About Instant AP certificates and PEAP authentication

Hi guys,

Actually I have a network of Instant APs where the clients authenticate against a RADIUS server with username and password (PEAP) in order to connect to the corporate SSID. Because the RADIUS server doesn't have a certificate I have enabled EAP offload, so the IAP acts as the authentication server and is the one that sends the certificate to clients. Because clients don't have that certificate in their certificate list, they get an untrusted server warning and have to accept it before connecting to the network. I am a beginner with certificates, so I have two doubts:

 

  1. When EAP offload is enabled, which certificate is sent to clients, the AP's certificate where the client is connected to or the master AP's certificate?
  2. Is possible to import the Instant AP certificate into the client to avoid getting the warning of untrusted server?

Regards,

Julián

Guru Elite

Re: About Instant AP certificates and PEAP authentication

  • You should not use legacy EAP methods like PEAP
  • You should not be terminating EAP on the NAD. Use a RADIUS server.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: About Instant AP certificates and PEAP authentication

Hi Tim,

Thanks for the reply. I know that EAP-TLS is more secure than PEAP and that enabling EAP offload is not a good practice, and that it is better to use the RADIUS server certificate. But my doubts are not related to best practices but to how the certificates are treated in Instant when EAP offload is enabled.

 

  1. When EAP offload is enabled, which certificate is sent to clients, the AP's certificate where the client is connected to or the master AP's certificate?
  2. Is possible to import the Instant AP certificate into the client to avoid getting the warning of untrusted server?

 

Regards,

Julián

Re: About Instant AP certificates and PEAP authentication

As said, you should not do it. But to answer your questions for educational purposes:

 

When EAP offload is enabled, which certificate is sent to clients, the AP's certificate where the client is connected to or the master AP's certificate?

With eap termination or eap offload, the AP will terminate the PEAP outer tunnel with its (eap) certificate. The MSCHAPv2 will be forwarded to the RADIUS server. Again, you should not be using PEAP-MSCHAPv2 in production, so the answer is for educational purposes only.

 

Is possible to import the Instant AP certificate into the client to avoid getting the warning of untrusted server?

You can, similar to when the certificate is not on the AP, (pre)configure your client with the CA that issued the AP/RADIUS-server certificate and the proper certificate validation. Never let users self-configure this, as if they don't put each tickbox right you will get an insecure situation.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).

Re: About Instant AP certificates and PEAP authentication

Hi Herman,

Thanks for your interest. About the second point:

You can, similar to when the certificate is not on the AP, (pre)configure your client with the CA that issued the AP/RADIUS-server certificate and the proper certificate validation.

What CA should my client trust? I don't know which certificate the AP uses for EAP; it has many (Default Server Certificate, Current CP Server Certificate and Device Certificate). Look at this:

P4-W04# show cert all

Default Server Certificate:
Version :3
Serial Number :01:DA:52
Issuer :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Subject :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com
Issued On :May 11 01:22:10 2011 GMT
Expires On :Aug 11 04:40:59 2017 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits

 

Version :3
Serial Number :02:36:D2
Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Issued On :Feb 26 21:32:31 2010 GMT
Expires On :Feb 25 21:32:31 2020 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits

 

Version :3
Serial Number :02:34:56
Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Issued On :May 21 04:00:00 2002 GMT
Expires On :May 21 04:00:00 2022 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits

 

Current CP Server Certificate:
Version :3
Serial Number :0D:18:23:89:16:76:A4:13:92:D9:3E:EA:03:DE:DD:18
Issuer :/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
Subject :/C=US/ST=California/L=Palo Alto/O=Hewlett Packard Enterprise Company/OU=Aruba Networks/CN=securelogin.hpe.com
Issued On :Feb 12 00:00:00 2018 GMT
Expires On :Feb 13 12:00:00 2019 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits

 

Version :3
Serial Number :03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
Issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
Subject :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
Issued On :Aug 1 12:00:00 2013 GMT
Expires On :Jan 15 12:00:00 2038 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits

 

Version :3
Serial Number :0C:8E:E0:C9:0D:6A:89:15:88:04:06:1E:E2:41:F9:AF
Issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
Subject :/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
Issued On :Aug 1 12:00:00 2013 GMT
Expires On :Aug 1 12:00:00 2028 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits

 

Device Certificate:
Version :3
Serial Number :21:8F:5B:7C:00:00:00:03:8B:74
Issuer :/UID=com/UID=arubanetworks/UID=devicesign/CN=Aruba Networks Trusted Computing Issuing CA 2
Subject :/CN=CNDQHN725W::20:a6:cd:cb:5c:de
Issued On :Aug 18 12:43:59 2017 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA256-RSA
RSA Key size :2048 bits

P4-W04#

 

The issuers are GeoTrust, DigiCert and Aruba Networks. Which one?

 

Regards,

Julián

 

Guru Elite

Re: About Instant AP certificates and PEAP authentication

The signing CA of your EAP server certificate.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
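An added example, not part of this thread and not Aruba's or any poster's code: a small Python script that parses a `show cert all` listing like the one quoted above, orders each store's certificates into a chain (leaf first), and reports the CA at the top of that chain, i.e. what a client would end up being asked to trust if that store's certificate were presented during EAP. It also flags expired and SHA1-signed certificates, which is the check you would run before deciding whether any of those stores is fit to be trusted at all. The parser assumes the `Field :value` layout and the store headers ending in `:` exactly as quoted; the embedded sample is an abridged, constructed copy of that output (Version and key-size lines dropped) and the audit date is a fixed, assumed value so the result is reproducible.

```python
from datetime import datetime, timezone

# Constructed sample: abridged copy of the `show cert all` output quoted in the thread.
SAMPLE = """\
Default Server Certificate:
Serial Number :01:DA:52
Issuer :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Subject :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com
Issued On :May 11 01:22:10 2011 GMT
Expires On :Aug 11 04:40:59 2017 GMT
Signed Using :SHA1-RSA

Serial Number :02:36:D2
Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Issued On :Feb 26 21:32:31 2010 GMT
Expires On :Feb 25 21:32:31 2020 GMT
Signed Using :SHA1-RSA

Serial Number :02:34:56
Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Issued On :May 21 04:00:00 2002 GMT
Expires On :May 21 04:00:00 2022 GMT
Signed Using :SHA1-RSA

Device Certificate:
Serial Number :21:8F:5B:7C:00:00:00:03:8B:74
Issuer :/UID=com/UID=arubanetworks/UID=devicesign/CN=Aruba Networks Trusted Computing Issuing CA 2
Subject :/CN=CNDQHN725W::20:a6:cd:cb:5c:de
Issued On :Aug 18 12:43:59 2017 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA256-RSA
"""


def parse_stores(text):
    """Group 'Field :value' lines into certificate dicts, keyed by store header."""
    stores, store, cert = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                                  # blank line ends a certificate
            if cert:
                stores[store].append(cert)
                cert = {}
            continue
        if line.endswith(":") and " :" not in line:   # e.g. "Device Certificate:"
            if cert:
                stores[store].append(cert)
                cert = {}
            store = line[:-1]
            stores[store] = []
            continue
        if " :" not in line:                          # CLI prompt or other noise
            continue
        key, _, value = line.partition(" :")
        cert[key.strip()] = value.strip()
    if cert:
        stores[store].append(cert)
    return stores


def cn(dn):
    """Last CN component of a slash-separated DN, for readable output only."""
    return dn.rsplit("/CN=", 1)[-1]


def order_chain(certs):
    """Leaf first, then each issuer found in the store, stopping at a self-signed root."""
    by_subject = {c["Subject"]: c for c in certs}
    issuers = {c["Issuer"] for c in certs if c["Issuer"] != c["Subject"]}
    leaf = next(c for c in certs if c["Subject"] not in issuers)
    chain = [leaf]
    while chain[-1]["Issuer"] != chain[-1]["Subject"] and chain[-1]["Issuer"] in by_subject:
        chain.append(by_subject[chain[-1]["Issuer"]])
    return chain


def audit(text, today="2018-06-01"):
    """Per store: chain order, the CA a client would have to trust, and hygiene warnings.
    `today` is an assumed audit date (ISO), fixed so results are reproducible."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    report = {}
    for store, certs in parse_stores(text).items():
        chain = order_chain(certs)
        top = chain[-1]
        root_in_store = top["Issuer"] == top["Subject"]
        warnings = []
        for c in chain:
            expires = datetime.strptime(c["Expires On"], "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
            if expires < now:
                warnings.append(f"{cn(c['Subject'])}: expired {c['Expires On']}")
            if c["Signed Using"].startswith("SHA1"):
                warnings.append(f"{cn(c['Subject'])}: SHA1 signature")
        report[store] = {
            "chain_cns": [cn(c["Subject"]) for c in chain],
            # The anchor a client would need: the root if the store carries it,
            # otherwise the top cert's issuer, which the client must obtain elsewhere.
            "trust_anchor": cn(top["Subject"]) if root_in_store else cn(top["Issuer"]),
            "root_in_store": root_in_store,
            "warnings": warnings,
        }
    return report


if __name__ == "__main__":
    for store, r in audit(SAMPLE).items():
        print(f"{store}: {' <- '.join(r['chain_cns'])}")
        print(f"  trust anchor: {r['trust_anchor']} (in store: {r['root_in_store']})")
        for w in r["warnings"]:
            print("  warning:", w)
```

Running it on the quoted listing shows why the default stores are a poor answer to the question: the Default Server Certificate chain tops out at a public root (GeoTrust Global CA) with a leaf that was already expired and SHA1-signed at the time of the thread, and the Device Certificate chains to an Aruba-internal issuing CA that is not in the store, so a client cannot be configured against anything it can verify sensibly. That is the practical reason behind "upload your own EAP server certificate and trust its signing CA".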

Re: About Instant AP certificates and PEAP authentication

Hi Tim,

But in the case the AP sends the certificate to clients, which certificate will it use? You can see in the previous output the AP has three certificates: Default Server Certificate, Current CP Server Certificate and Device Certificate. Which one?

Regards,

Julián

Guru Elite

Re: About Instant AP certificates and PEAP authentication

You need to upload an EAP server certificate. You cannot use the defaults.
Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: About Instant AP certificates and PEAP authentication

But in Instant, if you enable EAP offload, the AP sends one of its default certificates to the clients and it works fine, but I don't know which one. You don't need to upload an EAP certificate for this to work.

Regards,

Julián

Guru Elite

Re: About Instant AP certificates and PEAP authentication

You cannot use the default certificates. You need to acquire an EAP server certificate.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480