Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Connecting 3rd party wireless bridge to WLAN

  • 1.  Connecting 3rd party wireless bridge to WLAN

    Posted Aug 18, 2015 10:16 AM

    Hey guys,

    I need to set up a wireless client bridge (HP 501) on my WLAN. It's working in workgroup bridge mode.

    I can connect it to my network using an open SSID or PEAP but I can't get it working with EAP-TLS.


    The product documentation is quite poor and doesn't explain this well. I'm not sure if I need to install a client or a server certificate on it?

    Also, there are 2 mandatory fields: one for username and one for password.

     

    Here's a screenshot from the documentation

     

    2015-08-18 10_07_18-h10032.www1.hp.com_ctg_Manual_c04035155.png

     

    I just completed a CSR and sent it to the CA, I don't really get the ''Identity'' field.

    Any help would be appreciated :)



  • 2.  RE: Connecting 3rd party wireless bridge to WLAN

    EMPLOYEE
    Posted Aug 18, 2015 10:58 AM

    You should need a client certificate sourced from the same PKI as your RADIUS server's cert so that it's trusted. Not sure about any identity field, that may be a question for HP's support with the 501. I've never seen anyone do TLS with the 501, only PEAP.



  • 3.  RE: Connecting 3rd party wireless bridge to WLAN

    Posted Aug 18, 2015 01:58 PM

    @jhoward wrote:

    You should need a client certificate sourced from the same PKI as your RADIUS server's cert so that it's trusted. Not sure about any identity field, that may be a question for HP's support with the 501. I've never seen anyone do TLS with the 501, only PEAP.


    Yes, I will open a ticket with HP to get more details!

    I guess any 3rd party bridge is the same scenario? Maybe someone around the Airheads community knows :)



  • 4.  RE: Connecting 3rd party wireless bridge to WLAN

    Posted Aug 01, 2017 11:29 AM

    Did you ever get this worked out? We are seeing a similar issue even though the cert comes from the same PKI.



  • 5.  RE: Connecting 3rd party wireless bridge to WLAN
    Best Answer

    Posted Aug 01, 2017 11:42 AM

    @agriffin wrote:

    Did you ever get this worked out? We are seeing a similar issue even though the cert comes from the same PKI.


    Hi, yes, the problem was due to the identity field, which wasn't accepting enough characters even though it appeared correctly in the GUI.

    We had this resolved with engineering and help from our local SE in firmware version 1.0.1.1 : [ 182619 ] Increased the maximum allowable characters for the EAP-TLS Identify field

    I would also highly suggest you update to version 2.0.0.0, which just came out 2-3 weeks ago. It now supports using the Aruba ARP optimization feature, which is a good thing.

    Cheers,



  • 6.  RE: Connecting 3rd party wireless bridge to WLAN

    Posted Sep 21, 2017 10:51 PM

    Any chance you can elaborate on how you got this to work with EAP-TLS? I tried issuing an onboard certificate to it so that it's signed by the RADIUS server. Then I exported a .pem format and used the username as the "identity" field and the user password as the private key. In ClearPass I keep getting EAP requests with an error saying EAP method unsupported. I know it's not ClearPass because I have EAP-TLS clients connected already. ANY help is appreciated.



  • 7.  RE: Connecting 3rd party wireless bridge to WLAN

    Posted Sep 24, 2017 09:49 PM
    Sorry I can't see the full post at the moment as I'm vacationing down under, but I suspect the issue is your pem - does it have the private key, user cert and root cert all in the file? Also, the user password doesn't go in the private key field. When you export the cert including the private key, it should ask you to create a password at the time of export - that's what should go there.

    Hopefully this helps!
    Al


  • 8.  RE: Connecting 3rd party wireless bridge to WLAN

    Posted Sep 27, 2017 10:33 AM

    @Ctristan wrote:

    Any chance you can elaborate on how you got this to work with EAP-TLS? I tried issuing an onboard certificate to it so that it's signed by the RADIUS server. Then I exported a .pem format and used the username as the "identity" field and the user password as the private key. In ClearPass I keep getting EAP requests with an error saying EAP method unsupported. I know it's not ClearPass because I have EAP-TLS clients connected already. ANY help is appreciated.


    If you can post more details about the logs and errors you receive, and also how you are set up, maybe I can help :)

    As for me, I issued the bridge a standard Wi-Fi user certificate with a separate private key and then ran the following openssl commands to concatenate them into a .pem

     

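    # Bundle the certificate and its private key into a PKCS#12 file (prompts for an export password)
    $ openssl pkcs12 -export -in hostname.crt -inkey hostname.key -out hostname.p12
    # Convert the PKCS#12 file into a single PEM; -nodes leaves the private key unencrypted
    $ openssl pkcs12 -in hostname.p12 -nodes -out hostname.pem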

    Then you add a password to it and import it to the bridge with the previously typed password.

    Also make sure the root is trusted in the RADIUS server.

     

    Thanks,
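
A check for the bundle discussed in the two posts above (private key, client certificate and root in one .pem, with the root trusted by the RADIUS server), as an added example that is not part of the thread or of any HP or Aruba tooling. The function name `check_eap_tls_pem`, the `PEM_PASS` variable and the assumption that the client certificate is the first certificate in the file are this example's own.

```shell
#!/bin/sh
# check_eap_tls_pem BUNDLE [CA_FILE]   (hypothetical helper, needs the openssl CLI)
# Reports what an EAP-TLS client bundle contains; returns non-zero on a problem.
# Set PEM_PASS in the environment if the private key is passphrase-protected.
# Usage: check_eap_tls_pem hostname.pem root-ca.crt
check_eap_tls_pem() {
    bundle=$1; ca=${2:-}

    # 1. At least one certificate; the first is assumed to be the client cert.
    certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    echo "certificates in bundle: $certs"
    [ "$certs" -ge 1 ] || { echo "FAIL: no certificate in bundle"; return 1; }

    # 2. A private key block (PKCS#8 or traditional RSA/EC, encrypted or not).
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
        echo "FAIL: no private key in bundle"; return 1
    fi
    if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$bundle"; then
        echo "private key: passphrase-protected"
    else
        echo "private key: NOT encrypted (as written by 'pkcs12 -nodes')"
    fi

    # 3. The key must belong to the certificate: compare their public keys.
    key_pub=$(PEM_PASS="${PEM_PASS:-}" openssl pkey -in "$bundle" \
                  -passin env:PEM_PASS -pubout 2>/dev/null) || key_pub=
    crt_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) || crt_pub=
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: private key does not match the first certificate"; return 1
    fi
    echo "private key matches the first certificate"

    # 4. Optional: does the client cert chain to the root the RADIUS server trusts?
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$bundle" >/dev/null 2>&1 ||
            { echo "FAIL: certificate does not verify against $ca"; return 1; }
        echo "certificate verifies against $ca"
    fi
    return 0
}
```

An unencrypted key in the bundle means the file itself must be protected in transit and deleted from the workstation once it has been imported to the bridge.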



  • 9.  RE: Connecting 3rd party wireless bridge to WLAN

    Posted Oct 09, 2017 03:17 PM

    Hello,

    I still have the issue. I exported a cert from ClearPass and checked the box "include cert chain". I then imported the cert and pkey. The format it comes out as is a .pem. I upload it into the bridge and use the account username as the identity and the password I used to export the cert.

    Everything seems okay but within ClearPass I see an error in the request stating "Type-EAP" & Client does not support configured EAP methods. I am sure I am selecting EAP TLS and the certificate is uploaded.