Wireless Access

Contributor II
Posts: 41
Registered: ‎10-02-2012

EAP-TLS configuration

Hi,

 

I have 1-2 questions:

What is the difference between "Termination EAP-Type" and "Termination Inner EAP-Type"? In which way do they interact with each other?

We have a RADIUS server. We want to have 2 ways of authentication: user/password (which is already working well) and a certificate that validates that the device is a company device. Each of our devices is already delivered with a certificate when it first authenticates on the domain.

Is it possible to only validate the computer? We don't want to use user/password over a certificate.

MVP
Posts: 2,989
Registered: ‎10-25-2011

Re: EAP-TLS configuration

Hello

Answering your questions

 

EAP termination on the controller: only the user authentication is passed to the RADIUS server.

EAP termination is good in situations where the RADIUS server is not local to the controller, so the EAP process and most of the traffic is terminated at the controller.

This is normally used when the RADIUS server is not local to the wireless controller; for example, you have the RADIUS server in a datacenter somewhere else and your controller in the central site.

For your second question, let me explain.

There are 2 flavors of EAP:

EAP-PEAP: This does a 2-way authentication; the client authenticates the server with a certificate, and the server authenticates the user with MSCHAPv2 (user and password).

The level of security here is high.

EAP-TLS: This does a 2-way authentication; the client authenticates the server with a certificate, and the server authenticates the user with a certificate also.

The level of security here is VERY HIGH.

It is possible with Aruba to use

EAP-PEAP + machine authentication

EAP-TLS + machine authentication

Machine authentication = it validates that the computer belongs to the AD group you select in the network policy rule on the NPS.

So you add another layer of security.

Now, as far as I understand you,

You would like to use EAP-TLS, but you will need to use a user certificate, not a machine certificate, on your clients....

You will need user certificates on the clients...

EAP-PEAP is secure as long as you configure the clients correctly... if you don't, then that's the problem.

Anyway, if you want the highest security, then implement EAP-TLS.

I don't know if this answers your question???

 

 

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 41
Registered: ‎10-02-2012

Re: EAP-TLS configuration

Very good answer! But there is more to clarify :)

For the termination, it's EAP type and inner EAP type. What is the difference between them? I understand the standard on each line, like EAP-PEAP or EAP-TLS.

But which comes first in the process? Can I only choose one, or do both need to be configured? It's hard to explain as English is not my primary language, but I just can't find why one is "Inner" and not the other. :)

And with your explanation, it's clearer to me now. We were trying to authenticate a laptop with a certificate. Because there are local computer or local user certificates, no? With our corporate VPN (which I did not configure), we are able to authenticate a device with a cert directly in the local computer store. No need to have a user/password.

So EAP-TLS is only for user/password auth with a certificate? And for my need, I'll have to use EAP-PEAP with machine auth?

Is there a tutorial for configuring machine auth correctly?

Thanks for your time!

MVP
Posts: 2,989
Registered: ‎10-25-2011

Re: EAP-TLS configuration

If you found my post helpful, please kudo it, and if it resolves your questions, please click on accept as solution.

Answering your questions

For more information I'll give you a link about this. It has good information which will answer your first question, I guess.

http://community.arubanetworks.com/t5/Community-Knowledge-Base/EAP-The-Basics/ta-p/25380

You have to choose one; you cannot choose 2....

In your PC clients you can only configure 1: you configure EAP-PEAP or EAP-TLS; you cannot configure both..

What you can do is configure EAP-PEAP + machine enforcement + DHCP enforcement (if you use DHCP).

You can also configure EAP-TLS + machine enforcement + DHCP enforcement...

For example, I did a deployment in a bank... for now we have EAP-PEAP + machine enforcement + DHCP enforcement, but we want to move it to EAP-TLS + machine enforcement + DHCP enforcement to increase security.

Now, if you have an internal certification authority, you can deploy user certificates to your users; for example, if you do it manually you will have to request it in the MMC... or via web... you need to have the user template available for this. If you do this then you will be able to deploy EAP-TLS; if not, then you can only do EAP-PEAP.

Now, the certificate of the machine you are referring to: I THINK you mean the one that appears when you click on EAP Protected properties in the list of trusted root certification authorities... which is the thing that the computer uses to know if it can trust that root... which can be VeriSign or GoDaddy or, in this case, your internal root certification authority.

Here is a manual I made on how you should configure EAP-PEAP correctly:

http://community.arubanetworks.com/t5/Authentication-and-Access/Correctly-configure-EAP-PEAP-Windows-client/m-p/43398

I'm not an expert in PKI... I just know the basics... my manager is the one that is an expert in that! So I cannot give you too much info about it. Sorry.

About how to configure the machine authentication, well, mmmm, there is not a tutorial that I remember of.... but in the next post I'll try to explain it to you.

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,989
Registered: ‎10-25-2011

Re: EAP-TLS configuration

Machine authentication

Let's say you already configured EAP-PEAP correctly and you just got that working; now let's add the machine enforcement, which is the machine authentication, to add another layer of security.

1- You go to the NPS console.

2- You go to network security policies.

3- Add a new network security policy; you add the computer group you want to get access (for example, previous to all this you will need to create a group called, for example, WLANMachines in Active Directory and put all the machines that are allowed on the WLAN in it).

4- You click next, next, next, finish.

5- You put that rule in the first place; in the second place you put the network policy of EAP-PEAP you created (they need to be in separate policies).

6- You go to the wireless controller, go to Configuration, go to Security, then AAA profile; you go to the profile you are using on your SSID, then you go to the 802.1X profile inside it and click on the checkmark of enforce machine authentication.

7- On machine authentication default role and user role, use a deny-all role, as you don't want them to get any access anywhere after JUST machine authentication.... they will need to authenticate also via EAP-PEAP before being granted access.

Note: you will only be able to authenticate machines when you log in or log off Windows...

If you try to do this when you are already logged in and then you try to connect to the network, you will not be able to... you need to log off, then log in, and it should work....

Hope this helps.. if it's not working you will have to wait a bit... I'm not at home so I have no SSL access to my remote lab to check everything... I'm telling you out of my mind how to configure it.

BTW, what's your native language? Mine is Spanish...

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 41
Registered: ‎10-02-2012

Re: EAP-TLS configuration


French, from Quebec :)

 

So I want to go step by step. Only with EAP-PEAP:

I did the configuration on my NPS. Here is a screenshot from the test laptop:

[screenshot: Capture.PNG]

So I found out with your procedure that I need to check "Do not prompt user to authorize..." If we don't, the user can only press "continue" on a prompt saying that the certificate is not validated. But with the continue option, the connection is made correctly... This is my first question. Am I right?

After that, if I leave the field "Connect to these servers" unchecked, with no trusted root checked, it works...

Then: "Connect to these servers" checked with the field blank and no trusted root checked, it prompts me that it cannot connect to the network.

And finally, if I do it like my screenshot, with the name of the server and no trusted root, it works... There is something that I don't get... In which case will it not work if the client is unable to authenticate the server with a certified root?

 

Contributor II
Posts: 41
Registered: ‎10-02-2012

Re: EAP-TLS configuration

And what happens if someone who is not a user of our company tries to connect to that network? If he doesn't have "Validate server certificate" checked, will he be able to connect if he has the right credentials?

Here is my thought:

If "Validate server certificate" is unchecked, he shouldn't be able to connect.

If the box is checked, then he should have the right trusted root checked to validate the server. If he doesn't have it, he shouldn't be able to connect.

Am I understanding the utility of EAP-PEAP right?

Or should all that stuff only be validated by machine auth?

Contributor II
Posts: 41
Registered: ‎10-02-2012

Re: EAP-TLS configuration

Found it!!

**bleep** god... As I said, I removed the trusted root certificate from my test laptop and I was still able to connect. But I found that the certificate was somewhere else too. In MMC:

Console Root
  Certificates - Local Computer
      Trusted Root Certification Authorities: previously deleted the cert here.
      Intermediate Certification Authorities: there was still our certificate here!

Now it works like a charm:

- When I remove the cert, nothing works except unchecking "Validate server certificate".

- When I add it, it works again. The only thing is that I don't need to check my trusted root cert in the list. Is that normal?

 

 

 

MVP
Posts: 2,989
Registered: ‎10-25-2011

Re: EAP-TLS configuration

Hello

Let me answer your questions.

When you select the checkbox "Do not prompt user to authorize new servers or trusted root certificates": if you enable this option, the user is not presented with the UI that may be difficult for the user to understand. Therefore, the user cannot select an unapproved root certification authority.

Now I'll give you another link where I read some interesting stuff about this; check this out:

http://support.microsoft.com/kb/941123

Your other question was:

"When I add it, it works again. The only thing is that I don't need to check my trusted root cert in the list. Is that normal?"

Well, I believe that when you do not select any, it searches in all the root certs you have in the list... if one applies then it uses that one, but it's better to specify it...

Now I recommend you apply this via group policy so that the user cannot change it...

Now, you are doing all this to boost the security of your EAP-PEAP config... attackers get in with misconfigured EAP-PEAP...

To make it work you don't need to select a server or anything like that, but then the EAP-PEAP is misconfigured and a man-in-the-middle attack can be launched.

Anyway, I hope I didn't miss answering any of your questions.

 

Cheers

Carlos

 

 

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
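The posts above turn on four client-side PEAP settings: "Validate server certificate", "Do not prompt user to authorize new servers or trusted CAs", "Connect to these servers", and the trusted root selection. As an added example (not code from the thread or from Aruba), the following Python script audits those settings in the XML that Windows stores for a PEAP profile (the EapHostConfig block that `netsh wlan export profile` writes). The element names and namespaces are the ones Windows uses; the two sample profiles are constructed for the example, and the thumbprint in the hardened one is a placeholder, not a real CA.

```python
"""Audit the server-validation settings of a Windows PEAP (EAP type 25) profile.

The element names and namespaces are those Windows writes for a PEAP profile
(what "netsh wlan export profile" produces). The two sample profiles below are
constructed for this example; the thumbprint in the hardened one is a placeholder.
"""
import xml.etree.ElementTree as ET
from typing import List

NS = {
    "base": "http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1",
    "peap": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1",
    "peap2": "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2",
}

# EapHostConfig skeleton shared by both samples; {validation} and {extensions}
# carry the settings that differ between the weak and the hardened profile.
PROFILE_SKELETON = """<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
  <EapMethod>
    <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type>
    <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId>
    <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
    <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
  </EapMethod>
  <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
    <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
      <Type>25</Type>
      <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
        {validation}
        <FastReconnect>true</FastReconnect>
        <InnerEapOptional>false</InnerEapOptional>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>26</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
            <UseWinLogonCredentials>true</UseWinLogonCredentials>
          </EapType>
        </Eap>
        <EnableQuarantineChecks>false</EnableQuarantineChecks>
        <RequireCryptoBinding>false</RequireCryptoBinding>
        <PeapExtensions>
          {extensions}
        </PeapExtensions>
      </EapType>
    </Eap>
  </Config>
</EapHostConfig>"""

# Constructed "works but misconfigured" profile: validation off, prompt allowed,
# no server name, no pinned root (the state the thread warns about).
WEAK_PROFILE = PROFILE_SKELETON.format(
    validation="""<ServerValidation>
          <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
          <ServerNames></ServerNames>
        </ServerValidation>""",
    extensions='<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/'
               'MsPeapConnectionPropertiesV2">false</PerformServerValidation>',
)

# Constructed hardened profile: validation on, no prompt, server name and root pinned.
HARDENED_PROFILE = PROFILE_SKELETON.format(
    validation="""<ServerValidation>
          <DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation>
          <ServerNames>radius.example.com</ServerNames>
          <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
        </ServerValidation>""",
    extensions='<PerformServerValidation xmlns="http://www.microsoft.com/provisioning/'
               'MsPeapConnectionPropertiesV2">true</PerformServerValidation>',
)


def _text(node, path: str) -> str:
    """Stripped text of a child element, or "" when the element is absent."""
    if node is None:
        return ""
    return (node.findtext(path, default="", namespaces=NS) or "").strip()


def audit_peap_profile(xml_text: str) -> List[str]:
    """Return one finding per weak server-validation setting (empty list = hardened)."""
    root = ET.fromstring(xml_text)
    peap = root.find(".//base:Eap/peap:EapType", NS)
    if peap is None:
        return ["not a PEAP (EAP type 25) profile"]
    sv = peap.find("peap:ServerValidation", NS)
    findings = []
    if _text(peap, "peap:PeapExtensions/peap2:PerformServerValidation").lower() != "true":
        findings.append("'Validate server certificate' is off: the supplicant completes PEAP "
                        "with any RADIUS server, so a rogue AP can harvest MSCHAPv2 responses")
    if _text(sv, "peap:DisableUserPromptForServerValidation").lower() != "true":
        findings.append("user prompt allowed: a user can click Continue and accept an "
                        "untrusted server certificate")
    if not _text(sv, "peap:ServerNames"):
        findings.append("no server name pinned: any certificate from an accepted CA is "
                        "trusted regardless of its subject")
    if not _text(sv, "peap:TrustedRootCA"):
        findings.append("no trusted root pinned: any CA in the machine certificate store "
                        "can vouch for the RADIUS server")
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {audit_peap_profile(profile) or ['OK']}")
```

Run it against a real export (`netsh wlan export profile name="..." folder=.`) by reading the file instead of the samples; the findings map one-to-one onto the checkboxes discussed in the thread, and a profile that comes back empty is the one to push out through group policy so users cannot weaken it.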
Contributor II
Posts: 41
Registered: ‎10-02-2012

Re: EAP-TLS configuration

It's me again!

I now have some problems with the machine authentication.

Currently I'm trying to make it work only with M-Auth (for testing purposes). Here is the log that I got from the command: show auth-tracebuf count x

 

Nov  1 10:52:37  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    wpa2 aes
Nov  1 10:52:37  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:52:37  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    failed
Nov  1 10:52:37  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   117
Nov  1 10:52:37  eap-start             ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:52:37  eap-id-req            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   5
Nov  1 10:52:37  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   29   host/P-3676.sh.cima.plus
Nov  1 10:52:37  rad-req               ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  10  236
Nov  1 10:52:37  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  10  44
Nov  1 10:52:37  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   4    server rejected
Nov  1 10:52:37  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:52:48  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -    wpa2 aes
Nov  1 10:52:48  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -
Nov  1 10:52:48  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -    failed
Nov  1 10:52:48  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   117
Nov  1 10:52:48  eap-start             ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -
Nov  1 10:52:48  eap-id-req            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  2   5
Nov  1 10:52:48  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  2   29   host/P-3676.sh.cima.plus
Nov  1 10:52:48  rad-req               ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  11  236
Nov  1 10:52:48  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1/Corpo-Radius-SH  11  44
Nov  1 10:52:48  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  2   4    server rejected
Nov  1 10:52:48  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1                  -   -
Nov  1 10:52:58  station-up             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    wpa2 aes
Nov  1 10:52:58  m-auth req             *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:52:58  m-auth resp            *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -    failed
Nov  1 10:52:58  wpa2-key1             <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   117
Nov  1 10:52:58  eap-start             ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -
Nov  1 10:52:58  eap-id-req            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   5
Nov  1 10:52:58  eap-id-resp           ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   29   host/P-3676.sh.cima.plus
Nov  1 10:52:58  rad-req               ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  12  236
Nov  1 10:52:58  rad-reject            <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  12  44
Nov  1 10:52:58  eap-failure           <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  2   4    server rejected
Nov  1 10:52:58  station-down           *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9                  -   -

 

Before I start to explain how I configured everything, is there something easy to spot?

 

Thanks.
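As an added example, not part of the thread: the trace above is easier to read once it is grouped per attempt (station-up to station-down) and reduced to the three facts that matter for a machine-auth problem: which identity the supplicant sent, which RADIUS server answered, and what it answered. The Python script below does that. The column layout (timestamp, event, direction, station MAC, BSSID optionally followed by /RADIUS-server, id, length, free text) is inferred from the pasted trace and is an assumption, not an Aruba-documented format; the sample is the first two attempts from the trace, and the event names `rad-accept` and `eap-success` are assumed by analogy with the `rad-reject` and `eap-failure` lines that do appear.

```python
"""Parse ArubaOS "show auth-tracebuf" output and summarise each 802.1X attempt.

Column layout inferred from the trace pasted in the thread (an assumption, not a
documented format). SAMPLE_TRACE is the first two attempts from that trace.
"""
import re
from typing import Dict, List

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<event>[\w-]+(?: [\w-]+)?)\s+"        # e.g. "station-up", "m-auth resp"
    r"(?P<dir>\*|<-|->)\s+"
    r"(?P<sta>" + MAC + r")\s+"
    r"(?P<bssid>" + MAC + r")(?:/(?P<server>\S+))?\s+"  # BSSID[/RADIUS server]
    r"(?P<id>\S+)\s+(?P<len>\S+)"
    r"(?:\s+(?P<info>.*?))?\s*$"
)

SAMPLE_TRACE = """\
Nov  1 10:52:37  station-up     *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  -  -  wpa2 aes
Nov  1 10:52:37  m-auth req     *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  -  -
Nov  1 10:52:37  m-auth resp    *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  -  -  failed
Nov  1 10:52:37  wpa2-key1     <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  -  117
Nov  1 10:52:37  eap-start     ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  -  -
Nov  1 10:52:37  eap-id-req    <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  2  5
Nov  1 10:52:37  eap-id-resp   ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  2  29  host/P-3676.sh.cima.plus
Nov  1 10:52:37  rad-req       ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  10  236
Nov  1 10:52:37  rad-reject    <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9/Corpo-Radius-SH  10  44
Nov  1 10:52:37  eap-failure   <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  2  4  server rejected
Nov  1 10:52:37  station-down   *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b9  -  -
Nov  1 10:52:48  station-up     *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  -  -  wpa2 aes
Nov  1 10:52:48  m-auth req     *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  -  -
Nov  1 10:52:48  m-auth resp    *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  -  -  failed
Nov  1 10:52:48  wpa2-key1     <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  -  117
Nov  1 10:52:48  eap-start     ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  -  -
Nov  1 10:52:48  eap-id-req    <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  2  5
Nov  1 10:52:48  eap-id-resp   ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  2  29  host/P-3676.sh.cima.plus
Nov  1 10:52:48  rad-req       ->  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  11  236
Nov  1 10:52:48  rad-reject    <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1/Corpo-Radius-SH  11  44
Nov  1 10:52:48  eap-failure   <-  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  2  4  server rejected
Nov  1 10:52:48  station-down   *  00:23:15:44:71:08  6c:f3:7f:e4:2b:b1  -  -
"""


def parse_tracebuf(text: str) -> List[Dict[str, str]]:
    """One dict per recognised trace line; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["server"] = d["server"] or ""
            d["info"] = (d["info"] or "").strip()
            events.append(d)
    return events


def sessions(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Group events into attempts delimited by station-up / station-down."""
    out, cur = [], None
    for e in events:
        ev = e["event"]
        if ev == "station-up":
            cur = {"sta": e["sta"], "bssid": e["bssid"], "start": e["ts"], "identity": "",
                   "machine_identity": False, "m_auth": "", "radius_server": "",
                   "radius_result": "", "eap_result": ""}
            out.append(cur)
        elif cur is None or e["sta"] != cur["sta"]:
            continue
        elif ev == "m-auth resp":          # controller-side machine-auth state at association
            cur["m_auth"] = e["info"]
        elif ev == "eap-id-resp":          # "host/..." means the computer account was offered
            cur["identity"] = e["info"]
            cur["machine_identity"] = e["info"].lower().startswith("host/")
        elif ev in ("rad-reject", "rad-accept"):
            cur["radius_server"], cur["radius_result"] = e["server"], ev
        elif ev in ("eap-failure", "eap-success"):
            cur["eap_result"] = (ev + " " + e["info"]).strip()
        elif ev == "station-down":
            cur = None
    return out


def diagnose(s: Dict[str, object]) -> str:
    """Say where the attempt failed, based only on what the trace shows."""
    if s["radius_result"] == "rad-reject":
        who = "machine identity" if s["machine_identity"] else "user identity"
        return (f"{s['radius_server']} rejected the {who} {s['identity']!r}: the supplicant "
                "sent the credential and the controller forwarded it, so the policy on the "
                "RADIUS/NPS side is what did not match")
    if s["radius_result"] == "rad-accept":
        return "accepted by " + str(s["radius_server"])
    return "no RADIUS decision seen in the trace"


def summarize(text: str) -> List[Dict[str, object]]:
    result = sessions(parse_tracebuf(text))
    for s in result:
        s["diagnosis"] = diagnose(s)
    return result


if __name__ == "__main__":
    for s in summarize(SAMPLE_TRACE):
        print(f"{s['start']} {s['sta']} -> {s['bssid']} id={s['identity']}: {s['diagnosis']}")
```

For the trace in this post the summary is the same for every attempt: the client offered the computer account (`host/P-3676.sh.cima.plus`), the controller forwarded it, and Corpo-Radius-SH sent an Access-Reject, so the place to look is the NPS policy that is supposed to match that computer account (group membership, policy order and the EAP type it allows), rather than the controller or the client profile.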
