
Contributor II
Posts: 42
Registered: ‎07-14-2010

Instant AP & EAP-TLS certificates

I have a customer who wants to set up their Instant APs using EAP-TLS, to match the WLAN configuration they use in their head office.  They will be using the Instants with VPN to give roaming users access back to the office.  Kind of like a RAP, but without the RAP licensing.

They are using an IAS server for RADIUS / 802.1X authentication.

My question is, how do I get this working with the Instant APs?  These will be deployed all over the place like RAPs with dynamic addresses.  So we can't create RADIUS clients for them in IAS.

I know that I can install certificates on the Instant and have EAP terminate on the Instant, but do I need to install a unique certificate on each Instant?  Or can I use the same server certificate on each Instant?  And what about the subject name, etc. for the certificate?

Aruba
Posts: 233
Registered: ‎11-19-2009

Re: Instant AP & EAP-TLS certificates

Just to get clarity: when you say Instant with VPN to give remote access back to the office, do you mean terminating the Instant Access Point's VPN back to the head office controller? Please confirm. If yes, the link below gives the procedure to configure it.

http://community.arubanetworks.com/t5/Aruba-Instant/What-can-you-terminate-an-IAP-VPN-on/td-p/64756

For Instant with EAP-TLS, see the link below.

http://community.arubanetworks.com/t5/Aruba-Instant/IAP-TLS-authentication/td-p/48946

Thanks!

****************************************************************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Instant AP & EAP-TLS certificates

[ Edited ]

If you have the PEFV license on the controller, you can alter the default-iap role and source-NAT RADIUS packets out of the controller.  From the perspective of IAS, ALL Instant APs and sites would look like auth requests coming from the controller's IP and not the IAP's IP.

This is explained in detail in the Instant User Guide, which covers both the IAP config as well as the controller config.

Config stub:

(host) (config) #ip access-list session iaprole
(host) (config-sess-iaprole) #any host <radius-server-ip> any src-nat
(host) (config-sess-iaprole) #any any any permit
(host) (config-sess-iaprole) #!
(host) (config) #user-role iaprole
(host) (config-role) #session-acl iaprole

The src-nat line will source NAT ALL RADIUS requests to the IAS server as the controller IP and NOT the individual IAP IPs.

You then apply that role to the "default-iap" auth profile found in "Authentication --> L3 Authentication" on the controller:

(host) (config) #aaa authentication vpn default-iap
(host) (VPN Authentication Profile "default-iap") #default-role iaprole

[Attached screenshot: Screen Shot 2013-07-23 at 2.25.27 PM.png]

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
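An added example, not code from the thread or from Aruba: a small Python model of the iaprole session ACL from the config stub above, evaluated top-down first-match the way the controller evaluates session ACLs. It shows why the src-nat line must come before the catch-all permit (with the permit first, the NAT rule is never reached and IAS still sees each IAP's own VPN address), and why IAS then needs only one RADIUS client entry, for the controller's IP. The controller IP, IAS address, IAP inner addresses and packets are constructed placeholders.

```python
"""Added example (not from the thread): first-match model of the iaprole
session ACL, checking what source IP the RADIUS server ends up seeing.
All addresses and packets below are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address

CONTROLLER_IP = "203.0.113.10"   # constructed: controller IP seen by IAS
RADIUS_SERVER = "192.0.2.5"      # constructed: IAS server address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int  # RADIUS authentication is UDP/1812, accounting UDP/1813


@dataclass(frozen=True)
class Rule:
    """One session-acl line: <src> <dst> <service> <action>."""
    src: str      # "any" or an IP
    dst: str      # "any" or "host <ip>"
    service: str  # "any" or "udp <port>"
    action: str   # "permit", "deny" or "src-nat"


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        spec = spec[5:]
    return ip_address(spec) == ip_address(addr)


def _match_service(spec: str, dport: int) -> bool:
    if spec == "any":
        return True
    proto, port = spec.split()
    return proto == "udp" and int(port) == dport


def apply_acl(rules, pkt, nat_ip=CONTROLLER_IP):
    """Evaluate rules top-down, first match wins (controller behaviour).
    Returns the forwarded packet, with its source rewritten for src-nat,
    or None when the packet is denied or no rule matches (implicit deny)."""
    for r in rules:
        if (_match_addr(r.src, pkt.src) and _match_addr(r.dst, pkt.dst)
                and _match_service(r.service, pkt.dport)):
            if r.action == "deny":
                return None
            if r.action == "src-nat":
                return replace(pkt, src=nat_ip)
            return pkt
    return None


def radius_client_accepts(client_table, pkt):
    """IAS only answers requests whose source IP is a configured RADIUS client."""
    return pkt is not None and pkt.src in client_table


# The two lines in the order the config stub gives them
IAPROLE_ACL = [
    Rule("any", f"host {RADIUS_SERVER}", "any", "src-nat"),
    Rule("any", "any", "any", "permit"),
]
# Same two lines with the permit first: the src-nat line is never reached
WRONG_ORDER_ACL = list(reversed(IAPROLE_ACL))

# One RADIUS client entry in IAS, for the controller only
IAS_CLIENTS = {CONTROLLER_IP}


def check_site(iap_inner_ip, rules=IAPROLE_ACL):
    """Run one IAP's Access-Request through the ACL and the IAS client check."""
    req = Packet(src=iap_inner_ip, dst=RADIUS_SERVER, dport=1812)
    out = apply_acl(rules, req)
    return {"seen_by_ias_as": out.src if out else None,
            "accepted": radius_client_accepts(IAS_CLIENTS, out)}


if __name__ == "__main__":
    # constructed IAP inner (VPN tunnel) addresses from two sites
    for site in ("10.10.1.2", "10.10.2.2"):
        print(site, "correct order:", check_site(site))
        print(site, "permit first: ", check_site(site, WRONG_ORDER_ACL))
```

Traffic from the IAPs that is not destined for the RADIUS server falls through to the permit line and keeps its own source address, so only the RADIUS client lookup on IAS is affected by the NAT.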
Contributor II
Posts: 42
Registered: ‎07-14-2010

Re: Instant AP & EAP-TLS certificates

Seth, thank you, that's exactly what I was looking for.

They don't have PEFV licenses, but I'll work on that.

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Instant AP & EAP-TLS certificates

[ Edited ]

Yeah...so in order to alter the default IAP role, you will need the PEF-V.   EDITED>>>

Contributor II
Posts: 42
Registered: ‎07-14-2010

Re: Instant AP & EAP-TLS certificates

Yeah, licensing has been a real pain on this one.  It was sold to the customer with no licenses, because someone thought you don't need any licenses to set up IAP+VPN.  But then it was scoped to me as a RAP installation...

So you're saying that with 30 IAPs, all I will need is 1x PEFV and 1x PEFNG?  Not 30x each?

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Instant AP & EAP-TLS certificates

[ Edited ]

EDITED FROM BEFORE!!!

Couple of things.

1. The PEFV license is a box license, so think of it as a feature enablement license.  You would only need one.

2. The PEFNG license does not allow you to alter the default-vpn role that the IAPs are assigned.

In your situation, you will need 1 PEFV license per controller.  This will allow you to alter the default-vpn role or assign a different role in the controller where the IAPs are assigned when they connect their VPNs.

Technically, you were sold the solution correctly.  You do not need any licenses to terminate the IAPs to a controller.  A controller out of the box will allow you to configure itself as a VPN concentrator for the IAPs.  However, you need to source NAT RADIUS authentication traffic.  Therefore, you will need to create source NAT firewall rules, which will require the PEFV license in order to enable that area of the controller's config and feature set.

Hopefully this made some sense!

Contributor II
Posts: 42
Registered: ‎07-14-2010

Re: Instant AP & EAP-TLS certificates

Ok, so in this case the controller is being used exclusively to terminate the IAP VPNs, so all I will need is the PEF-NG license, correct?

Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Instant AP & EAP-TLS certificates

[ Edited ]

No...you will need one PEF-V license in order to accomplish this.

I would get an eval license in place in the meantime so you can accomplish and test this in short order.

Contributor II
Posts: 42
Registered: ‎07-14-2010

Re: Instant AP & EAP-TLS certificates

Hmmm... still not working.  I can see the IAP in the controller, and it is assigned to the iaprole, but still not getting through to the Radius server...
