Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Multiple controller certificates for 802.1X

  • 1.  Multiple controller certificates for 802.1X

    Posted Jan 10, 2012 03:43 AM

    Hi,

    I need to configure two different controller certificates for different SSIDs.

    In order to achieve this I configured two 802.1X profiles with termination on the controller (unfortunately one of the RADIUS servers is not under our control, so we need to do it this way). It seems obvious to configure both certificates in the advanced configuration tab with "server-certificate" (or via CLI) in the 802.1X profile.

    Doing so leads to very unexpected behaviour since the controller prompts the wireless clients for client certificates. But in this same profile PEAP/MSCHAPv2 is configured. When configuring no server certificate we see the built-in securelogin.arubanetworks certificate. Changing the CA certificates in the same 802.1X profile has no effect whatsoever.

    So, simple question: how can I have two controller certs displayed to the clients depending on the SSID?

    Best regards,

    Andreas



  • 2.  RE: Multiple controller certificates for 802.1X

    EMPLOYEE
    Posted Jan 10, 2012 05:41 AM

    The 802.1x profile in the AAA profile has a Server-Certificate parameter. When you upload a server certificate for EAP-Termination, each certificate appears in that dropdown. To use two different Server Certificates, each 802.1x WLAN you create will require a different AAA profile, and a different 802.1x profile, each with a different Server Certificate in the dropdown.

    Does that answer your question?



  • 3.  RE: Multiple controller certificates for 802.1X

    Posted Jan 10, 2012 05:48 AM

    Hi,

    yes, that's exactly what I tried to do.

    I do have the drop down box with both certificates available. But after choosing one we cannot authenticate anymore using username/password. I get prompted by the Windows 7 wireless client to use client certificates.

    Best regards,

    Andreas Goerlach



  • 4.  RE: Multiple controller certificates for 802.1X

    EMPLOYEE
    Posted Jan 10, 2012 05:52 AM

    @AndreasG wrote:

    Hi,

    yes, that's exactly what I tried to do.

    I do have the drop down box with both certificates available. But after choosing one we cannot authenticate anymore using username/password. I get prompted by the Windows 7 wireless client to use client certificates.

    Best regards,

    Andreas Goerlach


    I apologize. You said you already did that.



  • 5.  RE: Multiple controller certificates for 802.1X

    Posted Feb 20, 2013 06:05 PM

    Has this problem been answered yet? I just ran into this issue. I created a new SSID with a new aaa profile, and a new dot1x profile using a different server cert. And all my old SSIDs started using the new cert. When I went into the dot1x profile of my old SSID and told it to use the new cert, saved it, and then told it to use the old cert, and saved it, the old SSID went back to using the old cert. However, my new SSID was now using the old cert, despite still being configured in the dot1x profile for the new cert.