Occasional Contributor II

PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

Community,

I am having great difficulty in getting the certificates to work between my Aruba WLC and my Windows RADIUS server. I don't know if this is an issue with my internal Cert server or what, but here is what I did.

1) On the WLC I went to Certificates and generated a CSR.

2) Copied the RSA hash starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.

3) I went to my internal Windows Cert server and submitted the CSR to it to generate the certificate. The cert server didn't seem to have an issue creating the cert.

4) I uploaded the signed cert from my machine to the WLC using the PEM cert format and the "server cert" certificate type. I also uploaded the root certificate as "TrustedCA" cert.

5) I imported the cert into the Personal Certificate folder of my RADIUS server.

6) In the PEAP settings in the RADIUS server I used the dropdown and selected the new cert to be used for that RADIUS Network Policy.

When I try to connect to the 802.1x WLAN I have set up, it won't connect, and in the Event Viewer of the Windows server it says: "The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure."

I understand this isn't a Microsoft forum but was hoping maybe somebody has run into this before. I'm at a complete loss here. I'm pretty sure the RADIUS policies are set up correctly and I do have the WLC entered into the RADIUS server as an approved NAS, the passwords are correct, etc.

Any thoughts? I'm willing to answer as many questions as needed about my environment to get this resolved. Thanks.

Guru Elite

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

The certificate is only used on the RADIUS server. In your case, you did the CSR on the controller, so the private key only exists on the controller.

You need to do the CSR on the RADIUS server and then install the certificate. The controller is not involved.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

Tim,

Thank you for such a quick response! That makes complete sense, as in PEAP only the RADIUS server needs to present the certificate. In this case I'm assuming the WLC is validating the certificate on the client's behalf?

Guru Elite

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

No, the controller is EAP agnostic and simply passes it to the RADIUS server. The trust is between the client and RADIUS server (and also the TLS tunnel).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

Tim,

So in the PEAP scenario, do you see any reason to enter a cert in the WLC under Authentication > L2 Authentication > 802.1x Authentication > Advanced > Server Certificate?

For some reason I was under the impression that this was necessary. I did upload the RootCA cert just fine and have selected it in the CA-Certificate drop down under the "L2 Authentication" Advanced tab.

Thanks.

Guru Elite

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

No. That's only when using EAP termination which is not recommended if you have a RADIUS server.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

Tim,

Thanks so much for your help. I took your advice; I went ahead and generated a cert request on my new RADIUS from the "Personal" folder in the Cert MMC and then selected that cert under my PEAP profile. It works! I was able to connect to the 802.1x WLAN using the cert! Thanks again!

New Contributor

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

Hi there, I'm facing the same issue, where 802.1x is working fine when EAP termination is happening in the controller and it's not working with my Windows RADIUS NPS. A wildcard certificate is installed on both the controllers and NPS. When I change the termination to the Windows server it shows negotiation failed: "negotiation failed no available eap methods". Is there any proper document for integrating an Aruba controller with Windows RADIUS? I have checked a lot of articles and followed them, but still the authentication is not happening.

Guru Elite

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

Yes, there is: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/Step-by-Step-How-to-Configure-Microsoft-NPS-2008-Radius-Server/m-p/14392/highlight/true#M6113

Also, don't use wildcard certificates for PEAP.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

When terminating EAP at the Microsoft NPS, make sure that the cert you're using is trusted by the client. When using PEAP, only the server certificate is verified; the client does not need to present a cert. At a minimum, the client must trust the CA who signed the cert that the Microsoft NPS is using, meaning that the cert the NPS is presenting to the client must be signed by a CA that is in the client's Trusted Cert Store. When terminating EAP at the NPS there is no need to upload any certs at all to the Controller, as the Controller is now acting as a NAS (or Authenticator) instead of an Authentication Server.

HTH.

Chris Craddock.
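
Added example, not part of the original thread: a PowerShell check to run on the NPS/RADIUS server that lists the certificates in the computer's Personal store and flags any that lack a private key (the condition behind the Event Viewer error quoted in the first post) or carry a wildcard name (advised against above for PEAP). The function name `Test-PeapServerCert` and its output columns are assumptions made for this illustration; the validity-period and Server Authentication EKU columns are general server-certificate checks added here, not points raised in the thread.

```powershell
# Added example: audit candidate PEAP server certificates on the NPS host.
# Test-PeapServerCert is a hypothetical helper name, not a built-in cmdlet.
function Test-PeapServerCert {
    param(
        # "Personal" store of the computer account, where the thread's cert was imported
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $now = Get-Date

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Collect EKU OIDs from the EKU extension, if the certificate has one.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
            }
        }

        # DNS name taken from the SAN if present, otherwise from the subject CN.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            # False when the CSR (and therefore the key) was generated on another device
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
            ServerAuthEku = ($ekuOids -contains $serverAuthOid)
            Wildcard      = ($dnsName.StartsWith('*') -or $cert.Subject -match 'CN=\*')
        }
    }
}

# Show only the certificates that should not be selected in the PEAP properties.
Test-PeapServerCert |
    Where-Object { -not $_.HasPrivateKey -or $_.Wildcard } |
    Format-Table -AutoSize
```

A certificate issued from a CSR generated on the controller and then imported on the server shows `HasPrivateKey = False` here, which matches the failure described in the first post.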
