Wireless Access

Hello all,

I am setting a new set of controllers for a customer and have questions regarding certificates. I was reading over this thread ( http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Server-Certificate-on-Controller/td-p/112483 )  for some help, and I think I get the jist of what I need to do, but I am still unclear since this is a multi-controller environment and this is the first time I'm doing something like this.

In this particular environment, we currently have two redundant masters and two redundant locals (more locals to be added down the road). What options do we have as far as certificates go? It is important to my customer that we are validating the server certificate when the user joins the network (we are using PEAP).

I want to make sure I go back to my customer armed with the correct knowledge and understanding of this. As far as I understand, these are the options that I have. Please let me know if there is another way to do this, and also please correct me if I am saying anything that is incorrect as I still do not have a full grasp on the way certificates work. 

1) Load a unique certificate on each controller, and a unique DNS record for each controller

2) Use a single certificate on multiple controllers, and add each controller's IP address to the same DNS record

3) Load a wildcard certificate on the controllers (*.securelogin.example.com), and resolve each controller's ip address uniquely in DNS (controller1.securelogin.example.com, controller2.securelogin.example.com, etc.)

Are all of these options correct, feasible, and supported? Is there another way? Did I screw any of these details up?

Also, how do we work in the fact that we want the masters to resolve as aruba-master.example.com? Should we just point the DNS record to the VRRP address, and and still have the controller IP addresses as securelogin.example.com?

We are running 6.3.1.3.

Thanks so much,

Tim

1.  For PEAP, only the Radius Server needs a certificate, not the controller.  Managing a certificate for each controller for 802.1x when you can  alternatively manage a single certificate for each radius server is a mistake.

2.  For Captive Portal, if you don't want your guest or company users to have an untrusted error every time they hit the captive portal you will need a public certificate that all your users will trust.  That could either involve (1) A  different certificate for each controller with the subject being the fqdn of each controller or (2) a single, identical certificate that has the SAN or Subject ALT Name filled out with the FQDN of each controller listed in the SAN field (https://www.digicert.com/subject-alternative-name.htm)

Here is an example of a cert with multiple fqdns in the Subject Alternative Name field below:  Of course, you will have to pay for each SAN that you have added to the certificate.  If you will have an environment where you have a VRRP and that is the ip address that the clients will be redirected to, you should make the SAN point to the VRRP.

A document on certificates that is specifically geared toward ClearPass, instead of controllers is here:  Certificates 101 V1.0  It speaks to certificates on ClearPass, but the concepts are the same...

Thanks for the response, it is certainly helpful. However, perhaps I should add that this particular company is using EAP termination on the controller. Does this change your response at all for #1?

Tim

Yes it does.

The big question is:  Why are they doing EAP termination?  Are they connecting all of their controllers to an LDAP server?

It appears from their old controller's configuration that they are just sending the credentials to a RADIUS server anyway even though they terminate EAP on the controller. Why they do it like that I do not yet know, so I'll update once I find out. I know they are using Microsoft IAS as their RADIUS server; certainly we don't need EAP termination for that, or do we?

They do NOT need Termination if they are using a Microsoft Radius Server.  They only need a Server certificate on the IAS server that is issued by their Domain Enterprise CA and disable termination.  Another reason to NOT do Termination, is that machine authentication does not work with termination enabled pointing to a MSFT Radius server.  That means (1) Sometimes no login script (2)New users cannot login to a laptop wirelessly if they did not log into it wired...

Thanks for the information so far cjoseph.

In regards to captive portal, you suggested either a unique cert for each controller, or a single cert that has every fqdn of every controller as a SAN. I don't think the latter is feasible since we don't know every controller name right now (they are planning to scale this deployment as they phase out their existing wireless infrastructure).

Shouldn't it be possible to just follow the suggestion listed here to accomplish the same thing?

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Multi-controller-captive-portal-SSL-certificate/td-p/22966

You can certainly upload the same certificate to all of your controllers with that method, (not sure if you are outside the CA's TOS) but the big question is how will each controller resolve to the same FQDN.  You might want to add a post to that thread to find out what steps were done in that regard.  (a.k.a. I don't recommend anything that I have not done personally)

Hi everyone.

Which is the procedure for the same certificate import in multiple controllers?

Thanks