Occasional Contributor II

Survivability eap-tls

Hi

We have several remote locations which have a controller installed. The RADIUS servers are located at the HQ office. We are running EAP-TLS on our PCs. When we had a WAN outage, all clients dropped off the network due to the lost connection to RADIUS. To try to fix this issue, I have enabled auth-survivability on the controllers. What I have understood so far is that auth-survivability works well for PEAP. For EAP-TLS, a certificate has to be installed on the controller to be used with auth-survivability.

Our certificate chain is CA, intermediate and client certificate.

Which certificate(s) should I use with auth-survivability?

BR

Vollelv

Guru Elite

Re: Survivability eap-tls

The RADIUS server certificate needs to be installed on the controller along with the rest of the trust chain.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Survivability eap-tls

Thanks for the reply.
Is it possible to export the certificate with the chain from ClearPass?

BR

Vollelv

Guru Elite

Re: Survivability eap-tls

ClearPass will export as key and cert. You can use openssl to convert it to a PFX with chain.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
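
The conversion described in the reply above, as an added example that is not part of the original thread or of any vendor documentation: it checks that the exported key matches the certificate and that the certificate chains through the intermediate to the root, and only then builds the PFX with `openssl pkcs12 -export`. All file names, subjects and the password are constructed placeholders, and `make_demo_chain` only creates a throwaway chain so the functions can be exercised offline.

```shell
#!/bin/sh
# Added example. File names, subjects and passwords are constructed placeholders.

# make_demo_chain DIR: throwaway root -> intermediate -> server chain for testing.
make_demo_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=radius.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# build_pfx KEY CERT INTERMEDIATE ROOT OUT PASSWORD
# Returns 2 if the key does not match the cert, 3 if the chain does not verify.
build_pfx() {
  key=$1 cert=$2 inter=$3 root=$4 out=$5 pass=$6
  # 1. The private key must belong to the server certificate.
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
    echo "key does not match certificate" >&2; return 2
  fi
  # 2. The chain must validate: server cert -> intermediate -> root.
  openssl verify -CAfile "$root" -untrusted "$inter" "$cert" >/dev/null 2>&1 ||
    { echo "certificate does not chain to the root" >&2; return 3; }
  # 3. Bundle key, server cert and CA certs; the password is passed through
  #    the environment so it does not appear in the process list.
  cat "$inter" "$root" > "$out.chain" &&
  PFX_PASS="$pass" openssl pkcs12 -export -inkey "$key" -in "$cert" \
    -certfile "$out.chain" -out "$out" -passout env:PFX_PASS &&
  rm -f "$out.chain"
}

# pfx_cert_count PFX PASSWORD: number of certificates stored in the bundle.
pfx_cert_count() {
  PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}
```

A bundle built from a server certificate, one intermediate and the root should report three certificates from `pfx_cert_count` before it is uploaded.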
Occasional Contributor II

Re: Survivability eap-tls

Thanks again.

I have now uploaded the certificate on the controller and added it to auth-survivability.

I have not yet tested that it really works. Am I right that a client can reauthenticate as long as he has a record in the auth-survivability-cache?

We also have a lot of AP clusters where auth-survivability is activated. Should I upload the ClearPass certificate as an auth server certificate on the master AP?

BR

Vollelv

Guru Elite

Re: Survivability eap-tls

Yes, auth-survivability works for clients who authenticated prior to the loss of connectivity to the RADIUS server.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Survivability eap-tls

Thanks!

Do you know anything about my last question?

We also have a lot of AP clusters where auth-survivability is activated. Should I upload the ClearPass certificate as an auth server certificate on the master AP?

BR

Vollelv

Occasional Contributor II

Re: Survivability eap-tls

I have run a test today on an EAP-TLS client. The client was not able to reconnect. I have checked that the client was cached on the controller.

BR
Bjørn Vollelv
