Wireless Access

Reply

[Tutorial] EAP TLS Configuration Guide

Hello everyone i though in making a guide in which will tell you how to configure EAP TLS authentication for your WLAN... i just see manuals but with EAP PEAP but non with EAP TLS(The NPS Part)

 

Anyways

This manual assumes that:

1-You already got an Active directory working

2-You already installed NPS role on a server

3-You already got PKI infraestructure

 

First open your NPS and click on NPS local and on the right side pick radius server for 802.1x and then click on configure 802.1x

EAPTLS1.PNG

 

After that click on secure wireless connection

EAP TLS2.PNG

Enter the new radius client which will be the ip address of your controller, and put a preshare key that it will be used to communicate between the NPS and the radius client(your controller

EAP TLS3.PNG

 

Select microsoft smart card or certificate and click on configure... and inside of it put the certificate that you created for the server(in this case you should have request a certificate from this server using the mmc)

EAP TLS5.PNG

Click next next finish

 

Now here comes the tricky part...

You need to open the Network policy that you just created and go to settings in inside there click add and add a value for framed MTU and put this value in it 1344 like this

EAP TLS6.PNG

 

And well click OK

 

And now you are done the server part.... after this you should be able to use EAP TLS

 

The last part of the Framed MTU is something you need because in some cases, switches, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.  And if you dont configure this it will drop it and you will see it will not work... so just configure it! so that way the EAP payloads maximum size is reduced.

 

If there something that was not clear let me know and ill modify this tutorial.

 

If you want me to add something else maybe how to configure the Clients? how to configure the controller part let me know and i ll add it.   I just considered to show you guys how to configure the NPS part because actually that last part of the framed MTU is the tricky part... people just dont know and  they will think it just doesnt work but well you missing that.

 

Hope it help you all

 

Cheers

Carlos

 

[Mod note: edited subject line for readability]

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Regular Contributor II

Re: [Tutorial] EAP TLS Configuration Guide

This is pretty high level stuff.  Those of us that have never worked with a company PKI/CA server might have some problems when it comes to generating and installing the certificate on the server side.....as well as the client side.

 

I've installed self-signed certs and set up PEAP on 2003.  2008 changed things up a little bit and your guide is very helpful for finding some of the things that I was familiar with, but not sure where they were located.

 

I'll be testing an EAP-TLS, PEAP-TLS solution shortly and would benefit with more details regarding the stuff I mentioned above.  I realize that ClearPass would make my life a whole lot easier, but I don't believe that is an option at this time.

Re: [Tutorial] EAP TLS Configuration Guide

which kind of detail you are looking for?

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: [Tutorial] EAP TLS Configuration Guide

it would be nice to be able to understand how to troubleshoot.

for example, if i have deployed an identity certificate on my laptop, how does the aruba determine that the DN of my certificate should be trusted.   is it just because it was issued by the same CA as the cert on my controller or does it match the CA against the cert on the Radius server?

 

I have a configuration where aruba-user-vlan is being assigned by the NPS server.  this works fine for users but my computer login fails.  I can enable 'enforce machine auth' on the aruba but this results in my dynamic user vlan being ignored.

I have used "terminate" option on the aruba 802.1x config.  This probably works because i have generated a cert for the aruba controller from my NPS CA server.   If i disable "terminate", then I can no longer authenticate with either computer or user.

 

 

 

Guru Elite

Re: [Tutorial] EAP TLS Configuration Guide

With NPS it's based on mutual trust with the certificate you choose in your Connect Request Policy.

 

When you use a policy engine like ClearPass, you can make decisions based off the various attributes embedded in the certificate.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: