Wireless Access

New Contributor
Posts: 4
Registered: ‎03-24-2015

password & certificate based authentication

Hi

Our client is an enterprise with a pair of 7210 controllers and many AP225 access points.

They would like to deploy a very secure authentication method to:

1. Ensure that only clients with a certificate installed on their devices can join the network.

2. Ensure the user-supplied credentials (username, password) get authenticated against Active Directory.

I understood that EAP-TLS supports only certificate-based authentication without checking the username and password, and that the other authentication methods which support password authentication do not support mutual certificate authentication. So I would like to know how the customer can have both user/password AND certificate-based authentication for its users.

I appreciate your replies.

Reza


Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: password & certificate based authentication

Hi,

Your requirement can be fulfilled with dot1x with EAP-TLS and MSCHAPv2.

In this auth process, a secure tunnel will be created using EAP-TLS (with client and server certificates), and then the user credentials will be shared through the secure tunnel with MSCHAP.

The user should be authenticated against AD, LDAP or another source, depending on the server group you have configured and mapped to the AAA profile.

Please feel free to ask if you need more clarity on this.

 

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
New Contributor
Posts: 4
Registered: ‎03-24-2015

Re: password & certificate based authentication

Hi Venu

Thanks for your reply. I would like to do the same. Can you help me to understand more:

1. Do I need to terminate the EAP on the controller or on the RADIUS server?

2. How do I configure the controller to use both EAP-TLS and MSCHAPv2 for authentication?

3. Can I use a single RADIUS (NPS) on Windows Server 2012?

I'm running ArubaOS 6.4.

 

Thanks

Reza


Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: password

The only way you can currently do this is to use EAP-TLS and then have the user authenticate to a captive portal with their username and password.

The idea with certificate authentication is to eliminate passwords.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: password & certificate based authentication

Hi,

If you don't have a valid server certificate, you have to terminate it on the controller; otherwise terminate it on the server.

Configuration depends on your termination. If you terminate it on the controller, you have to select the outer and inner type as shown in the pic.

EAP1.png

Else, if you terminate on the server, you need to configure it on the server, and the client and server will negotiate and use one of the available inner tunnel methods (PAP/MSCHAP).

If you want server failover you need to configure multiple servers; otherwise a single server should be OK. You can configure servers and map them to a server group, and the group to an AAA profile.

Hope you got some clarity; if not, feel free to come back.

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
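As an added illustration (not from any poster in this thread), the two controller-side shapes Venu describes, written as ArubaOS 6.x CLI: EAP terminated on the controller with a PEAP outer and MSCHAPv2 inner method, and EAP passed through to an external RADIUS server group for failover. Server names, addresses and the shared secret are placeholders, the `!`-prefixed lines are annotations rather than commands, and the command syntax is recalled from ArubaOS 6.x and should be checked against the CLI reference for your release.

```text
! Added example; placeholder names and values. Lines starting with "!" are notes.
! Option A: EAP terminated on the controller (the "outer and inner type" choice).
! Outer method PEAP, inner method MSCHAPv2; the controller presents its own server certificate.
aaa authentication dot1x "dot1x-term-peap"
   termination enable
   termination eap-type eap-peap
   termination inner-eap-type eap-mschapv2
!
! Option B: EAP passed through to external RADIUS (Windows NPS); the controller only relays EAP.
aaa authentication-server radius "NPS-1"
   host 192.0.2.10
   key <shared-secret>
aaa authentication-server radius "NPS-2"
   host 192.0.2.11
   key <shared-secret>
!
! Two servers in one group give the failover mentioned above.
aaa server-group "NPS-GROUP"
   auth-server "NPS-1"
   auth-server "NPS-2"
!
aaa authentication dot1x "dot1x-passthrough"
   no termination enable
!
! The AAA profile ties the dot1x profile and the server group together.
aaa profile "corp-aaa"
   authentication-dot1x "dot1x-passthrough"
   dot1x-server-group "NPS-GROUP"
!
```

In either option the supplicant on the client must keep server-certificate validation enabled, as Tim notes later in the thread; neither option makes a client certificate mandatory alongside the MSCHAPv2 password in one EAP exchange.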
Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: password

Using EAP-PEAP or EAP-TTLS is not dual factor. Those methods use a certificate for the server's identity only. It is not mutual.

Also, you should never have "Validate server certificate" unchecked in a production environment.


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎03-24-2015

Re: password & certificate based authentication

Hi Venu

I don't want to terminate it on the controller; I would like to use an external Windows RADIUS server.

In this case, how do I need to configure the controller? Just to forward to the RADIUS server?

What configuration needs to be applied on the server and client?

I have opened a ticket with Aruba also, but they are saying that it's not possible. :(

Guru Elite
Posts: 8,321
Registered: ‎09-08-2010

Re: password & certificate based authentication

TAC is correct. This is not possible natively without layering on a captive portal.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor
Posts: 4
Registered: ‎03-24-2015

Re: password & certificate based authentication

Thanks Tim.

I think it's clear: the certificate-based and tunneling-based EAP methods are different and cannot be mixed.

eap.JPG

Valued Contributor II
Posts: 804
Registered: ‎12-01-2014

Re: password & certificate based authentication

Hi,

If you don't terminate on the controller, you don't need to configure anything on the controller, because the traffic is not visible to the controller (it will pass through the controller). That is the primary objective of creating a secure tunnel between the client and the controller.

Coming to the config at the client and the server side:

Client:

Step 1:

Open the WL client connection profile, select the "Security" tab and select the EAP type as shown in the pic.

EAP_2.png

Step 2:

Click on Settings and select "User Authentication Method" as "EAP-MSCHAP V2" as shown in the pic.

EAP3.png

On the server, I have snapshots for IAS; it should be the same for NPS as well.

Select Remote Access Policy --> Edit Profile --> Authentication --> EAP Methods as shown in the pic.

EAP4.png

Try it and let me know if you need any further help on this.

Cheers,
Venu Puduchery,
[Has my post helped you? Give Kudos :) ]