Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Survivability eap-tls

  • 1.  Survivability eap-tls

    Posted Jul 11, 2016 02:45 AM

    Hi

    We have several remote locations which have a controller installed. The RADIUS servers are located at the HQ office. We are running EAP-TLS on our PCs. When we had a WAN outage, all clients dropped off the network due to the lost connection to RADIUS. To try to fix this issue, I have enabled auth-Survivability on the controllers. What I have understood so far is that auth-Survivability works well for PEAP. For EAP-TLS a certificate has to be installed on the controller to be used with auth-Survivability.

    Our certificate chain is CA, intermediate and client certificate.

    Which certificate(s) should I use with auth-Survivability?

     

    BR

    Vollelv



  • 2.  RE: Survivability eap-tls

    Posted Jul 11, 2016 02:46 AM
    The RADIUS server certificate needs to be installed on the controller along with the rest of the trust chain.


  • 3.  RE: Survivability eap-tls

    Posted Jul 11, 2016 02:51 AM

    Thanks for the reply.
    Is it possible to export the certificate with the chain from ClearPass?

     

    BR

    Vollelv



  • 4.  RE: Survivability eap-tls

    Posted Jul 11, 2016 03:02 AM
    ClearPass will export as key and cert. You can use openssl to convert it to a PFX with chain.
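
The openssl conversion mentioned in the reply above, as an added example that is not part of the original thread and is not Aruba's own procedure. It checks that the chain validates and that the key matches the server certificate before packaging them as a PFX. The file names, subject names, the `PFX_PASS` variable and the throwaway chain it generates are constructed assumptions standing in for the files exported from ClearPass.

```bash
#!/usr/bin/env bash
# Added example: subjects, file names and the password are constructed sample values.
set -eu

new_key_csr() {  # $1 = base name, $2 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Throwaway root -> intermediate -> server chain so the script runs offline.
make_sample_chain() (  # $1 = work dir
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  new_key_csr root "Sample Root CA"
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null
  new_key_csr int "Sample Intermediate CA"
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.ext -out int.pem 2>/dev/null
  new_key_csr server "radius.example.test"
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null
)

# $1 key, $2 server cert, $3 intermediate, $4 root, $5 output PFX; password in $PFX_PASS
build_pfx() {
  # Refuse to package a chain that does not validate or a key that does not match.
  openssl verify -CAfile "$4" -untrusted "$3" "$2" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ] || return 1
  cat "$3" "$4" > "$5.chain"
  # env: keeps the password out of the process list; umask keeps the PFX private.
  ( umask 077; openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$5.chain" \
      -name radius-server -passout env:PFX_PASS -out "$5" )
  rm -f "$5.chain"
}

pfx_cert_count() {  # $1 = PFX; prints how many certificates it carries
  openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
export PFX_PASS='constructed-sample-password'
make_sample_chain "$work"
build_pfx "$work/server.key" "$work/server.pem" "$work/int.pem" "$work/root.pem" "$work/server.pfx"
echo "certificates in PFX: $(pfx_cert_count "$work/server.pfx")"
```

With a real export, skip `make_sample_chain` and pass the exported key and certificate plus your own intermediate and root CA files to `build_pfx`.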


  • 5.  RE: Survivability eap-tls

    Posted Jul 11, 2016 04:07 AM

    Thanks again.

    I have now uploaded the certificate on the controller and added it to auth-survivability.

    I have not yet tested that it really works. Am I right that a client can reauthenticate as long as it has a record in the auth-survivability-cache?

     

    We also have a lot of AP clusters where auth-survivability is activated. Should I upload the ClearPass certificate as an auth server certificate on the master AP?

     

    BR

    Vollelv



  • 6.  RE: Survivability eap-tls

    Posted Jul 11, 2016 12:39 PM

    Yes, auth-survivability works for clients who authenticated prior to the loss of connectivity to the RADIUS server.



  • 7.  RE: Survivability eap-tls

    Posted Jul 12, 2016 01:16 AM

    Thanks!

    Do you know anything about my last question?

     

    We also have a lot of AP clusters where auth-survivability is activated. Should I upload the ClearPass certificate as an auth server certificate on the master AP?

     

    BR

    Vollelv



  • 8.  RE: Survivability eap-tls

    Posted Jul 19, 2016 10:37 AM

    I have run a test today on an EAP-TLS client. The client was not able to reconnect. I have checked that the client was cached on the controller.

    BR
    Bjørn Vollelv