Hello everyone i though in making a guide in which will tell you how to configure EAP TLS authentication for your WLAN... i just see manuals but with EAP PEAP but non with EAP TLS(The NPS Part)
This manual assumes that:
1-You already got an Active directory working
2-You already installed NPS role on a server
3-You already got PKI infraestructure
First open your NPS and click on NPS local and on the right side pick radius server for 802.1x and then click on configure 802.1x
After that click on secure wireless connection
Enter the new radius client which will be the ip address of your controller, and put a preshare key that it will be used to communicate between the NPS and the radius client(your controller
Select microsoft smart card or certificate and click on configure... and inside of it put the certificate that you created for the server(in this case you should have request a certificate from this server using the mmc)
Click next next finish
Now here comes the tricky part...
You need to open the Network policy that you just created and go to settings in inside there click add and add a value for framed MTU and put this value in it 1344 like this
And well click OK
And now you are done the server part.... after this you should be able to use EAP TLS
The last part of the Framed MTU is something you need because in some cases, switches, routers or firewalls drop packets because they are configured to discard packets that require fragmentation. And if you dont configure this it will drop it and you will see it will not work... so just configure it! so that way the EAP payloads maximum size is reduced.
If there something that was not clear let me know and ill modify this tutorial.
If you want me to add something else maybe how to configure the Clients? how to configure the controller part let me know and i ll add it. I just considered to show you guys how to configure the NPS part because actually that last part of the framed MTU is the tricky part... people just dont know and they will think it just doesnt work but well you missing that.
Hope it help you all
[Mod note: edited subject line for readability]
This is pretty high level stuff. Those of us that have never worked with a company PKI/CA server might have some problems when it comes to generating and installing the certificate on the server side.....as well as the client side.
I've installed self-signed certs and set up PEAP on 2003. 2008 changed things up a little bit and your guide is very helpful for finding some of the things that I was familiar with, but not sure where they were located.
I'll be testing an EAP-TLS, PEAP-TLS solution shortly and would benefit with more details regarding the stuff I mentioned above. I realize that ClearPass would make my life a whole lot easier, but I don't believe that is an option at this time.
which kind of detail you are looking for?
it would be nice to be able to understand how to troubleshoot.
for example, if i have deployed an identity certificate on my laptop, how does the aruba determine that the DN of my certificate should be trusted. is it just because it was issued by the same CA as the cert on my controller or does it match the CA against the cert on the Radius server?
I have a configuration where aruba-user-vlan is being assigned by the NPS server. this works fine for users but my computer login fails. I can enable 'enforce machine auth' on the aruba but this results in my dynamic user vlan being ignored.
I have used "terminate" option on the aruba 802.1x config. This probably works because i have generated a cert for the aruba controller from my NPS CA server. If i disable "terminate", then I can no longer authenticate with either computer or user.
With NPS it's based on mutual trust with the certificate you choose in your Connect Request Policy.
When you use a policy engine like ClearPass, you can make decisions based off the various attributes embedded in the certificate.
This article is very interesting
We have a functionning PEAP (MS-CHAPv2) authentification infrastructure with a NPS server
We would like to move to a EAP-LTS authentication method and we already have a valid PKI
Could you send the EAL-TLS configuration on the Aruba controller side ?
The controller configuration for EAP-TLS and EAP-PEAP is identical. It is the client that needs to be configured, along with the Radius Server to make EAP-TLS work.
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.