Wireless Access

last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

[Tutorial] EAP TLS Configuration Guide

  • 1.  [Tutorial] EAP TLS Configuration Guide

    Posted May 30, 2013 12:48 AM

    Hello everyone i though in making a guide in which will tell you how to configure EAP TLS authentication for your WLAN... i just see manuals but with EAP PEAP but non with EAP TLS(The NPS Part)

     

    Anyways

    This manual assumes that:

    1-You already got an Active directory working

    2-You already installed NPS role on a server

    3-You already got PKI infraestructure

     

    First open your NPS and click on NPS local and on the right side pick radius server for 802.1x and then click on configure 802.1x

    EAPTLS1.PNG

     

    After that click on secure wireless connection

    EAP TLS2.PNG

    Enter the new radius client which will be the ip address of your controller, and put a preshare key that it will be used to communicate between the NPS and the radius client(your controller

    EAP TLS3.PNG

     

    Select microsoft smart card or certificate and click on configure... and inside of it put the certificate that you created for the server(in this case you should have request a certificate from this server using the mmc)

    EAP TLS5.PNG

    Click next next finish

     

    Now here comes the tricky part...

    You need to open the Network policy that you just created and go to settings in inside there click add and add a value for framed MTU and put this value in it 1344 like this

    EAP TLS6.PNG

     

    And well click OK

     

    And now you are done the server part.... after this you should be able to use EAP TLS

     

    The last part of the Framed MTU is something you need because in some cases, switches, routers or firewalls drop packets because they are configured to discard packets that require fragmentation.  And if you dont configure this it will drop it and you will see it will not work... so just configure it! so that way the EAP payloads maximum size is reduced.

     

    If there something that was not clear let me know and ill modify this tutorial.

     

    If you want me to add something else maybe how to configure the Clients? how to configure the controller part let me know and i ll add it.   I just considered to show you guys how to configure the NPS part because actually that last part of the framed MTU is the tricky part... people just dont know and  they will think it just doesnt work but well you missing that.

     

    Hope it help you all

     

    Cheers

    Carlos

     

    [Mod note: edited subject line for readability]



  • 2.  RE: [Tutorial] EAP TLS Configuration Guide

    Posted Jun 09, 2014 01:40 PM

    This is pretty high level stuff.  Those of us that have never worked with a company PKI/CA server might have some problems when it comes to generating and installing the certificate on the server side.....as well as the client side.

     

    I've installed self-signed certs and set up PEAP on 2003.  2008 changed things up a little bit and your guide is very helpful for finding some of the things that I was familiar with, but not sure where they were located.

     

    I'll be testing an EAP-TLS, PEAP-TLS solution shortly and would benefit with more details regarding the stuff I mentioned above.  I realize that ClearPass would make my life a whole lot easier, but I don't believe that is an option at this time.



  • 3.  RE: [Tutorial] EAP TLS Configuration Guide

    Posted Jun 09, 2014 02:00 PM

    which kind of detail you are looking for?

     

    Cheers

    Carlos



  • 4.  RE: [Tutorial] EAP TLS Configuration Guide

    Posted Nov 21, 2014 07:15 AM

    it would be nice to be able to understand how to troubleshoot.

    for example, if i have deployed an identity certificate on my laptop, how does the aruba determine that the DN of my certificate should be trusted.   is it just because it was issued by the same CA as the cert on my controller or does it match the CA against the cert on the Radius server?

     

    I have a configuration where aruba-user-vlan is being assigned by the NPS server.  this works fine for users but my computer login fails.  I can enable 'enforce machine auth' on the aruba but this results in my dynamic user vlan being ignored.

    I have used "terminate" option on the aruba 802.1x config.  This probably works because i have generated a cert for the aruba controller from my NPS CA server.   If i disable "terminate", then I can no longer authenticate with either computer or user.

     

     

     



  • 5.  RE: [Tutorial] EAP TLS Configuration Guide

    Posted Nov 21, 2014 07:52 AM

    With NPS it's based on mutual trust with the certificate you choose in your Connect Request Policy.

     

    When you use a policy engine like ClearPass, you can make decisions based off the various attributes embedded in the certificate.



  • 6.  RE: [Tutorial] EAP TLS Configuration Guide

    Posted Jan 31, 2018 04:56 AM

    Hello,

     

    This article is very interesting


    We have a functionning PEAP (MS-CHAPv2) authentification infrastructure with a NPS server

     

    We would like to move to a EAP-LTS authentication method and we already have a valid PKI

     

    Could you send the EAL-TLS configuration on the Aruba controller side ?

     



  • 7.  RE: [Tutorial] EAP TLS Configuration Guide

    Posted Jan 31, 2018 05:00 AM

    The controller configuration for EAP-TLS and EAP-PEAP is identical.  It is the client that needs to be configured, along with the Radius Server to make EAP-TLS work.