Wireless Access

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Question about the 802.1x certificate

  • 1.  Question about the 802.1x certificate

    Posted Nov 27, 2011 08:41 PM

    Hi, dear,

    I have two basic questions to ask, since I am not very clear about the certificate.

    1. When the Aruba controller passes 802.1x traffic through to the AAA server, if the client still wants to "use certificate", does the certificate depend only on the RADIUS server, such as a Windows IAS?

       So in that case, can I consider that I don't need to import or export any certificate in the Aruba controller, but the certificate between the wireless client side and Windows IAS should be created?

    2. If the controller is configured to 'terminate' EAP-PEAP and EAP-TLS, how can I import or export the certificate in the client and in the controller?

     

     

    Thank you very much !



  • 2.  RE: Question about the 802.1x certificate
    Best Answer

    Posted Nov 27, 2011 09:22 PM

    1.  Certificates, by default, are configured on the client and the RADIUS server.  In that case, you do not need to import any certificates into the Aruba Controller.

     

    2.  If you want to enable termination on the Aruba controller, this is done if you cannot obtain a certificate for the radius server.

    In this case, a certificate is imported into the Aruba Controller.

     

     To see how to import certificates into the Aruba Controller from certificate authorities like Verisign, please see the document here:  http://community.arubanetworks.com/aruba/attachments/aruba/115/6760/1/aruba-certificates.pdf

     



  • 3.  RE: Question about the 802.1x certificate

    Posted Nov 27, 2011 11:00 PM
    THANK YOU !


  • 4.  RE: Question about the 802.1x certificate

    Posted Dec 08, 2011 06:03 PM
    Can the controller terminate EAP-TLS with this test cert?
    I am having difficulties creating a server cert using an enterprise CA..
    http://community.arubanetworks.com/t5/Authentication-and-Access/EAP-TLS-Authenication/m-p/19518#M110


  • 5.  RE: Question about the 802.1x certificate

    Posted Dec 08, 2011 06:20 PM

    Please try the attached from scratch.  Oldie but a goodie.

     

    Attachment: EAP-TLS Termination-2.docx (2.10MB)


  • 6.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 09:42 AM

    This looks like what I need..

     

    Just a few questions..

     

    This is using a standalone CA?

     

    The web browser cert is the "user" cert?

     

     



  • 7.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 09:51 AM

    This is an enterprise domain CA.

     

    The browser Cert depends on what you are requesting.  You need to use IE to request it.

     



  • 8.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 09:54 AM

    I built the CA using this as the format.. I didn't see the same options as the ones in the document you posted.. Is it different since I am using Server 2008?

     



  • 9.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 09:55 AM

    Do you see options to request a certificate?  Are you using Internet Explorer to request?

     



  • 10.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 09:57 AM

    I saw the options, just not all of them.. I am using IE.

    I'll post screenshots once I get done rebuilding the CA..

    I also don't have to go back and approve the CSR from the controller; it is approved automatically.. I then get the screenshot in 3.jpg. When I try to upload this cert as a PEM format it fails, but as a DEM it works fine..

    I am continuing on with the settings and I don't have "Inner EAP-Type - eap-tls". I have

     

    Termination Inner EAP-Type - eap-mschapv2 and eap-gtc
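
The upload result described in the post above depends on which encoding the CA actually returned. The following is an added example, not from the thread or from Aruba's documentation, that identifies a certificate file's encoding from its content and wraps DER in PEM armor. It assumes the "DEM" in the post means DER; the function names are hypothetical and `SAMPLE_DER` is a constructed stand-in with only a valid outer ASN.1 header, not a real certificate.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in: a DER SEQUENCE header declaring 256 content bytes,
# followed by 256 zero bytes. Not a real certificate.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)

def der_total_length(data: bytes) -> int:
    """Length of the outer DER SEQUENCE (header + content), or -1 if invalid."""
    if len(data) < 2 or data[0] != 0x30:   # 0x30 = SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                       # short form: length in one byte
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def pem_body(data: bytes):
    """Decoded DER bytes of the first PEM certificate block, or None."""
    m = PEM_RE.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    except ValueError:                     # binascii.Error subclasses ValueError
        return None

def detect_encoding(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' based on content, not file extension."""
    body = pem_body(data)
    if body is not None:
        return "pem" if der_total_length(body) == len(body) else "unknown"
    return "der" if der_total_length(data) == len(data) else "unknown"

def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with 64-character lines."""
    if detect_encoding(der) != "der":
        raise ValueError("input is not a single DER object")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")
```

A truncated or padded file is reported as `unknown` because the declared ASN.1 length no longer matches the byte count, which separates a damaged download from a format mismatch.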



  • 11.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 10:12 AM

    Despite what the instructions I posted said, all you need to do is:

     

    1.  Configure the Radius Server entry on the Aruba Controller

    2.  Run the LAN WLAN Wizard and create a WPA2-AES SSID that points to that Radius server

    3.  On the Radius server, of course create a client entry for the Aruba Controller

    4.  On the Radius server, create a remote access policy that has "Smartcard", instead of PEAP allowing users/devices

    5.  Browse to the certificate server with the client using the http://x.x.x.x/CertSrv and request a client cert.  Install it on that client

    6.  Create a WLAN entry on the client that is WPA2-AES with "SmartCard or Certificate" and allow simple cert selection

    7.  Connect it to the Broadcasted SSID and you should be done.

     

    All the termination stuff and signing is not necessary.  It is for EAP-TLS termination which is an advanced topic.

    AAA test server will not work unless in a remote access policy you are allowing peap, EAP-PEAP which is username and password authentication.  There is no such test for certificate-based authentication.

     

    In a true domain, Step 5 can be eliminated by configuring an autoenrollment group policy so that all clients automatically get certs when they contact the domain.

     

    I hope this even helps.

     



  • 12.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 10:31 AM

     It is for EAP-TLS termination which is an advanced topic.

     



    This is what I need..



  • 13.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 10:53 AM

    Yes, but you should get straightforward TLS working before you can add TLS Termination.

     



  • 14.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 11:03 AM

    I got everything working.. I forgot to go back and change the NPS to cert based instead of PEAP.. Thanks for the help..



  • 15.  RE: Question about the 802.1x certificate

    Posted Dec 09, 2011 11:05 AM

    Glad to hear it!