I have two basic questions to ask, since I'm not very clear about certificates.
1. When the Aruba controller passes 802.1x traffic through to the AAA server, if the client still wants to "use certificate", does the certificate only depend on the RADIUS server, such as a Windows IAS?
So in that case, can I consider that I don't need to import or export any certificate in the Aruba controller, but the certificate between the wireless client side and Windows IAS should be created?
2. If the controller is configured to 'terminate' EAP-PEAP and EAP-TLS, how can I import or export the certificate in the client and in the controller?
Thank you very much!
1. Certificates, by default, are configured on the client and the Radius server. In that case, you do not need to import any certificates into the Aruba Controller.
2. If you want to enable termination on the Aruba controller, this is done if you cannot obtain a certificate for the radius server.
In this case, a certificate is imported into the Aruba Controller.
To see how to import certificates into the Aruba Controller from certificate authorities like Verisign, please see the document here: http://community.arubanetworks.com/aruba/attachments/aruba/115/6760/1/aruba-certificates.pdf
Please try the attached from scratch. Oldie but a goodie.
This looks like what I need..
Just a few questions..
Is this using a standalone CA?
Is the web browser cert the "user" cert?
This is an enterprise domain CA.
The browser Cert depends on what you are requesting. You need to use IE to request it.
I built the CA using this as the format. I didn't see the same options as the ones in the document you posted. Is it different since I am using Server 2008?
Do you see options to request a certificate? Are you using Internet Explorer to request?
I saw the options, just not all of them. I am using IE.
I'll post screenshots once I get done rebuilding the CA.
I also don't have to go back and approve the CSR from the controller; it is approved automatically. I then get the screenshot in 3.jpg. When I try to upload this cert in PEM format it fails, but as a DEM it works fine.
I am continuing on with the settings and I don't have "Inner EAP-Type - eap-tls". I have
Termination Inner EAP-Type - eap-mschapv2 and eap-gtc
Despite what the instructions I posted said, all you need to do is:
1. Configure the Radius Server entry on the Aruba Controller
2. Run the LAN WLAN Wizard and create a WPA2-AES SSID that points to that Radius server
3. On the Radius server, of course create a client entry for the Aruba Controller
4. On the Radius server, create a remote access policy that has "Smartcard", instead of PEAP allowing users/devices
5. Browse to the certificate server with the client using the http://x.x.x.x/CertSrv and request a client cert. Install it on that client
6. Create a WLAN entry on the client that is WPA2-AES with "SmartCard or Certificate" and allow simple cert selection
7. Connect it to the Broadcasted SSID and you should be done.
All the termination stuff and signing is not necessary. It is for EAP-TLS termination which is an advanced topic.
AAA test server will not work unless in a remote access policy you are allowing peap, EAP-PEAP which is username and password authentication. There is no such test for certificate-based authentication.
In a true domain, Step 5 can be eliminated by configuring an autoenrollment group policy so that all clients automatically get certs when they contact the domain.
I hope this even helps.
It is for EAP-TLS termination which is an advanced topic.
This is what I need.
Yes, but you should get straightforward TLS working before you can add TLS Termination.
I got everything working. I forgot to go back and change the NPS to cert-based instead of PEAP. Thanks for the help.
Glad to hear it!