Wireless Access


Authentication Survivability in Aruba Central - AOS8

  • 1.  Authentication Survivability in Aruba Central - AOS8

    Posted Aug 17, 2022 10:39 AM
    Good afternoon,

    I'm currently creating a test environment in Aruba Central. This is based on a group in version AOS8(.10) with AP-505s.
    I've created a WLAN with Security Level 'Enterprise' based on EAP-TLS authentication.

    This all works and authentication happens towards two Clearpass servers that are remote.
    I'm now trying to configure Authentication Survivability, so that laptops that are successfully machine authenticated are cached.
    This cache can then be used for 24h, so that if our remote Clearpass isn't reachable, the laptop can still use the EAP-TLS WLAN.

    Basically, I've enabled Authentication Survivability under the WLAN profile under Security > Advanced Settings. Unfortunately, auth-survivability isn't working on my test laptop.

    The way I've tested:
    1. The laptop connects with the Wi-Fi and gets a successful authentication.
    2. The laptop is shown under 'show auth-survivability cached-info' with a remaining cache time of 1 day ahead.
    3. I removed the management VLAN of the Aruba AP on a switch that connects the AP with the internet. This makes sure the AP can't connect with our Clearpass.
    4. The laptop can't connect, because RADIUS times out.

    Am I missing something in my setup? I've read something about adding the certificates of the auth server and the CA, but I'm not sure where or how. Also it's hard to find documentation about this option.

    Best regards!


  • 2.  RE: Authentication Survivability in Aruba Central - AOS8

    EMPLOYEE
    Posted Aug 18, 2022 07:35 AM
    Documentation is here. One important thing that you didn't mention was that for EAP-TLS the RADIUS EAP Certificate needs to be uploaded to the IAP otherwise the client will not trust the AP when acting as authentication server. As well you need to have the RootCA that issued your client certificates uploaded, so the IAP can validate the client certificate.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Authentication Survivability in Aruba Central - AOS8

    Posted Aug 18, 2022 10:34 AM

    I did test with the certificates on the different places, but just to be sure, I've placed them at the following places:

    Under the Group > Devices > Security > Certificate Usage, I've placed the Clearpass cert under Authentication Server and the CA under Certificate Authority.


    That didn't help. There is also a 'Clearpass' place to add certificates, but that only accepts my CA and Intermediate.




  • 4.  RE: Authentication Survivability in Aruba Central - AOS8

    EMPLOYEE
    Posted Aug 19, 2022 04:13 AM
    I would upload the ClearPass EAP server certificate (make sure it is fully 'chained' with intermediates) as a Server certificate; then assign that as RADIUS Server -> Server.
    The RootCA that issued the client certificates, upload as Trusted CA, then assign as RADIUS Server -> Trusted CA.

    It should work similar to what is needed for EAP-TLS 'local' authentication; which is shown in this video.

    It won't hurt if you can make the local EAP-TLS work first, before switching on Auth Survivability.

    If that all doesn't work, I would run a packet capture on a client to see which certificates are exchanged. And compare the situation with ClearPass authentication versus the local/survivability situation. This may be hard to analyze, in which case working with your Aruba partner or Aruba support would be the best option.

    ------------------------------
    Herman Robers
    ------------------------------
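The two certificate requirements in the reply above (a server certificate that is fully chained with its intermediates, and a root CA that actually validates the client certificates) can be checked with openssl before anything is uploaded to the IAP. This is an added example, not code from the thread or from Aruba; it builds a throwaway PKI with constructed names (Example Root CA, Example Issuing CA, cp.example.test, laptop01.example.test) so it runs offline, and it assumes openssl 1.1.1 or newer is on the PATH.

```shell
#!/bin/sh
# Throwaway PKI plus the two pre-upload checks: is the server PEM fully
# chained, and does the root CA we plan to upload as Trusted CA validate
# a client certificate? All names below are constructed for this demo.
set -e
WORK=$(mktemp -d)

gen_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # Root CA (self-signed): stands in for the CA that issued the client certs.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Issuing (intermediate) CA signed by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # ClearPass EAP server cert and one machine (client) cert, both issued by the intermediate.
  for cn in cp.example.test laptop01.example.test; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$cn.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
      -CAcreateserial -days 30 -out "$WORK/$cn.pem" 2>/dev/null
  done
  # What you would upload as the RADIUS server certificate: leaf first, then the intermediate.
  cat "$WORK/cp.example.test.pem" "$WORK/int.pem" > "$WORK/cp-chained.pem"
}

# Succeeds only if $1 verifies up to root $2 using nothing but the certs bundled in $1,
# i.e. the intermediate really is inside the file (a bare leaf fails: unable to get local issuer).
chain_is_complete() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Succeeds if client cert $1 validates against root $3; $2 is the issuing CA the client
# presents in the EAP-TLS handshake, so it is treated as untrusted input, not as an anchor.
client_validates() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

gen_pki
chain_is_complete "$WORK/cp-chained.pem" "$WORK/root.pem" && echo "chained server PEM: OK"
chain_is_complete "$WORK/cp.example.test.pem" "$WORK/root.pem" || echo "bare server leaf: intermediate missing"
client_validates "$WORK/laptop01.example.test.pem" "$WORK/int.pem" "$WORK/root.pem" && echo "client cert validates against root: OK"
```

Run the same two functions against the real ClearPass EAP certificate export and your production root before uploading them; a bare leaf that fails chain_is_complete is the "not fully chained" case the reply warns about.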