Controllerless Networks


IAP515 Home Broadband Connection

  • 1.  IAP515 Home Broadband Connection

    Posted Nov 30, 2020 04:27 AM
    Hi

    We are potentially looking to use the external ClearPass interface for all RADIUS authentications for our office IAPs. To test this I have an IAP515 connected to a home broadband router, and Aruba Central has detected and connected to it. We have deployed our Azure OAuth SSID, but I am not seeing any RADIUS attempts coming from this IAP hitting our CPPM external interface. Is there anything specific that I am missing in the setup to get this working from a home broadband setup?

    ------------------------------
    Jeremy Smith
    ------------------------------


  • 2.  RE: IAP515 Home Broadband Connection

    Posted Dec 01, 2020 04:41 AM
    How is the RADIUS traffic supposed to reach your Clearpass server? It is not recommended to send that (unencrypted) over the internet but rather set up a VPN or use another connection that allows secure connectivity without NAT.

    How did you conclude that the traffic is not reaching the ClearPass? Did you capture the traffic?

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: IAP515 Home Broadband Connection

    Posted Dec 01, 2020 04:50 AM
    Sorry, forgot to add that we are using radsec for the communication over the internet to clearpass but having lots of issues with certificates and CA. We see the radsec comms but getting:
    TLS connection couldn't connect for *.*.*.*: Errors: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 4.  RE: IAP515 Home Broadband Connection

    Posted Dec 01, 2020 04:58 AM
    What type of certificates have you installed for Radsec on the ClearPass and IAP (like sourced from which CA)? Have you enabled the root (and intermediates) that issued the IAP Radsec certificate to the Trust list on ClearPass and enabled for Radsec? Does the IAP trust the ClearPass Radsec certificate?

    Message says that the root is not trusted, it's not fully clear where you collected that log and if it is the IAP not trusting ClearPass or vice-versa.

    For Radsec, having the certificates right is critical to make it work. That is also why it is typically not common to have Radsec deployed internally.

    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: IAP515 Home Broadband Connection

    Posted Dec 02, 2020 04:05 AM
    Hi Herman

    I am trying to use the same cert that I am using for HTTPS, which is a Sectigo wildcard cert. I have exported and imported it for RadSec in ClearPass, and the intermediate and root are already trusted. I then imported this as a CA in Central. Would I need to get a new client cert for the VC to use for RadSec?

    Thanks

    ------------------------------
    Jeremy Smith
    ------------------------------



  • 6.  RE: IAP515 Home Broadband Connection

    Posted Dec 02, 2020 04:26 AM
    For Radsec you need to have a certificate on the AP/VC/controller as well for Radsec and that certificate should be trusted by ClearPass (root and intermediates should be in Trust List and enabled for RadSec). You can use a public certificate, I did not try a wildcard for Radsec on the client side, but more common is to get a certificate from a private CA, like AD Certificate services or ClearPass Onboard should work as well.

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: IAP515 Home Broadband Connection

    Posted Dec 04, 2020 10:06 AM
    I just built RadSec in my lab, and you don't absolutely need a certificate on the IAP, you can also use the factory certificate which is in the TPM of the AP as the client certificate (and if you imported one already you can remove it with the command 'clear-cert radsec' on the CLI).

    Also during testing I got the same message: TLS connection couldn't connect for 192.168.33.160: Errors: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca; at which point I did not have the Root CA for the client cert that the IAP is using enabled for RadSec in the Trust List.

    For the AP hardware certificate, that is CN=Aruba Networks Trusted Computing Root CA 1.0,C=US,O=Aruba Networks,OU=Operations,OU=DeviceTrust; and it needs to be enabled for the Usage type RadSec.

    I tested as well with a Client certificate issued by the Onboard module. If you deployed your own client certificate, the Root CA for that needs to be enabled for RadSec.

    ------------------------------
    Herman Robers
    ------------------------------
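    The posts above turn on one question: which side of the RadSec TLS handshake sent the unknown_ca alert, and therefore which trust list needs the missing root. The following is an added example, not code from the thread or from Aruba/ClearPass. It does two things: it walks a raw TLS record stream (as you would pull from a packet capture) and decodes any alert records, and it classifies the OpenSSL error string quoted in the thread. The detail worth knowing is that an OpenSSL message of the form "tlsv1 alert <name>" raised in ssl3_read_bytes means the alert was received from the peer (so the peer rejected our certificate chain), whereas a local trust failure reads "certificate verify failed". The sample record bytes are constructed; the error string is the one from the thread.

```python
import re
import struct

# TLS record-layer content types (RFC 5246 / RFC 8446)
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS AlertDescription values that relate to certificate trust
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
    116: "certificate_required",
}


def parse_tls_records(data: bytes):
    """Split a raw TLS byte stream into (content_type, version, payload) tuples."""
    records = []
    offset = 0
    while offset + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            break  # truncated record: stop rather than mis-parse what follows
        records.append((ctype, version, payload))
        offset += 5 + length
    return records


def find_alerts(data: bytes):
    """Return [(level_name, description_name), ...] for every alert record in the stream."""
    alerts = []
    for ctype, _version, payload in parse_tls_records(data):
        if ctype == CONTENT_ALERT and len(payload) == 2:
            level, desc = payload[0], payload[1]
            alerts.append((ALERT_LEVELS.get(level, f"level_{level}"),
                           ALERT_DESCRIPTIONS.get(desc, f"alert_{desc}")))
    return alerts


def diagnose_alert(sender: str, description: str) -> str:
    """Map an alert plus the side that sent it to the trust list that needs attention.

    sender is 'server' (the RADIUS server, e.g. ClearPass) or 'client' (the IAP/VC).
    """
    if description != "unknown_ca":
        return f"{sender} sent {description}: inspect the offered certificate itself, not only the CA list"
    if sender == "server":
        return ("server rejected the client certificate chain: enable the client cert's root and "
                "intermediate CAs in the server trust list (ClearPass: Trust List, usage RadSec)")
    return ("client rejected the server certificate chain: add the server cert's root and "
            "intermediate CAs to the client's RadSec CA trust store")


# Matches OpenSSL strings such as error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
OPENSSL_ALERT_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):(?:tlsv1|sslv3|tls|ssl) alert (\w[\w ]*)")


def classify_openssl_error(message: str) -> dict:
    """Tell a received-alert error (peer rejected us) from a local verification failure."""
    m = OPENSSL_ALERT_RE.search(message)
    if m:
        return {"origin": "peer", "alert": m.group(3).strip().replace(" ", "_"), "function": m.group(2)}
    if "certificate verify failed" in message:
        return {"origin": "local", "alert": None, "function": None}
    return {"origin": "unknown", "alert": None, "function": None}


# Constructed sample: two records as seen going from the server to the client in a capture.
SAMPLE_SERVER_TO_CLIENT = (
    b"\x16\x03\x03\x00\x04\x02\x00\x00\x00"   # handshake record with a 4-byte stub body (constructed)
    + b"\x15\x03\x03\x00\x02\x02\x30"         # alert record: level 2 (fatal), description 48 (unknown_ca)
)
# The error string quoted in the thread (address as posted there).
SAMPLE_IAP_LOG = ("TLS connection couldn't connect for 192.168.33.160: Errors: "
                  "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca")

if __name__ == "__main__":
    for level, desc in find_alerts(SAMPLE_SERVER_TO_CLIENT):
        print(level, desc, "->", diagnose_alert("server", desc))
    print(classify_openssl_error(SAMPLE_IAP_LOG))
```

    Run against the thread's own error, the classifier reports origin "peer", which is exactly the situation Herman describes: the IAP's log is relaying ClearPass's refusal of the IAP's client certificate chain, so the fix lives in the ClearPass Trust List and not on the IAP.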



  • 8.  RE: IAP515 Home Broadband Connection

    Posted Dec 04, 2020 10:16 AM
    Yes, that is exactly what I found in my packet captures. Enabled the Aruba CA and it started to work. I also found that even with dynamic RADIUS enabled it was still using the private address of the AP instead of the public one, so I had to manually add the public IP as the NAS IP Address within the authentication server config in Aruba Central. Now all is working fine.

    Thanks for your help

    ------------------------------
    Jeremy Smith
    ------------------------------
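    The second problem in the post above, the AP sending its private address in NAS-IP-Address while ClearPass sees the packet arrive from the home router's public address, is easy to confirm from a capture. The following is an added example and not code from the thread or from any Aruba product: it builds a minimal RFC 2865 Access-Request with constructed attribute values, parses it back defensively, and compares the NAS-IP-Address attribute with the source address the server observed. A private NAS-IP-Address arriving from a non-RFC 1918 source is the NAT signature; the RFC 1918 test is done explicitly because Python's ipaddress module also classes the documentation ranges used for the sample public address as non-global.

```python
import ipaddress
import struct

# RADIUS packet code and attribute types from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_NAS_IDENTIFIER = 32

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in RFC1918)


def build_attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length covers all three."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Assemble Code, Identifier, Length, 16-byte Authenticator, then the attributes."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(build_attr(t, v) for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, {type: [value, ...]}); reject malformed input."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs = {}
    offset = 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(attr_type, []).append(packet[offset + 2:offset + attr_len])
        offset += attr_len
    return code, identifier, packet[4:20], attrs


def check_nas_ip(packet: bytes, source_ip: str) -> dict:
    """Compare NAS-IP-Address with the source address the server saw on the wire."""
    _code, _ident, _auth, attrs = parse_radius(packet)
    src = ipaddress.IPv4Address(source_ip)
    result = {"source_ip": str(src), "nas_ip": None, "matches_source": False, "behind_nat": False}
    raw = attrs.get(ATTR_NAS_IP_ADDRESS)
    if not raw or len(raw[0]) != 4:
        result["verdict"] = "no NAS-IP-Address attribute; the server must match the NAS by source address"
        return result
    nas = ipaddress.IPv4Address(raw[0])
    result["nas_ip"] = str(nas)
    result["matches_source"] = nas == src
    # Private NAS-IP-Address but public source: the NAS sits behind NAT, so a device
    # entry keyed on the NAS-IP-Address attribute will not match the sender.
    result["behind_nat"] = nas != src and is_rfc1918(nas) and not is_rfc1918(src)
    if result["matches_source"]:
        result["verdict"] = "NAS-IP-Address matches source; device lookup by IP will succeed"
    elif result["behind_nat"]:
        result["verdict"] = ("NAS behind NAT: NAS-IP-Address is private while the packet arrived from a "
                             "public source; set the public address as the NAS IP on the NAS side")
    else:
        result["verdict"] = "NAS-IP-Address differs from source; check the device entry and any proxy in the path"
    return result


# Constructed sample: an IAP on a home router (RFC 1918 address) reaching the server over the internet.
SAMPLE_AUTHENTICATOR = bytes(range(16))  # constructed, fixed so results are deterministic (real ones are random)
SAMPLE_PACKET = build_access_request(
    identifier=7,
    authenticator=SAMPLE_AUTHENTICATOR,
    attrs=[
        (ATTR_USER_NAME, b"jsmith@example.com"),                             # constructed
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address("192.168.1.20").packed),  # constructed private AP address
        (ATTR_NAS_IDENTIFIER, b"iap515-home-vc"),                            # constructed
        (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),                     # constructed
    ],
)
SAMPLE_PUBLIC_SOURCE = "203.0.113.10"  # constructed documentation-range address standing in for the router's WAN IP

if __name__ == "__main__":
    print(check_nas_ip(SAMPLE_PACKET, SAMPLE_PUBLIC_SOURCE)["verdict"])
```

    On the server side the same comparison is a useful detection rule: a NAS-IP-Address that does not match the source address, in either direction, is either a NATed device as here or a client sending a forged attribute, and both deserve a log entry before a device entry is edited to match.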



  • 9.  RE: IAP515 Home Broadband Connection

    Posted Mar 03, 2025 02:30 PM

    Hi @Herman Robers, how did you get this to work without uploading a RadSec server cert to ClearPass?

    I am leveraging the AP's TPM cert in Central (default RadSec client cert) and enabled the relevant Aruba Root CAs, but the tunnel will not come up since I am getting an Unknown CA error even though the proper CA is enabled.

    If I upload my own RadSec server cert in CPPM and then upload the relevant Root CA to match, it comes up, but I want to use the default because if I do this, Cloud Guest/Auth breaks.



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 10.  RE: IAP515 Home Broadband Connection

    Posted Mar 04, 2025 02:14 AM

    I think not all equipment supports multiple RadSec root CAs in the same device. Seems like you try to use Cloud Auth and CPPM at the same time, which would require different root CAs. In most cases people have either RadSec to CPPM or to Cloud Auth.

    Please check with TAC to see if it may be possible; I don't know.



    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 11.  RE: IAP515 Home Broadband Connection

    Posted Mar 04, 2025 10:40 AM

    Right now IAP and AOS 10 APs only directly support one RadSec option, either Cloud Auth/Guest or other. This limitation is being looked at.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 12.  RE: IAP515 Home Broadband Connection

    Posted Mar 04, 2025 01:39 PM

    I created a feature request to track this because I do have a need for this for a customer of ours and I can see deploying this type of scenario more and more. 

    WLAN-I-2103



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------



  • 13.  RE: IAP515 Home Broadband Connection

    Posted Mar 04, 2025 01:56 PM

    Pretty much a guarantee that the ask already exists (aka, "issue is already being looked at"). I would highly recommend you reach out to your channel contact on this subject for further information.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 14.  RE: IAP515 Home Broadband Connection

    Posted Mar 04, 2025 02:58 PM

    yup - already done 



    ------------------------------
    Aruba Partner Ambassador ACMP, ACDP, ACCP, ACEP
    ------------------------------