Wireless Access

 View Only
Expand all | Collapse all

Instant AP & EAP-TLS certificates

This thread has been viewed 14 times
  • 1.  Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 01:38 PM

    I have a customer who wants to set up their Instant AP's using EAP-TLS, to match the WLAN configuration they use in their head office.  They will be using the Instants with VPN to give roaming users access back to the office.  Kind of like a RAP, but without the RAP licensing.

     

    They are using an IAS server for Radius / 802.1x authentication.  

     

    My question is, how do I get this working with the Instant APs?  These will be deployed all over the place like RAP's with dynamic addresses.  So we can't create Radius Clients for them in IAS.

     

    I know that I can install certificates on the Instant and have EAP terminate on the Instant, but do I need to install a unique certificate on each Instant?   Or can use the same server certificate on each instant?  And what about the subject name, etc. for the certificate? 



  • 2.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 02:18 PM

    Just to get clarity, when you say Instant with VPN to give remote access back to office means, are we trying to terminate the Instant Access point to do VPN back to the head office controller ? please confirm. If yes, below link should give the procedure to configure it.

     

    http://community.arubanetworks.com/t5/Aruba-Instant/What-can-you-terminate-an-IAP-VPN-on/td-p/64756

     

    For instant on EAP-TLS, find below link.

     

    http://community.arubanetworks.com/t5/Aruba-Instant/IAP-TLS-authentication/td-p/48946

     

    Thanks!

     

    ****************************************************************************
    Aruba Airheads - Powered By community for empower the community
    ************ Don't Forget to Kudos + me,If i helped you******************

     

     



  • 3.  RE: Instant AP & EAP-TLS certificates
    Best Answer

    Posted Jul 23, 2013 02:26 PM

    If you have the PEFV license on the controller, you can alter the default-iap role and source-NAT RADIUS packets out of the controller.  From the perspective of IAS, ALL instant APs and sites would look like auth requests coming from the controller's IP and not the IAP's IP.  

     

    This is explained in detail in the Instant User guide which covers both the IAP config as well as the controller config.

     

    Config Stub

     

    (host) (config) #ip access-list session iaprole
    (host) (config-sess-iaprole)#any host <radius-server-ip> any src-nat <--- this line will source NAT ALL RADIUS requests to the IAS server as the Controller IP and NOT the individual IAP IPs.

    (host) (config-sess-iaprole)#any any any permit

    (host) (config-sess-iaprole)#!
    (host) (config) #user-role iaprole
    (host) (config-role) #session-acl iaprole

     

    You then apply that role to the "default-iap" auth profile found in "Authentication --> L3 Authentication" on the controller

     

    (host) (config) #aaa authentication vpn default-iap

    (host) (VPN Authentication Profile "default-iap") #default-role iaprole 

     

    Screen Shot 2013-07-23 at 2.25.27 PM.png



  • 4.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 02:53 PM

    Seth, thank you, that's exactly what I was looking for.

    They don't have PEFV licenses, but I'll work on that.



  • 5.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 02:57 PM

    Yeah...so in order to alter the defailt IAP role, you will need the PEF-V.   EDITED>>>



  • 6.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 03:00 PM

    Yeah, licensing has been a real pain on this one.  It was sold to the customer with no licenses, because someone thought you don't need any licenses to set up IAP+VPN.  But then it was scoped to me as a RAP installation...

     

    so you're saying that with 30 IAP's, all I will need is 1x PEFV and 1xPEFNG ?  Not 30x each?



  • 7.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 03:10 PM

    EDITED FROM BEFORE!!!

    Couple of things.

     

    1. The PEFV license is a box license so think of it as a feature enablement license.  You would only need one.  

    2. The PEFNG license does not allow you to alter the default-vpn role that the IAPs are assigned

     

    In your situation, you will need 1 PEFV license per controller.  This will allow you to alter the default-vpn role or assign a different role in the controller where the IAPs are assigned when they connect their VPNs.  

     

    Technically, you were sold the solution correctly.  You do not need any licenses to terminate the IAPs to a controller.  A controller out of the box will allow you to configure itself as a VPN concentrator for the IAPs.  However, you need to source NAT RADIUS authentication traffic.  Therefore, you will need to create source NAT firewall rules which will require the PEFV license in order to enable that area of the controller's config and feature set.  

     

    Hopefully this made some sense!



  • 8.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 03:13 PM

    Ok, so in this case the controller is being used exclusively to terminate the IAP VPNs, so all I will need is the PEF-NG license, correct?



  • 9.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 03:15 PM

    No...you will need one PEF-V license in order to accomplish this.  

     

    I would get an eval license in place in the meantime so you can accomplish and test this in short order.  



  • 10.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 04:22 PM

    Hmmm... still not working.  I can see the IAP in the controller, and it is assigned to the iaprole, but still not getting through to the Radius server...



  • 11.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 04:27 PM

    You should start looking at the IAP config in the VPN settings.  Do you have Dynamic RADIUS proxy enabled in the admin screen?



  • 12.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 04:35 PM

    Yes, dynamic radius proxy is set.

     

    Also, VPN settings are pretty straightforward - IPSec, and routing is set to use the controller IP as the default gateway.

    The SSID VLAN is set to "statically assigned' and points to the client vlan 13, which is configured on the controller.

    I have a L2,Centralized DHCP scope set up, for VLAN13.  Enabled DHCP relay in that, pointing to their DHCP server IP.

     

     



  • 13.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 23, 2013 04:44 PM

    Any chance you can post the configs from both IAP and controller?  If you strip down the SSID to a PSK or open, does the VPn tunnel to HQ work?

     

    Also, the output of "show iap table long"



  • 14.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 24, 2013 08:14 AM

    To anyone reading this thread - I made some corrections in my licensing requirements for this scenario.  I had previously wrote that the PEFNG license would work for this situation.  However, I incorrectly stated that.  You require PEF-V license for anything related to changing the roles or policies for the IAPs.

     

    NOTE:  In most situations, using the VPN functionality with IAPs will not require ANY licenses.  



  • 15.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 24, 2013 08:55 AM

    Even when using open authentication, I still can't get into the corporate VLAN's.  So that's likely where the problem is.  Now I just need to find out why.  

    More info:  When connecting to the CorpNet-test WLAN, users should be placed into VLAN 13 which exists on their LAN.  The controller is configured for VLAN 13, and this works when using a RAP. 

     

    (Aruba3200) #show iap table long
    ^
    % Invalid input detected at '^' marker.

    (Aruba3200) #show iap table

    Branch Key Index Status Inner IP MAC Address Subnet
    ---------- ----- ------ -------- ----------- ------
    e08b7d4501281ae829dbae1edb29b03d8bac95cde9c74dd06a 1 UP 172.17.2.3 00:0b:86:8d:fd:ca
    7239dace01c6309af9eb7c81b8670a22f41b74651160d5a5a1 0 DOWN 0.0.0.0 00:0b:86:83:4a:4f

     

    The IAP config:

    --------------------

    version 6.2.1.0-3.3.0
    virtual-controller-country CA
    virtual-controller-key *
    name corp-Instant
    terminal-access
    clock timezone none 00 00
    rf-band all
    dynamic-radius-proxy

    allow-new-aps
    allowed-ap 00:0b:86:8d:fd:ca

    routing-profile
    route 10.10.0.0 255.255.0.0 10.10.0.230
    route 10.14.0.0 255.255.0.0 10.10.0.230
    route 10.13.0.0 255.255.0.0 10.10.0.230
    route 10.12.0.0 255.255.254.0 10.10.0.230


    arm
    wide-bands 5ghz
    min-tx-power 18
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode fair-access
    client-aware
    scanning

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

     

    vpn primary 207.164.26.155

    mgmt-user admin *

    wlan access-rule basic
    rule any any match any any any permit

    wlan access-rule corpNet-test
    rule any any match any any any permit

    wlan access-rule default_dev_rule
    rule any any match any any any permit

    wlan access-rule default_wired_port_profile
    rule any any match any any any permit

    wlan access-rule wired-instant
    rule 192.168.220.149 255.255.255.255 match tcp 80 80 permit
    rule 192.168.220.149 255.255.255.255 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan ssid-profile basic
    enable
    index 0
    type employee
    essid basic
    wpa-passphrase *
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan guest
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile corpNet-test
    enable
    index 1
    type employee
    essid corpNet-test
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 13
    auth-server corp-Radius
    rf-band all
    captive-portal disable
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter none
    blacklist
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24

     

    wlan auth-server corp-Radius
    ip 10.10.0.103
    port 1812
    acctport 1813
    key *

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"


    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids
    wireless-containment none

    ip dhcp Vlan13_DHCP
    server-type Centralized,L2
    server-vlan 13
    dhcp-relay
    dhcp-server 10.10.1.6

     

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x

    wired-port-profile wired-instant
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-instant
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180


    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay
    id _airplay._tcp
    id _raop._tcp

    airgroupservice airprint
    disable
    description AirPrint
    id _ipp._tcp
    id _pdl-datastream._tcp
    id _printer._tcp
    id _scanner._tcp
    id _universal._sub._ipp._tcp
    id _printer._sub._http._tcp
    id _http._tcp
    id _http-alt._tcp
    id _ipp-tls._tcp
    id _fax-ipp._tcp
    id _riousbprint._tcp
    id _cups._sub._ipp._tcp
    id _cups._sub._fax-ipp._tcp
    id _ica-networking._tcp
    id _ptp._tcp
    id _canon-bjnp1._tcp

     



  • 16.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 24, 2013 10:32 AM

    Finally got it all working. 

     

    1.  Added default route in the IAP VPN for all traffic to go to the Controller IP (0.0.0.0 0.0.0.0 10.10.0.230)

    2.  Removed the DHCP relay address from the IAP / DHCP server config.  It already exists on the VLAN on the controller, so this was causing confusion.

    3.  Set up src nat as described above.  Added a trial license for PEF-V for now.

    4.  Corrected a typo in the Radius server IP address on the IAP :s  

     

    Fun & good times :)

     

    Thanks for all the help!



  • 17.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 24, 2013 10:35 AM

    Great!  you saved me a few screen shots that I was just replying back with!  Glad it is working.  

     

    Keep in mind...if you don't want the PEFV license, you can add the L2TP Inner IP addresses from the pool (assigned to the IAPs) to the RADIUS server.  I believe that the IAS can accept a network as one NAS entry but I may be wrong.

     

    I know we can do that with ClearPass.



  • 18.  RE: Instant AP & EAP-TLS certificates

    Posted Jul 25, 2013 09:43 AM

    Yes, I could add the inner IP pool subnet as a Radius client, but there is no route to the inner pool from their network.   This customer does not want to change any routes on their network, hence the L2-centralized setup.