Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

WPA2/3-Enterprise - Two different client certificates for two different SSIDs

  • 1.  WPA2/3-Enterprise - Two different client certificates for two different SSIDs

    Posted Aug 21, 2023 07:10 PM

    Hi All, 

    I've got a client that is looking for the below solution:

    SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

    SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

    SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

    Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use its own server certificate and CA for authentication, all within the same Central Group?


    Thank you



  • 2.  RE: WPA2/3-Enterprise - Two different client certificates for two different SSIDs
    Best Answer

    EMPLOYEE
    Posted Aug 22, 2023 08:47 AM

    What is the authentication server for SSID1?

    And are you using RadSec?

    Cloud Authentication and Policy uses RadSec for the communication with Central. If you change the RadSec CA or RadSec Client Cert, that communication will break and users cannot authenticate anymore. As of today you cannot have multiple RadSec Client or CA certificates on your APs or gateways.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

    EMPLOYEE
    Posted Aug 22, 2023 08:53 AM

    To add to that, RadSec is just for the communication between your controller/AP and your authentication servers (RADIUS/ClearPass/Cloud Auth/etc).

    You can have different server and client CAs, which are handled in the authentication server. But it seems like your issue is about the RADIUS/RadSec communication being broken to different servers.



    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------

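    The two replies above make a point worth seeing concretely: RadSec (RADIUS over TLS) is an ordinary TLS session between the AP and its authentication server, so each side validates the other's certificate against whatever CA it has been configured to trust. An AP that can hold only one RadSec CA will therefore accept a server certificate issued by that CA and reject one issued by a different CA, which is exactly the symptom in the thread (the cloud RADIUS provider's RadSec works, Central's Cloud Auth times out, or vice versa). The Go program below is an added example, not code from Aruba or from any poster; it builds two constructed in-memory CAs and two server certificates with hypothetical hostnames, then checks which servers an AP would trust with a single-CA trust store versus a store holding both CAs. It is an X.509 illustration of the limitation, not a RadSec client; the single-certificate-slot constraint itself is a platform property described in the replies, not something TLS imposes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issuer is a constructed in-memory CA standing in for one RadSec server's
// issuing CA. Names and hostnames below are hypothetical, not real providers'.
type issuer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func newIssuer(name string) (*issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &issuer{cert: cert, key: key}, nil
}

// issueServer signs a TLS server certificate for a RadSec endpoint name.
func (i *issuer) issueServer(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, i.cert, &key.PublicKey, i.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// trustedByAP reports whether an AP whose RadSec trust store holds exactly the
// given CA certificate(s) would accept this server certificate in the TLS handshake.
func trustedByAP(server *x509.Certificate, dnsName string, cas ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range cas {
		pool.AddCert(c)
	}
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dnsName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// Result records which of the two RadSec servers the AP accepts.
type Result struct {
	CloudRadiusOK bool // SSID-1: third-party cloud RADIUS provider
	CentralOK     bool // SSID-2: Central Cloud Auth / Cloud Guest
}

// Scenario reproduces the thread's situation with one CA configured (the
// provider's) and then with both CAs, returning the trust outcome for each.
func Scenario() (oneCA, bothCAs Result, err error) {
	providerCA, err := newIssuer("Constructed Cloud RADIUS CA")
	if err != nil {
		return
	}
	centralCA, err := newIssuer("Constructed Central Cloud Auth CA")
	if err != nil {
		return
	}
	const providerHost, centralHost = "radsec.provider.example", "cloudauth.central.example"
	providerSrv, err := providerCA.issueServer(providerHost)
	if err != nil {
		return
	}
	centralSrv, err := centralCA.issueServer(centralHost)
	if err != nil {
		return
	}
	oneCA = Result{
		CloudRadiusOK: trustedByAP(providerSrv, providerHost, providerCA.cert),
		CentralOK:     trustedByAP(centralSrv, centralHost, providerCA.cert),
	}
	bothCAs = Result{
		CloudRadiusOK: trustedByAP(providerSrv, providerHost, providerCA.cert, centralCA.cert),
		CentralOK:     trustedByAP(centralSrv, centralHost, providerCA.cert, centralCA.cert),
	}
	return
}

func main() {
	one, both, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("single CA  -> cloud RADIUS: %v, Central: %v\n", one.CloudRadiusOK, one.CentralOK)
	fmt.Printf("both CAs   -> cloud RADIUS: %v, Central: %v\n", both.CloudRadiusOK, both.CentralOK)
}
```

    With the provider's CA alone, only the provider's server verifies and the Central endpoint is rejected, which on the wire looks like the authentication timeout the original poster saw; with both CAs in the store, both verify. The same logic runs in the other direction: each RadSec server validates the AP's client certificate against its own CA list, so an AP that can present only one client certificate has to be enrolled under a CA that both servers trust, or it can only talk to one of them.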


  • 4.  RE: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

    Posted Aug 22, 2023 04:46 PM

    Thanks for the detailed response, Herman.

    Yes, we are using RadSec and the auth server will be a cloud-based RADIUS solution. I'll work with the team to come up with a new solution; I've got a few things in mind already, but they will require some labbing to validate.




  • 5.  RE: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

    Posted 14 days ago

    Is this related to the same issue I've seen when attempting to use RADSEC with SSID-1 and Aruba's Guest Captive Portal on SSID-2? 



    Regards, Mike 




  • 6.  RE: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

    EMPLOYEE
    Posted 13 days ago

    If you refer to RadSec to one RADIUS server for 802.1X and Cloud Guest (RadSec to the Central cloud), then that may be the case. If the RadSec is to the same server (same RadSec server certificate) it may not be related.

    What is the issue that you have?



    ------------------------------
    Herman Robers
    ------------------------
    ------------------------------



  • 7.  RE: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

    Posted 13 days ago

    We're seeing a lot of customer requests wanting to use RADIUS cloud providers for 802.1X; examples are https://www.radiusaas.com/ or https://www.securew2.com/

    radiusaas.com's configuration guide - https://docs.radiusaas.com/configuration/access-point-setup/radsec-available/aruba

    One recent customer has been using Aruba Central's Cloud Guest captive web portal for user registration for a while. Then they wanted to move from their internal RADIUS server to the cloud, using radiusaas.com. We're seeing a trend in the ANZ region to move away from data centres to the cloud; this is becoming more and more common.

    After installing the RadSec certificates as documented in radiusaas.com's guide for 802.1X on a LAB AP and getting their clients authenticating using 802.1X to radiusaas.com's service, we discovered that Aruba Central's Cloud Guest captive web portal wasn't authenticating users anymore.

    It would seem that if the customer requires RadSec to a cloud provider like radiusaas or securew2, they can't use either Aruba Central's Cloud Auth for BYOD devices or Aruba Central's Cloud Guest for guests.

    In this case the customer decided to change the guest wireless to a PSK and to continue with the cloud radius provider radiusaas. 

    We'd previously run into the same cloud RadSec issue when wanting to deploy both radiusaas.com's service and Aruba Central's Cloud Auth with Azure for BYOD users on AOS 8.

    I didn't expect it to be an issue with Aruba Central's Cloud Guest. I would have thought those services would have been independent from one another, and if it was going to be an issue I was kind of hoping it was fixed in AOS 10.

    Thanks for the confirmation, I'll advise our sales teams.