How to configure Aruba Service Assurance (Cape) EAP-TLS Configuration (MS AD CS)
12-07-2018 04:32 PM - edited 12-18-2018 04:02 AM
Thought it would be useful to run through a quick "how-to" for getting the new Aruba Service Assurance Sensor (formerly Cape Networks) configured for EAP-TLS authentication.
The Aruba Service Assurance sensor is a cloud-managed sensor that has the ability to test both internal and external applications from the point of view of the end user.
How to get a user certificate from MS Active Directory Certificate Services?
In order for your Service Assurance (SA) sensor to authenticate against a wireless network using EAP-TLS, you will need to obtain a valid certificate to use.
The following step-by-step guide is only meant to be used in a lab environment. A production environment will probably look a bit different.
Note: I am assuming that you have a Microsoft AD server and Certificate Services installed, and you have added "Enrollment Agent" as a usable Certificate Template.
Now you will need to jump onto a domain-joined machine (i.e. the Domain Controller) and fire up the Microsoft Management Console (MMC): Start > Run > mmc. Then add the Certificates snap-in for the local user.
From there, right-click on the "Personal" folder and request a new certificate.
Follow the wizard and check "Enrollment Agent".
Once you have completed the wizard you can now request the user certificate that we will install onto the SA sensor. From the MMC console, right click on "Certificates" under the "Personal" folder, and select "Enroll On Behalf Of...".
You will be requested to select the signing certificate.
You will now need to select "User" as the certificate type.
Now you can define the AD user that you would like to request a certificate for. In this example, I am using an AD account with the name of "student".
Now that we have the user certificate, we need to export it.
We will be exporting with the private key included.
The certificate format that we are exporting in is ".PFX"; however, we are not including any of the options.
Now that we have a valid user certificate that was signed by our CA, we can configure the SA sensor.
In this example the wireless network that we are authenticating to is "corp" and the identity is "student".
NOTE: If installing a machine certificate onto the sensor, ensure that the Identity is in the following format: host/<username>.domain. An example of this would be host/sensor.802-eleven.com.
Now that we have configured the new wireless network for EAP-TLS authentication and installed a user certificate, our SA sensor will be able to authenticate and start testing the wireless network.
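A check on the exported .PFX from the export step above, before it is installed on the sensor. This is an added example, not part of the original post. It confirms that the file carries the private key, the Client Authentication EKU and a current validity period, and prints the subject and SAN so they can be compared with the identity configured on the sensor. The file name student.pfx and the function name Test-EapTlsPfx are assumptions.

```powershell
# Added example (not from the original post).
# Assumed names: student.pfx and Test-EapTlsPfx are hypothetical.
function Test-EapTlsPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    # EphemeralKeySet keeps the private key in memory only, so inspecting the
    # file does not leave a key container behind (needs .NET Framework 4.7.2+).
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
    $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 (Resolve-Path $Path).Path, $Password, $flags)
    try {
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $now = Get-Date
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            SubjectAltName = if ($san) { $san.Format($false) } else { '' }
            HasPrivateKey  = $cert.HasPrivateKey
            # False when the EKU extension is missing or lacks client authentication.
            ClientAuthEku  = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $clientAuthOid))
            InValidity     = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
            NotAfter       = $cert.NotAfter
        }
    }
    finally {
        $cert.Dispose()   # release the in-memory key handle
    }
}

$result = Test-EapTlsPfx -Path .\student.pfx -Password (Read-Host 'PFX password' -AsSecureString)
$result | Format-List
if (-not ($result.HasPrivateKey -and $result.ClientAuthEku -and $result.InValidity)) {
    Write-Warning 'Check the fields above before installing this PFX on the sensor.'
}
```

The PFX holds the user's private key, so once it is installed on the sensor, remove the exported copy from the machine it was created on.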