How to configure Aruba Service Assurance (Cape) EAP-TLS Configuration (MS AD CS)

Thought it would be useful to run through a quick "how-to" for getting the new Aruba Service Assurance Sensor (formerly Cape Networks) configured for EAP-TLS authentication.

 

https://capenetworks.com

 

The Aruba Service Assurance sensor is a cloud managed sensor that has the ability to test both internal and external applications from the point of view of the end user.

 

How to get a user certificate from MS Active Directory Certificate Services?

 

In order for your Service Assurance (SA) sensor to authenticate against a wireless network using EAP-TLS, you will need to obtain a valid certificate to use.

 

The following step-by-step guide is only meant to be used in a lab environment.  A production environment will probably look a bit different.

 

Note: I am assuming that you have a Microsoft AD server and Certificate Services installed, and you have added "Enrollment Agent" as a usable Certificate Template.


Now you will need to jump onto a domain-joined machine (i.e. the Domain Controller) and fire up the Microsoft Management Console (MMC): Start > Run > mmc.  Then add the Certificates snap-in for the local user.

 

From there, right-click on the "Personal" folder and request a new certificate.


Follow the wizard and check "Enrollment Agent".

 

Once you have completed the wizard, you can request the user certificate that we will install onto the SA sensor.  From the MMC console, right-click on "Certificates" under the "Personal" folder, and select "Enroll On Behalf Of...".

 


You will be requested to select the signing certificate.

You will now need to select "User" as the certificate type.

Now you can define the AD user that you would like to request a certificate for.  In this example, I am using an AD account with the name of "student".

 

 

Now that we have the user certificate, we need to export it.

We will be exporting with the private key included.

The certificate format that we are exporting in is ".PFX"; however, we are not including any of the options.

 

 

Now that we have a valid user certificate that was signed by our CA, we can configure the SA sensor.

 

In this example the wireless network that we are authenticating to is "corp" and the identity is "student".  

 

NOTE:  If installing a machine certificate onto the sensor, ensure that the Identity is in the following format: host/<username>.domain. An example of this would be host/sensor.802-eleven.com.


Now that we have configured the new wireless network for EAP-TLS authentication and installed a user certificate, our SA sensor will be able to authenticate and start testing the wireless network.

ACCX#1050 ACMP CWDP CWSP
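
A quick check of the exported .PFX before it is uploaded to the sensor, as an added example that is not part of the original post: it confirms the file carries the private key, the Client Authentication EKU and a current validity period, and shows the subject and UPN to compare against the Identity field. The file path, the function name `Test-EapTlsClientCert` and the assumption that the export was protected with a password are assumptions.

```powershell
# Added example (not from the original post): inspect an exported PFX.
param(
    # Hypothetical path; point this at the file written by the export wizard.
    [string]$PfxPath = 'C:\Temp\student.pfx'
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Test-EapTlsClientCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    # Collect the EKU OIDs; the list stays empty if the extension is absent.
    $ekuOids = @(
        $Cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
    )
    # UPN from the Subject Alternative Name, empty string if there is none.
    $upn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    $now = Get-Date
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Upn           = $upn
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuthEku = $ekuOids -contains $ClientAuthOid
        InValidity    = ($now -ge $Cert.NotBefore) -and ($now -le $Cert.NotAfter)
    }
}

# Assumes the export was protected with a password; it is read without echoing.
$password = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $password
try {
    $report = Test-EapTlsClientCert -Cert $cert
    $report | Format-List
    if (-not ($report.HasPrivateKey -and $report.ClientAuthEku -and $report.InValidity)) {
        Write-Warning 'The PFX failed at least one of the checks listed above.'
    }
}
finally {
    $cert.Reset()   # release the certificate and its temporary key handle
}
```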