Why am I not able to map a server certificate with a key length of 2048/4096 bits under the 802.1x profile of an AAA profile?
Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
We generate a CSR with a 2048-bit key and sign it with an OpenSSL-based PKI, which gives us a CA certificate and a server certificate. Both certificates upload to the controller without any problem.
However, when we create an AAA profile for EAP-TLS and select these same two certificates, the server certificate is rejected with the error message "only 1024 bits certificates are supported".
Why does the 802.1x AAA profile refuse to use a server certificate with a 2048-bit key?
The AAA profile rejects the server certificate because the controller cannot use a 2048-bit server certificate for EAP offload. A server certificate with a 2048-bit key therefore cannot be mapped to an AAA profile when EAP termination is enabled on the controller; in other words, the controller does not allow such a certificate to be associated with 802.1x for EAP termination.
So, if the WLAN uses EAP offload, the server certificate's key length cannot exceed 1024 bits.
This is by design and not a bug.
The Aruba data-path module is not designed to handle the authentication exchange with a server certificate whose key is 2048 bits long; it can handle client authentication only with a server certificate of 1024 bits or less. So whenever an attempt is made to map a certificate with a 2048-bit key to an AAA profile with EAP offload, the controller produces the error message above. In earlier versions of the code, the authentication simply failed without any error message being produced.
So, if a server certificate with a 2048-bit key cannot be mapped to a profile with EAP offload, why does the controller offer this option at all?
Currently, Aruba supports only a 1024-bit RSA key for 802.1x termination on the controller. However, Aruba supports 2048- and 4096-bit RSA server certificates for other features: site-to-site VPN, the captive portal server certificate, and the WebUI management interface server certificate. All of these are handled in the control plane rather than in the data path, which is where EAP offload is processed.
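The following script is an added example, not part of the original article or of ArubaOS: it checks a PEM certificate's RSA key length with the OpenSSL CLI before you try to map the certificate to an AAA profile with EAP termination, so the "only 1024 bits certificates are supported" rejection is caught on your workstation rather than on the controller. It assumes that `openssl` is installed; the function names (`cert_rsa_bits`, `eap_termination_ok`, `gen_test_cert`) are mine, the 1024-bit ceiling is the one the article describes, and the throwaway self-signed certificates are constructed locally for the dry run.

```shell
#!/bin/sh
# Added example (not from the original Aruba article): check the RSA key
# length of a PEM server certificate before mapping it to an AAA profile
# with EAP termination. Assumes the OpenSSL CLI is installed. The 1024-bit
# ceiling is the EAP-offload limit the article describes; the rejection
# text mirrors the controller's error message.

EAP_TERMINATION_MAX_RSA_BITS=1024

# Print the RSA key length (bits) of a PEM certificate, or nothing if the
# file is not a readable certificate with an RSA public key. Matches both
# OpenSSL 1.1 ("RSA Public-Key: (2048 bit)") and OpenSSL 3 ("Public-Key:
# (2048 bit)") output.
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' \
        | head -n 1
}

# Exit status 0: the certificate can be mapped to an AAA profile with EAP
# termination enabled (RSA key <= 1024 bits); 1: the controller would
# reject it; 2: the key length could not be determined.
eap_termination_ok() {
    cert=$1
    bits=$(cert_rsa_bits "$cert")
    if [ -z "$bits" ]; then
        echo "$cert: no RSA public key found (unreadable or non-RSA certificate)" >&2
        return 2
    fi
    if [ "$bits" -gt "$EAP_TERMINATION_MAX_RSA_BITS" ]; then
        echo "$cert: $bits-bit RSA key; the controller would reject it for EAP termination (only 1024 bits certificates are supported)" >&2
        return 1
    fi
    echo "$cert: $bits-bit RSA key; can be mapped to an AAA profile with EAP termination (note: below current RSA key-size recommendations)"
    return 0
}

# Constructed input for a local dry run: a throwaway self-signed certificate
# with the requested RSA key length, written to $2 (PEM); the matching
# private key is written next to it with a .key suffix.
gen_test_cert() {
    bits=$1
    out=$2
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 1 \
        -subj "/CN=eap-termination-test-$bits" \
        -keyout "${out%.pem}.key" -out "$out" >/dev/null 2>&1
}

# Usage: sh check_eap_cert.sh server.pem [more.pem ...]
# With no arguments, run a self-check on constructed 1024- and 2048-bit certificates.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do eap_termination_ok "$f" || echo "  -> exit status $?"; done
else
    dir=$(mktemp -d)
    gen_test_cert 1024 "$dir/server1024.pem"
    gen_test_cert 2048 "$dir/server2048.pem"
    eap_termination_ok "$dir/server1024.pem" || echo "  -> exit status $?"   # accepted
    eap_termination_ok "$dir/server2048.pem" || echo "  -> exit status $?"   # rejected, status 1
    rm -rf "$dir"
fi
```

Run it against the server certificate you intend to upload; a non-zero exit status means the 802.1x profile would refuse the mapping. Keep in mind that a 1024-bit RSA key is well below the key sizes recommended for new deployments, and that the ceiling only applies when EAP is terminated on the controller: if EAP is terminated on an external RADIUS server instead, the controller never uses the server certificate in the data path and this limit does not come into play.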