Setting up IAP uplink dot1x

MVP Expert
Requirement:

•In 4.2.3.0, the IAP supports AP uplink dot1x: when the IAP boots up, it performs 802.1X authentication before it sends or receives any other traffic, such as DHCP.

•If the IAP cannot authenticate successfully within 1 minute, it initiates DHCP and all traffic directly.



Solution:

The IAP now supports authentication using PEAP or TLS. The credentials or certificates used to authenticate must be provisioned by the operator and stored in IAP flash in advance.

Configuration:

UI – Configuration

•System -> Uplink -> AP1X

 

"AP1X type" has 3 options: "PEAP", "TLS" and "None"; the default is "None".

Validate server: disabled by default.

 

UI – Per AP configuration

•Per AP edit -> Uplink -> PEAP User

 

 

The PEAP credentials are NULL by default.

 

•Per AP edit -> Uplink -> Upload New Certificate  

 

 

The URL can be tftp, ftp or http.

 

CLI Configuration:

 

ac:a3:1e:cd:47:b2 (config) # ap1x

peap    

tls

ac:a3:1e:cd:47:b2 (config) # ap1x peap

<cr>

validate-server

ac:a3:1e:cd:47:b2 (config) # ap1x tls user

<cr>

validate-server

ac:a3:1e:cd:47:b2 (config) # ap1x peap validate-server

ac:a3:1e:cd:47:b2 (config) # end

ac:a3:1e:cd:47:b2# commit apply

committing configuration...

configuration committed.

ac:a3:1e:cd:47:b2# show running-config | in ap1x

ap1x peap user validate-server

 

Note: This configuration needs a reload to take effect.

 

CLI – Per AP PEAP configuration

 

•If PEAP is chosen as the AP1X type, configure the PEAP credentials in ap-env.

 

ac:a3:1e:cd:47:b2# ap1x-peap-user

<ap1xuser>     MSCHAPv2 identity

ac:a3:1e:cd:47:b2# ap1x-peap-user aruba

<password>     MSCHAPv2 password

ac:a3:1e:cd:47:b2# ap1x-peap-user aruba aruba

 

ap-env

 

ac:a3:1e:cd:47:b2# show ap-env

Antenna Type:Internal

ap1xuser:aruba

ap1xpasswd:55ca6aac65a00c198d97bab619c2e6ba

 

This configuration needs a reload to take effect.

 

CLI – Per AP Certificate Upload

 

Download-cert:

 

download-cert 

ap1x <url> format pem [psk <psk>]

ap1xca <url> format pem

 

Copy:

 

copy tftp <ip-address> <filename> {ap1x {ca|cert} <password> format pem} format pem

Note: Both "download-cert" and "copy" can be used to upload the client certificate or the CA certificate.

 

 



Verification

Debug:

 

AP1x auth log during bootup

 

apdot1x authentication type is peap

trigger wpa_supplicant with configure file /aruba/ap1x/wpa.conf

checking the authentication result and will time out at most 1 min

[   43.748516] Kernel watchdog refresh ended on core 1.

[   43.800531] Kernel watchdog refresh ended on core 0.

ap1x authentication succeeded

Getting an IP address...

Jan  1 00:00:36 udhcpc[3158]: udhcpc (v0.9.9-pre) started

Jan  1 00:00:36 udhcpc[3158]: send_discover: pkt num 0, secs 0

 

show ap1x config ---> Shows the ap1x configuration currently in wpa_supplicant

 

ac:a3:1e:cd:47:b2# show ap1x config

#generated by rcS.fatap

ctrl_interface=/var/run/wpa_supplicant

ap_scan=0

eapol_version=1

fast_reauth=1


show ap1x status ----> Shows the current ap1x auth result


18:64:72:c6:ea:ec# show ap1x status 
ap1x:tls with validating server 
ap1x auth result:succeed


show ap1x debug-logs ----> Shows the ap1x debug logs from bootup

ac:a3:1e:cd:47:b2# show ap1x debug-logs
1970-01-01 00:00:32:apdot1x authentication type is peap
1970-01-01 00:00:32:trigger wpa_supplicant with configure file

 

show ap1xcert ----> Shows the current CA and client certificates on the IAP.


ac:a3:1e:cd:47:b2## show ap1xcert 


Current ap1x CA Certificate:
Version       :3
Serial Number :AB:C1:1E:06:77:69:20:4F
Issuer        :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Subject       :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Issued On     :Jan 26 08:48:16 2016 GMT
Expires On    :Jan 23 08:48:16 2026 GMT
Signed Using  :SHA1-RSA
RSA Key size  :2048 bits
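
The verification outputs above can be checked automatically. The following Python function is an added example, not part of the original article or of Aruba's software: it parses pasted output of "show running-config | in ap1x", "show ap1x status" and "show ap1xcert" in the formats shown above and reports missing server validation, a failed authentication (after which the IAP sends traffic directly), and weak or soon-to-expire certificates. The function name, the 90-day threshold and the reading of a missing ap1x line as type "None" are assumptions.

```python
import re
from datetime import datetime

def audit_ap1x(running_config, status, cert, now, min_days_left=90):
    """Return findings for one IAP from three pasted 'show' outputs."""
    findings = []

    # show running-config | in ap1x  ->  "ap1x peap user validate-server"
    # Assumption: no ap1x line at all means the AP1X type is "None".
    cfg = next((line.split() for line in running_config.splitlines()
                if line.strip().startswith("ap1x ")), None)
    if cfg is None:
        findings.append("AP1X type is None: uplink is not authenticated")
    elif "validate-server" not in cfg:
        findings.append(f"ap1x {cfg[1]}: validate-server is not enabled")

    # show ap1x status  ->  "ap1x auth result:succeed"
    result = re.search(r"ap1x auth result:[ \t]*(\S+)", status)
    if not result or result.group(1) != "succeed":
        findings.append("ap1x auth did not succeed: after the 1 minute "
                        "timeout the IAP sends DHCP and all traffic directly")

    # show ap1xcert  ->  "Field   :value" lines (one certificate per call)
    f = dict(re.findall(r"^([A-Za-z ]+?)[ \t]*:[ \t]*(.+?)[ \t]*$", cert, re.M))
    if "Expires On" in f:
        expires = datetime.strptime(f["Expires On"], "%b %d %H:%M:%S %Y GMT")
        days = (expires - now).days
        if days < min_days_left:
            findings.append(f"certificate has {days} days of validity left")
    weak_hash = f.get("Signed Using", "").upper().startswith(("SHA1", "MD5"))
    # A self-signed root is trusted by configuration, not by its signature.
    if weak_hash and f.get("Issuer") != f.get("Subject"):
        findings.append(f"certificate signed with {f['Signed Using']}")
    bits = re.match(r"\d+", f.get("RSA Key size", ""))
    if bits and int(bits.group()) < 2048:
        findings.append(f"RSA key is only {bits.group()} bits")
    return findings

# Certificate fields as printed by "show ap1xcert" on this page (excerpt).
SAMPLE_CERT = """Current ap1x CA Certificate:
Issuer        :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Subject       :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Expires On    :Jan 23 08:48:16 2026 GMT
Signed Using  :SHA1-RSA
RSA Key size  :2048 bits
"""

if __name__ == "__main__":  # constructed config: the page's line minus validate-server
    print(audit_ap1x("ap1x peap user", "ap1x auth result:succeed",
                     SAMPLE_CERT, datetime(2025, 12, 1)))
```

Any auth result other than "succeed" is treated as a failure, because the article does not show the string the IAP prints in that case.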


 

Version history: revision 2 of 2, last update 03-31-2019 10:26 AM