Requirement:
•In 4.2.3.0, IAP supports AP uplink dot1x: when the IAP boots up it performs 802.1X authentication before it sends or receives any other traffic, such as DHCP.
•If the IAP cannot successfully authenticate within 1 minute, it initiates DHCP and all other traffic directly.
Solution: IAP now supports authentication using PEAP or TLS. The credentials or certificates used to authenticate must be provisioned by the operator and stored in IAP flash in advance.
Configuration: UI – Configuration
•System -> Uplink -> AP1X
"AP1X type", 3 options: "PEAP", "TLS", "None"; "None" by default.
Validate server: disabled by default.
UI – Per AP configuration
•Per AP edit -> Uplink -> PEAP User
PEAP credentials are NULL by default.
•Per AP edit -> Uplink -> Upload New Certificate
URL can be tftp, ftp or http.
CLI Configuration:
ac:a3:1e:cd:47:b2 (config) # ap1x
peap
tls
ac:a3:1e:cd:47:b2 (config) # ap1x peap
<cr>
validate-server
ac:a3:1e:cd:47:b2 (config) # ap1x tls user
<cr>
validate-server
ac:a3:1e:cd:47:b2 (config) # ap1x peap validate-server
ac:a3:1e:cd:47:b2 (config) # end
ac:a3:1e:cd:47:b2# commit apply
committing configuration...
configuration committed.
ac:a3:1e:cd:47:b2# show running-config | in ap1x
ap1x peap user validate-server
Note: This configuration needs a reload to take effect.
CLI – Per AP PEAP configuration
•If PEAP is chosen as the AP1X type, configure the PEAP credentials in ap-env.
ac:a3:1e:cd:47:b2# ap1x-peap-user
<ap1xuser> MSCHAPv2 identity
ac:a3:1e:cd:47:b2# ap1x-peap-user aruba
<password> MSCHAPv2 password
ac:a3:1e:cd:47:b2# ap1x-peap-user aruba aruba
ap-env
ac:a3:1e:cd:47:b2# show ap-env
Antenna Type:Internal
ap1xuser:aruba
ap1xpasswd:55ca6aac65a00c198d97bab619c2e6ba
This configuration needs reload to take effect
CLI – Per AP Certificate Upload
Download cert:
download-cert
ap1x <url> format pem [psk <psk>]
ap1xca <url> format pem
Copy:
copy tftp <ip-address> <filename> {ap1x {ca|cert} <password> format pem} format pem
Note: Both "download-cert" and "copy" can be used to upload the client certificate or the CA certificate.
Verification/Debug:
AP1X auth log during bootup
apdot1x authentication type is peap
trigger wpa_supplicant with configure file /aruba/ap1x/wpa.conf
checking the authentication result and will time out at most 1 min
[ 43.748516] Kernel watchdog refresh ended on core 1.
[ 43.800531] Kernel watchdog refresh ended on core 0.
ap1x authentication succeeded
Getting an IP address...
Jan 1 00:00:36 udhcpc[3158]: udhcpc (v0.9.9-pre) started
Jan 1 00:00:36 udhcpc[3158]: send_discover: pkt num 0, secs 0
show ap1x config ---> shows the ap1x configuration currently passed to wpa_supplicant
ac:a3:1e:cd:47:b2# show ap1x config
#generated by rcS.fatap
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
eapol_version=1
fast_reauth=1
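To make the relationship between the AP1X settings above and the wpa_supplicant file shown by "show ap1x config" concrete, the following added example (not IAP code; the IAP generates /aruba/ap1x/wpa.conf itself via rcS.fatap) builds an equivalent wired-uplink supplicant configuration from the AP1X type, the validate-server flag and the ap-env credentials. The certificate paths, the Python parameter names and the warning texts are assumptions; the wpa_supplicant keys (key_mgmt, eap, identity, password, phase2, ca_cert, client_cert, private_key) are standard wpa_supplicant.conf keys. The point it makes visible is that without validate-server no ca_cert line is emitted, so the supplicant will complete PEAP or TLS against any authenticator that offers a certificate.

```python
"""Build a wpa_supplicant configuration for an AP uplink dot1x supplicant.

Added example, not the IAP's own generator. Global lines match the output of
"show ap1x config" on the page; certificate paths below are assumptions.
"""

# Global section as displayed by "show ap1x config".
HEADER = [
    "ctrl_interface=/var/run/wpa_supplicant",
    "ap_scan=0",          # wired uplink: the supplicant does not scan
    "eapol_version=1",
    "fast_reauth=1",
]

# Assumed on-flash locations of the uploaded certificates (not from the page).
CA_CERT = "/aruba/ap1x/ca.pem"        # uploaded with "download-cert ap1xca ..."
CLIENT_CERT = "/aruba/ap1x/cert.pem"  # uploaded with "download-cert ap1x ..."
CLIENT_KEY = "/aruba/ap1x/cert.pem"   # PEM bundle carrying cert and key


def _quote(value):
    """wpa_supplicant string values are double-quoted; reject characters that
    would break out of the quoted field (a supplicant config injection)."""
    if any(ch in value for ch in '"\n\r'):
        raise ValueError("illegal character in credential or path")
    return '"%s"' % value


def build_wpa_conf(ap1x_type, validate_server=False, user=None,
                   password=None, key_passwd=None):
    """Return (config_text, warnings) for the given AP1X settings.

    ap1x_type is "PEAP", "TLS" or "None" (the three UI options).
    An empty config means no supplicant is started (type None).
    """
    warnings = []
    if ap1x_type == "None":
        return "", warnings
    if ap1x_type not in ("PEAP", "TLS"):
        raise ValueError("unknown AP1X type: %r" % ap1x_type)

    net = ["key_mgmt=IEEE8021X", "eapol_flags=0"]  # wired 802.1X, no WPA keys
    if ap1x_type == "PEAP":
        if not user or not password:
            raise ValueError("PEAP needs ap1x-peap-user credentials in ap-env")
        net += [
            "eap=PEAP",
            "identity=" + _quote(user),
            "password=" + _quote(password),
            'phase2="auth=MSCHAPV2"',   # inner method named in the CLI help
        ]
    else:  # TLS
        net += [
            "eap=TLS",
            "client_cert=" + _quote(CLIENT_CERT),
            "private_key=" + _quote(CLIENT_KEY),
        ]
        if user:
            net.append("identity=" + _quote(user))
        if key_passwd:  # the "psk" given to download-cert protects the key
            net.append("private_key_passwd=" + _quote(key_passwd))

    if validate_server:
        net.append("ca_cert=" + _quote(CA_CERT))
    else:
        warnings.append(
            "validate-server is off: no ca_cert is configured, so the AP will "
            "authenticate to any authenticator presenting a certificate; for "
            "PEAP this exposes the MSCHAPv2 exchange to a rogue switch port")

    lines = ["#generated by rcS.fatap"] + HEADER + ["network={"]
    lines += ["\t" + item for item in net] + ["}"]
    return "\n".join(lines) + "\n", warnings


if __name__ == "__main__":
    conf, warns = build_wpa_conf("PEAP", validate_server=True,
                                 user="aruba", password="aruba")
    print(conf)
    for w in warns:
        print("WARNING:", w)
```

Run it with validate_server=False to see the warning the audit would raise; the generated text is what "show ap1x config" would display, with the network block appended to the four global lines.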
show ap1x status ----> shows the current ap1x auth result
18:64:72:c6:ea:ec# show ap1x status
ap1x:tls with validating server
ap1x auth result:succeed
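Because an AP that fails AP1X still brings up DHCP and all other traffic after the 1 minute timeout, "show ap1x status" is the output worth checking fleet-wide. The following added example (not IAP code) parses that two-line status for several APs and flags the two conditions an operator would want to know about: an auth result other than succeed, and a type configured without validate-server. The sample outputs are constructed; the "succeed" result and the "with validating server" suffix are taken from the page, while the failure result string ("failed") and the form of the line when validate-server is off are assumptions.

```python
"""Audit "show ap1x status" output collected from several IAPs.

Added example, not IAP code. Sample outputs below are constructed; the
"failed" result and the no-suffix form of the status line are assumptions.
"""
import re

# "ap1x:<type>" optionally followed by " with validating server"
STATUS_RE = re.compile(r"^ap1x:(?P<type>\w+)(?P<vs> with validating server)?$")
RESULT_RE = re.compile(r"^ap1x auth result:(?P<result>\w+)$")

# Constructed sample: AP name -> captured "show ap1x status" output.
SAMPLE_STATUS = {
    "ap-lobby": "ap1x:tls with validating server\nap1x auth result:succeed\n",
    "ap-warehouse": "ap1x:peap\nap1x auth result:failed\n",
    "ap-branch": "ap1x:peap with validating server\nap1x auth result:succeed\n",
    "ap-annex": "ap1x:tls\nap1x auth result:succeed\n",
}


def parse_ap1x_status(text):
    """Return {"type", "validate_server", "result"} parsed from the output."""
    info = {"type": None, "validate_server": False, "result": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            info["type"] = m.group("type")
            info["validate_server"] = m.group("vs") is not None
            continue
        m = RESULT_RE.match(line)
        if m:
            info["result"] = m.group("result")
    return info


def audit(fleet):
    """Return a sorted list of (ap_name, finding) for APs needing attention."""
    findings = []
    for name, text in fleet.items():
        info = parse_ap1x_status(text)
        if info["type"] is None:
            findings.append((name, "no ap1x status line; AP1X type may be None"))
            continue
        if info["result"] != "succeed":
            # Per the feature note, the AP proceeds to DHCP and all traffic
            # after 1 minute even when authentication did not succeed.
            findings.append((name, "auth result %s: uplink fell back to "
                                   "unauthenticated traffic after timeout"
                                   % info["result"]))
        if not info["validate_server"]:
            findings.append((name, "%s without validate-server: server "
                                   "certificate is not checked" % info["type"]))
    return sorted(findings)


if __name__ == "__main__":
    for ap, finding in audit(SAMPLE_STATUS):
        print("%-13s %s" % (ap, finding))
```

In practice the fleet dictionary would be filled from captured CLI sessions; the parser tolerates surrounding prompt lines because it only acts on the two lines it recognises.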
show ap1x debug-logs ----> shows the ap1x debug logs recorded during bootup
ac:a3:1e:cd:47:b2# show ap1x debug-logs
1970-01-01 00:00:32:apdot1x authentication type is peap
1970-01-01 00:00:32:trigger wpa_supplicant with configure file
show ap1xcert ----> shows the current CA and client certificate on the IAP.
ac:a3:1e:cd:47:b2# show ap1xcert
Current ap1x CA Certificate:
Version :3
Serial Number :AB:C1:1E:06:77:69:20:4F
Issuer :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Subject :/C=CN/ST=Beijing/O=Aruba Networks/O=an HP company/OU=Aruba Instant/CN=Feng Ding
Issued On :Jan 26 08:48:16 2016 GMT
Expires On :Jan 23 08:48:16 2026 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits