Frequent Contributor II

802.1x using cert on iap 207

Hi,

We use 802.1x authentication on controller-based setups without any issue. The controller is the termination point here, so the root cert is installed on the controller.

We want to do the same on IAPs. Is that supported? It's not clear when viewing the Instant GUI. It seems users need to be set up when using an internal server?

I was trying to configure it anyway to check how far I got... But when uploading the root cert in PEM format, I got:

cert_upload_convert_cert_error_txt
 
Nothing wrong with the PEM file, I can open it on a Mac without any problem. Anyone have an idea?
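Added example, not part of the thread and not Aruba tooling: a structural pre-upload check for a file meant to hold one PEM-encoded CA certificate, covering ways a file that opens in a desktop viewer can still fail a stricter parser. It does not establish the cause of the `cert_upload_convert_cert_error_txt` message above; `lint_pem`, `der_length_ok` and `SAMPLE` are names made up for this sketch.

```python
import base64
import re

# RFC 7468 textual encoding: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)
# Constructed sample: a 5-byte DER SEQUENCE in PEM armour, not a real certificate.
SAMPLE = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"


def der_length_ok(der: bytes) -> bool:
    """True if der is a single SEQUENCE whose length field covers the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form length
        return 2 + first == len(der)
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return 2 + n + int.from_bytes(der[2:2 + n], "big") == len(der)


def lint_pem(raw: bytes) -> list:
    """Structural findings for a file meant to hold exactly one CA certificate."""
    if raw[:2] == b"\x30\x82":             # start of a DER certificate (256..65535 bytes)
        return ["file is binary DER, not PEM text"]
    findings = []
    if raw.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 byte order mark before the BEGIN line")
    if b"\r\n" in raw:
        findings.append("CRLF line endings")
    blocks = PEM_BLOCK.findall(raw.decode("ascii", "replace"))
    labels = [label for label, _ in blocks]
    if labels.count("CERTIFICATE") != 1:
        findings.append("expected 1 CERTIFICATE block, found %d" % labels.count("CERTIFICATE"))
    for label, body in blocks:
        if label != "CERTIFICATE":         # e.g. a private key or TRUSTED CERTIFICATE
            findings.append("unexpected block: " + label)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            findings.append(label + ": body is not valid base64")
            continue
        if not der_length_ok(der):
            findings.append(label + ": DER length does not match payload")
    return findings

if __name__ == "__main__":
    print(lint_pem(SAMPLE) or "no structural problems found")
```

An empty list only means the armour and outer DER framing are intact; it says nothing about whether the certificate is a CA certificate or is trusted.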
Guru Elite

Re: 802.1x using cert on iap 207

Do you plan to use internal users with EAP-PEAP or do you plan to have users in Active Directory?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Frequent Contributor II

Re: 802.1x using cert on iap 207

The users are basically in AD. What happens is a certificate is generated based on an AD ID. This certificate is configured on the end user's device.

The root certificate is installed on the Aruba controller. So basically the authentication happens through the validation of the certificate. The reason for the Aruba controller to terminate is because the controller is on a ship, and no NPS is available. This works without any problem. Question is: can we also configure this with an IAP?

 

MVP Guru

Re: 802.1x using cert on iap 207

I just tested this in lab, and you can do EAP-TLS on just the Instant AP:

- Upload the 'radius server certificate' as a Server certificate

- Upload the root CA that issued the client certificates as 'Trusted CA'

 

Then, under Certificate Usage, configure your server certificate as RADIUS - Server, and the Trusted CA as RADIUS Trusted CA (I missed the last one first and had to add it to make it work).

 

Then configure the SSID for WPA2 Enterprise and the Internal database for Authentication. There is no need to create users, you will see the name of the client as username in the client list.

 

Note that any client certificate issued by the Trusted CA is accepted for EAP-TLS.

Note that there will also be no CRL/OCSP checking on the client certificate.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
MVP Guru

Re: 802.1x using cert on iap 207

I recorded a video on how to set this up and posted that here.

 

You can see there as well how to import the server certificate and root CA.
