Controllerless Networks

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

802.1x using cert on iap 207

  • 1.  802.1x using cert on iap 207

    Posted Jun 27, 2020 11:54 AM

    Hi,

     

    we use 802.1x authentication on controller based setups without any issue.  The controller is the termination point here so the root cert is installed on the controller.

     

    We want to do the same on IAPs.  Is that supported?  It's not clear when viewing the Instant GUI.  It seems users need to be set up when using an internal server?

     

    I was trying to configure it anyway and check how far I got...  But when uploading the root cert in PEM format, I got:

    cert_upload_convert_cert_error_txt
     
    Nothing wrong with the PEM file, I can open it on a Mac without any problem.  Does anyone have an idea?


  • 2.  RE: 802.1x using cert on iap 207

    EMPLOYEE
    Posted Jun 27, 2020 08:04 PM

    Do you plan to use internal users with EAP-PEAP or do you plan to have users in Active Directory?



  • 3.  RE: 802.1x using cert on iap 207

    Posted Jun 29, 2020 03:31 AM

    The users are basically in AD.  What happens is a certificate is generated based on an AD ID.  This certificate is configured on the end user's device.

    The root certificate is installed on the Aruba controller.  So basically the authentication happens through the validation of the certificate.  The reason for the Aruba controller to terminate is because the controller is on a ship, and no NPS is available.  This works without any problem.  Question is: can we also configure this with an IAP?




  • 4.  RE: 802.1x using cert on iap 207

    EMPLOYEE
    Posted Jul 07, 2020 11:59 AM

    I just tested this in lab, and you can do EAP-TLS on just the Instant AP:

    - Upload the 'radius server certificate' as a Server certificate

    - Upload the root CA that issued the client certificates as 'Trusted CA'

     

    Then, under Certificate Usage, configure your server certificate as RADIUS - Server, and the Trusted CA as RADIUS Trusted CA (I missed the last one first and had to add it to make it work).

     

    Then configure the SSID for WPA2 Enterprise and the Internal database for Authentication. There is no need to create users, you will see the name of the client as username in the client list.

     

    Note that any client certificate issued by the Trusted CA is accepted for EAP-TLS.

    Note that there will also be no CRL/OCSP checking on the client certificate.
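
Added example (not part of the thread and not Aruba code): a shell sketch using openssl that shows the trust scope described in the two notes of post 4. Chain-only validation against one CA file accepts every client certificate that CA issued and rejects one issued by any other CA, with no revocation lookup. All CA names, subjects and file names are constructed, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Constructed demo: all names, subjects and files are made up for illustration.
set -eu

# Write a minimal openssl config so the demo does not rely on the system one.
write_cnf() {  # $1 = output path, $2 = common name
  printf '[req]\ndistinguished_name=dn\nx509_extensions=v3\nprompt=no\n' > "$1"
  printf '[dn]\nCN=%s\n[v3]\nbasicConstraints=critical,CA:TRUE\n' "$2" >> "$1"
}

# Create a self-signed root CA. $1 = path prefix, $2 = common name.
make_ca() {
  write_cnf "$1.cnf" "$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Issue a client cert. $1 = CA prefix, $2 = output prefix, $3 = common name.
issue_client() {
  write_cnf "$2.cnf" "$3"
  openssl req -new -newkey rsa:2048 -nodes -config "$2.cnf" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -set_serial "0x$(openssl rand -hex 8)" -days 1 -out "$2.pem" 2>/dev/null
}

# Chain-only validation against exactly one CA file; no CRL or OCSP lookup.
chains_to() {  # $1 = CA PEM, $2 = client cert PEM
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Pre-upload sanity check: file parses as a PEM certificate marked CA:TRUE.
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

demo() {
  d=$(mktemp -d)
  make_ca "$d/wifi" "Constructed Wi-Fi CA"
  make_ca "$d/other" "Constructed Other CA"
  issue_client "$d/wifi" "$d/alice" "alice"
  issue_client "$d/other" "$d/outsider" "outsider"
  for c in alice outsider; do
    if chains_to "$d/wifi.pem" "$d/$c.pem"; then r=accepted; else r=rejected; fi
    echo "$c: $r by chain validation against the Wi-Fi CA"
  done
  rm -rf "$d"
}
demo
```

Because the acceptance scope is the whole Trusted CA, issuing Wi-Fi client certificates from a CA dedicated to that purpose keeps certificates issued for other uses from chaining to it.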



  • 5.  RE: 802.1x using cert on iap 207

    EMPLOYEE
    Posted Jul 08, 2020 12:12 PM

    I recorded a video on how to set this up and posted that here.

     

    You can see there as well how to import the server certificate and root CA.