Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

How to add wildcard certificate into Aruba instant ?

  • 1.  How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 06:04 AM

     

    Hi All,

     

    I have Aruba instant 115 running on 6.3. I am using tacacs server for client authentication and currently it is pushing the certificate to the clients. 

     

    My problem,

     

    User/Client tries to connect to the SSID for the very first time and he gets a certificate warning popup, that it's an untrusted server. I would like to avoid this warning even for the very first time. I am thinking to upload a public signed wildcard certificate on the Aruba instant controller, please help me by suggesting the proper procedure to do this, and do you think doing this will resolve the warning problem?

     

    PS: No matter what I try this warning is never avoidable and it drives me crazy :( please help.

     

     



  • 2.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 07:59 AM
    Is this for the IAP captive portal ?


  • 3.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 08:10 AM

    Thanks for reply.

     

    I want to use this for WPA2-Enterprise authentication. If so, when a new user inside the domain tries to connect he shouldn't get any warning popups complaining about an untrusted source.

     

    Right now the certificate is pushed from tacacs and users always get a popup warning. Attached the warning message.

     

     



  • 4.  RE: How to add wildcard certificate into Aruba instant ?

    EMPLOYEE
    Posted Jun 19, 2014 08:12 AM
    You should not use a wildcard cert for RADIUS.


  • 5.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 08:40 AM

     

     

    I may sound ridiculous, but does that mean if I am using an external RADIUS server for authentication the certificate should/will always come from the RADIUS server and Aruba instant would not come into the picture?

     

    I mean in this scenario I cannot have Aruba to deliver certs in any case?



  • 6.  RE: How to add wildcard certificate into Aruba instant ?

    EMPLOYEE
    Posted Jun 19, 2014 08:49 AM

    So are you using an external RADIUS or are you terminating on the Instant cluster?



  • 7.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 08:56 AM

    Hi cappalli,

     

    Yes, I am using external RADIUS (tacacs) for authentication and currently the certificate to the clients is coming from tacacs. I have not set up to terminate EAP on Aruba at the moment.

     

    Attached the screenshot of my config. 



  • 8.  RE: How to add wildcard certificate into Aruba instant ?

    EMPLOYEE
    Posted Jun 19, 2014 09:07 AM

    OK, so you are using your TACACS server for user authentication on top of management authentication?

    If the IAP is set to use your TACACS servers for authentication, this is where the EAP certificate will come from.

     

    I guess the question is: What is your ideal setup?

     

    Thanks



  • 9.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 09:32 AM

    My question is how to get rid of the warning message coming up on the client machine while connecting to wireless?

     

    I have a self-signed cert coming from tacacs which comes up with the warning. I would like to not change the certificate on the tacacs server.

     

    Is there anything I can do on Aruba so it can send the certificate to the clients? And maybe I use a public wildcard cert on Aruba so clients don't get the popup warning?



  • 10.  RE: How to add wildcard certificate into Aruba instant ?

    EMPLOYEE
    Posted Jun 19, 2014 09:34 AM
    No, this is a normal part of the EAP authentication process. Unless you preconfigure all of your clients (manually, using group policy, or using a supplicant configuration utility like QuickConnect), the user will be presented with a message asking them if they trust the certificate.


  • 11.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jun 19, 2014 10:39 AM

    Ok, I think I understand what you mean. No matter what, if the client doesn't have the CA cert already installed it always prompts the warning. Right?

     

    One last question: For what different purposes can we use the Maintenance->Certificate window?

     

    Like if I upload a CA cert here, with the config on the SSID can I make Aruba send out the cert instead of tacacs?

     

     

     



  • 12.  RE: How to add wildcard certificate into Aruba instant ?

    Posted Jul 02, 2014 12:55 AM

    Tim, if the cert coming from the tacacs server wasn't self-signed, but instead came from a recognized source, will a Windows client still get prompted to accept a cert coming from the tacacs server?

     



  • 13.  RE: How to add wildcard certificate into Aruba instant ?

    EMPLOYEE
    Posted Jul 02, 2014 07:00 AM
    If the client isn't preconfigured, yes.
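
Added example, not part of any post in this thread: replies 10 and 13 say the trust prompt only goes away when the client is preconfigured. For a Linux client running wpa_supplicant (an assumption; the thread's clients are Windows), the second profile below is that preconfiguration, shown beside a profile that does not validate the server. The SSID, identities, CA file path and server name are hypothetical placeholders.

```conf
# wpa_supplicant.conf (constructed sample values throughout)

# Profile 1: no server validation.
# With no ca_cert (or ca_path) set, wpa_supplicant does not verify the
# authentication server's certificate, so any server that answers for
# this SSID is accepted and the inner credentials are sent to it.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    phase2="auth=MSCHAPV2"
}

# Profile 2: preconfigured trust.
# The client is told in advance which CA must have issued the
# authentication server's certificate and which server name the
# certificate must carry. No trust decision is left to the user.
network={
    ssid="ExampleCorp"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.com"
    # Outer identity sent in the clear before the TLS tunnel is up.
    anonymous_identity="anonymous@example.com"
    # CA that issued the authentication server's certificate
    # (hypothetical path). For a self-signed server certificate this
    # is the certificate itself.
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    # The server certificate's dNSName must match this name
    # (hypothetical host name).
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

The password is left out of both profiles on purpose; it is supplied through whatever credential mechanism the client uses. The settings in the second profile correspond to what group policy or a supplicant configuration utility pushes to managed Windows clients.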