Controllerless Networks


IAP and different dot1x auth on different ssids

  • 1.  IAP and different dot1x auth on different ssids

    EMPLOYEE
    Posted Dec 21, 2012 08:35 AM

    Hi,

     

    I know the user guide says

     

    Server Cert = TLS

    CA & Server cert = EAP + TTLS

     

    but is it possible to have TLS on one ssid and TTLS on another?

     

    What exactly do I need to upload for EAP-PEAP (MSCHAPv2).  It is mentioned in the User Guide, but doesn't make clear exactly what is needed to have that method.

     

    Thanks



  • 2.  RE: IAP and different dot1x auth on different ssids

    EMPLOYEE
    Posted Dec 21, 2012 08:45 AM

    @Michael_Clarke wrote:

    but is it possible to have TLS on one ssid and TTLS on another?

    What exactly do I need to upload for EAP-PEAP (MSCHAPv2).


    If you just have the Certificate on the Radius Server, you do not need to upload ANYTHING to Instant.

     

    You can have TLS on one SSID and TTLS on another if you do what I mentioned above.

     



  • 3.  RE: IAP and different dot1x auth on different ssids

    EMPLOYEE
    Posted Dec 21, 2012 08:58 AM

    Thanks Colin,

     

    This certificate stuff always confuses me, but


    @cjoseph wrote:

    If you just have the Certificate on the Radius Server, you do not need to upload ANYTHING to Instant.

    What about EAP-PEAP?

    What about the CA Cert, do I need that?

     

    So with nothing uploaded, a client from a controller site can turn up at this instant site and connect without doing anything to their settings?  Obviously same ssid, radius server etc.

     

    Thanks

     

     



  • 4.  RE: IAP and different dot1x auth on different ssids

    Posted Dec 21, 2012 09:04 AM

    To clarify the three options you presented:

     

    PEAP-MSCHAPv2 - Certificate on RADIUS server only

    EAP-TLS - Certificate on RADIUS Server and Client

    EAP-TTLS - Certificate on RADIUS Server only; similar to PEAP (EAP-TTLS is not supported on Windows XP or 7 without an additional supplicant, Microsoft has added it in Windows 8)

     

    On the IAP (or controller if it is controller based), the SSID is set up as WPA2-Enterprise; the authentication types are not relevant (unless terminating the tunnel). The RADIUS server is the one that will determine who has access based on policies and supported authentication types: EAP-TTLS, EAP-TLS, etc.

     

    You may need to setup multiple RADIUS server entries with differing NAS Identifiers for each SSID to differentiate the request coming from the IAPs.....that way the RADIUS server can determine which SSID the client is connecting from.   If you have ClearPass or another RADIUS server that can import Aruba VSAs, you can use the Aruba-Essid-Name attribute to see the SSID name in the RADIUS request.
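The post above describes the server-side half of the picture: the IAP just relays EAP inside RADIUS, and the RADIUS server decides which EAP method is acceptable per SSID, identifying the SSID either from the Aruba-Essid-Name VSA or from a per-SSID NAS-Identifier. The following is an added example, not code from the thread, from Aruba or from ClearPass, that shows that decision logic over a constructed Access-Request. The Aruba enterprise number (14823) and the Aruba-Essid-Name attribute number (5) are the values in the public Aruba RADIUS dictionary; the SSID names, the NAS-Identifier mapping, the policy table and the sample packets are constructed for this example.

```python
"""Per-SSID EAP method policy on the RADIUS side (added example, constructed data)."""
import struct

# Standard RADIUS attribute numbers (RFC 2865 / RFC 3579)
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32
ATTR_EAP_MESSAGE = 79

ARUBA_VENDOR_ID = 14823   # IANA enterprise number for Aruba Networks
ARUBA_ESSID_NAME = 5      # Aruba-Essid-Name in the Aruba RADIUS dictionary

# EAP type codes (RFC 3748 and IANA EAP registry)
EAP_IDENTITY, EAP_NAK = 1, 3
EAP_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

# Constructed policy: outer EAP method(s) each SSID may use.
SSID_POLICY = {
    "corp-tls": {"EAP-TLS"},
    "corp-byod": {"PEAP", "EAP-TTLS"},
}
# Constructed fallback for a NAS that sends no Aruba VSA: one RADIUS client
# entry per SSID, told apart by NAS-Identifier.
NAS_ID_TO_SSID = {"iap-corp-tls": "corp-tls", "iap-corp-byod": "corp-byod"}


def _tlvs(buf, start=0):
    """Walk RADIUS-style TLVs: 1-byte type, 1-byte length (header included), value."""
    pos = start
    while pos + 2 <= len(buf):
        t, l = buf[pos], buf[pos + 1]
        if l < 2 or pos + l > len(buf):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield t, buf[pos + 2:pos + l]
        pos += l


def parse_access_request(packet):
    """Return the attribute list of a RADIUS packet after basic length checks."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    return list(_tlvs(packet, 20))


def essid_of(attrs):
    """SSID from Aruba-Essid-Name if present, else via the NAS-Identifier mapping."""
    for t, v in attrs:
        if t == ATTR_VENDOR_SPECIFIC and len(v) >= 6 \
                and struct.unpack("!I", v[:4])[0] == ARUBA_VENDOR_ID:
            for vt, vv in _tlvs(v, 4):
                if vt == ARUBA_ESSID_NAME:
                    return vv.decode("utf-8", "replace")
    for t, v in attrs:
        if t == ATTR_NAS_IDENTIFIER:
            return NAS_ID_TO_SSID.get(v.decode("utf-8", "replace"))
    return None


def eap_method_of(attrs):
    """Outer EAP method in the client's response, or None before one is chosen.
    EAP-Message may be split across several attributes; they concatenate in order."""
    eap = b"".join(v for t, v in attrs if t == ATTR_EAP_MESSAGE)
    if len(eap) < 5:
        return None
    eap_type = eap[4]
    if eap_type in (EAP_IDENTITY, EAP_NAK):
        return None
    return EAP_METHODS.get(eap_type, "EAP-type-%d" % eap_type)


def evaluate(packet):
    """Return (ssid, method, permitted). The IAP only relays; this is the server's call."""
    attrs = parse_access_request(packet)
    ssid = essid_of(attrs)
    method = eap_method_of(attrs)
    allowed = SSID_POLICY.get(ssid, set())
    if method is None:
        # Identity phase: keep going only if the SSID is one we have a policy for.
        return ssid, None, bool(allowed)
    return ssid, method, method in allowed


def build_access_request(eap_type, nas_id=None, essid=None, ident=7):
    """Constructed Access-Request for testing (zero authenticator, no Message-Authenticator)."""
    attrs = b""
    if nas_id is not None:
        v = nas_id.encode()
        attrs += bytes([ATTR_NAS_IDENTIFIER, 2 + len(v)]) + v
    if essid is not None:
        v = essid.encode()
        vsa = struct.pack("!I", ARUBA_VENDOR_ID) + bytes([ARUBA_ESSID_NAME, 2 + len(v)]) + v
        attrs += bytes([ATTR_VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    eap = struct.pack("!BBH", 2, ident, 5) + bytes([eap_type])   # EAP Response, type only
    attrs += bytes([ATTR_EAP_MESSAGE, 2 + len(eap)]) + eap
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


if __name__ == "__main__":
    print(evaluate(build_access_request(13, essid="corp-tls")))        # EAP-TLS on the TLS SSID
    print(evaluate(build_access_request(25, essid="corp-tls")))        # PEAP on the TLS SSID: refused
    print(evaluate(build_access_request(21, nas_id="iap-corp-byod")))  # VSA absent, NAS-Id fallback
```

The point the example makes is that nothing here runs on the IAP: the SSID is read out of the request (VSA first, NAS-Identifier as a fallback), and the EAP method the client answers with is checked against a per-SSID list, so TLS on one SSID and TTLS or PEAP on another is entirely a RADIUS policy. A real deployment would additionally verify the Message-Authenticator and shared secret before trusting any attribute.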



  • 5.  RE: IAP and different dot1x auth on different ssids

    EMPLOYEE
    Posted Dec 21, 2012 09:14 AM

    yep, think I got it.

     

    If only Colin's statement "If you just have the Certificate on the Radius Server, you do not need to upload ANYTHING to Instant." was actually in the User Guide.

     

    Thanks again.

     

    :-)



  • 6.  RE: IAP and different dot1x auth on different ssids

    EMPLOYEE
    Posted Dec 21, 2012 09:28 AM
    Michael,

    In general you do not have to upload anything to any NAS device like a controller or IAP that sits between a client and a radius server. EAP types are configured on the radius server and the client. The NAS device in general is just a gatekeeper that allows the client on the network after a positive response from a radius server.

    There are ways and reasons to upload a certificate to a controller or IAP for 802.1x but they are purely optional.