Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Instant and local EAP-TLS auth

  • 1.  Instant and local EAP-TLS auth

    Posted Dec 04, 2018 09:52 AM

    Hi guys,

    From various guidelines I see that an Instant AP can do local certificate authentication using its internal RADIUS server (I cannot use ClearPass or another external RADIUS server).

    My question is: can an Instant AP support more than one certificate at the same time for EAP-TLS? I'm thinking of the moment when I renew the certificate and install it on my devices: can I use two certificates (from the same CA) on the Instant at the same time to make the migration easier?

     

    thanks



  • 2.  RE: Instant and local EAP-TLS auth

    EMPLOYEE
    Posted Dec 04, 2018 09:55 AM
    You should never be using the same client certificate on more than one device.


  • 3.  RE: Instant and local EAP-TLS auth

    Posted Dec 05, 2018 02:49 AM

    Hi Tim,

    Thanks for the reply, but the customer needs to use only one certificate for some devices. In case of certificate expiration, can the Instant virtual controller store two certificates (made by the same internal CA) and work with both?



  • 4.  RE: Instant and local EAP-TLS auth

    EMPLOYEE
    Posted Dec 05, 2018 08:37 AM
    Instant doesn’t store the certificate, only the trust anchor.


  • 5.  RE: Instant and local EAP-TLS auth

    Posted Dec 05, 2018 08:47 AM

    Sorry, but I'm not an expert with certificates. What does "trust anchor" mean? Can Instant store two valid trust anchors?

     

    I'm referring to this article:

    https://community.arubanetworks.com/t5/Controllerless-Networks/IAP-with-local-EAP-TLS-SSID/m-p/255455

     

    I understand that Boneyard installed the server certificate and root CA on the Instant.



  • 6.  RE: Instant and local EAP-TLS auth

    EMPLOYEE
    Posted Dec 05, 2018 08:51 AM
    The server and client certificate are not necessarily related. At a bare minimum the root of the client cert needs to be trusted by the IAP. If both client certs are issued from the same root, they will both be valid.


  • 7.  RE: Instant and local EAP-TLS auth

    Posted Dec 05, 2018 08:54 AM

    Thanks for the explanation, but what about the possibility of having two valid certificates on the Instant to ease the authentication of clients during a certificate renewal?



  • 8.  RE: Instant and local EAP-TLS auth
    Best Answer

    Posted Dec 10, 2018 10:05 AM

    Hi guys,

    Our Aruba representative confirmed to us that an Aruba Instant cannot store two server certificates.

     

    bye all
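
Reply 6's point, that two client certificates issued from the same root both validate against a single trust anchor, can be reproduced with the openssl CLI. This is an added example, not part of the original thread and not Instant configuration; it shows generic X.509 chain validation, and all CA and client names in it are constructed.

```sh
#!/bin/sh
# Constructed demo: every name, subject and lifetime below is made up.
set -e
WORK=$(mktemp -d)

# make_ca NAME: self-signed root, playing the role of the trust anchor
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME DAYS: client certificate NAME signed by CA, valid for DAYS
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days "$3" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.pem" 2>/dev/null
}

# check ANCHOR CERT: print "valid" if CERT chains to ANCHOR, else "rejected"
check() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
  then echo valid
  else echo rejected
  fi
}

make_ca internal-root
make_ca other-root
issue internal-root client-old 30        # certificate close to expiry
issue internal-root client-renewed 365   # its replacement, same root
issue other-root client-foreign 365      # issued by an untrusted root

echo "client-old:     $(check internal-root client-old)"
echo "client-renewed: $(check internal-root client-renewed)"
echo "client-foreign: $(check internal-root client-foreign)"
```

The verifier in this demo holds only `internal-root.pem`; it never sees either client certificate in advance, which is why the old and renewed certificates are accepted side by side during the overlap.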