Controllerless Networks

Occasional Contributor II

Instant and local EAP-TLS auth

Hi guys,

From various guidelines I see that an Instant AP can do local certificate authentication using its internal RADIUS server (I cannot use ClearPass or another external RADIUS server).

My question is: can an Instant AP support more than one certificate at the same time for EAP-TLS? I'm thinking of the moment when I renew the certificate and install it on my devices: can I use two certificates (from the same CA) on the Instant at the same time to make the migration easier?

Thanks

Guru Elite

Re: Instant and local EAP-TLS auth

You should never be using the same client certificate on more than one device.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Instant and local EAP-TLS auth

Hi Tim,

Thanks for the reply, but the customer needs to use only one certificate for some devices. In case of certificate expiration, can the Instant virtual controller store two certificates (made by the same internal CA) and work with both?

Guru Elite

Re: Instant and local EAP-TLS auth

Instant doesn’t store the certificate, only the trust anchor.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Instant and local EAP-TLS auth

Sorry, but I'm not an expert with certificates. What does "trust anchor" mean? Can Instant store two valid trust anchors?

I'm referring to this article:

https://community.arubanetworks.com/t5/Controllerless-Networks/IAP-with-local-EAP-TLS-SSID/m-p/255455

I understand that Boneyard installed the server certificate and root CA on the Instant.

Guru Elite

Re: Instant and local EAP-TLS auth

The server and client certificate are not necessarily related. At a bare minimum the root of the client cert needs to be trusted by the IAP. If both client certs are issued from the same root, they will both be valid.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

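
The trust-anchor behaviour described in the reply above, as an added example that is not part of the original thread: two client certificates issued from the same root both validate against that root, and neither validates against an unrelated root. OpenSSL's chain verification stands in for the authenticator here; it does not model Aruba Instant configuration, and all names and files are constructed.

```shell
#!/bin/sh
# Added example with constructed data: every subject and file name is hypothetical.
# openssl's path validation stands in for the authenticator's trust-anchor check.

# Minimal config so the demo does not depend on the system openssl.cnf.
write_conf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_root DIR CN: create a self-signed root CA (key and certificate) in DIR.
make_root() {
    mkdir -p "$1" && write_conf "$1/openssl.cnf" &&
    openssl req -x509 -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -days 30 -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# issue_client CADIR NAME: issue a client certificate signed by the root in CADIR.
issue_client() {
    openssl req -new -config "$1/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/$2.pem" 2>/dev/null
}

# trusted ANCHOR CERT: succeeds only if CERT chains to the given trust anchor.
trusted() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
    work=$(mktemp -d) || return 1
    a="$work/root-a"; b="$work/root-b"
    make_root "$a" demo-root-a && make_root "$b" demo-root-b &&
    issue_client "$a" client-old && issue_client "$a" client-new || return 1
    for c in client-old client-new; do
        trusted "$a/ca.pem" "$a/$c.pem" && echo "$c: accepted under root-a"
        trusted "$b/ca.pem" "$a/$c.pem" || echo "$c: rejected under root-b"
    done
    rm -rf "$work"
}
demo
```
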
Occasional Contributor II

Re: Instant and local EAP-TLS auth

Thanks for the explanation, but what about the possibility of having two valid certificates on the Instant to ease client authentication during a certificate renewal?

Occasional Contributor II

Re: Instant and local EAP-TLS auth

Hi guys,

Our Aruba representative confirmed to us that an Aruba Instant cannot store two server certificates.

Bye all
