Controllerless Networks


Terminate eap-tls on IAP?

  • 1.  Terminate eap-tls on IAP?

    Posted Jul 09, 2015 08:48 PM

    Is it possible to terminate eap-tls on an IAP's virtual controller like you can with a mobility controller, or is that not supported yet?

    Thanks in advance for any help!

  • 2.  RE: Terminate eap-tls on IAP?

    Posted Jul 09, 2015 08:57 PM

    I think I found the answer:

    Supported EAP Authentication Frameworks
    The following EAP authentication frameworks are supported in the Instant network:
    - EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.


  • 3.  RE: Terminate eap-tls on IAP?

    Posted Jul 10, 2015 04:08 AM

    Hi,

    Yes, it is supported, but with certain limitations.



  • 4.  RE: Terminate eap-tls on IAP?

    Posted Jul 10, 2015 11:19 AM
    What are the limitations?


  • 5.  RE: Terminate eap-tls on IAP?

    EMPLOYEE
    Posted Jul 10, 2015 11:26 AM

    I believe EAP-TLS on Instant requires an external RADIUS server.

    From the user guide:

    IAPs support EAP termination for enterprise WLAN SSIDs. The EAP termination can reduce the number of exchange packets between the IAP and the authentication servers.

    Instant allows Extensible Authentication Protocol (EAP) termination for Protected Extensible Authentication Protocol (PEAP)-Generic Token Card (PEAP-GTC) and Protected Extensible Authentication Protocol-Microsoft Challenge Authentication Protocol version 2 (PEAP-MSCHAPv2). PEAP-GTC termination allows authorization against a Lightweight Directory Access Protocol (LDAP) server and external RADIUS server, while PEAP-MSCHAPv2 allows authorization against an external RADIUS server.


  • 6.  RE: Terminate eap-tls on IAP?

    Posted Jul 10, 2015 01:20 PM

    I only need to authenticate using the cert - not cert plus username/password.  If the IAP controller can terminate EAP-TLS and do that part of the authentication, then I wouldn't see a need for an external auth server.  Theoretically, this should work, and I know it works on a mobility controller.

    Based on what I posted earlier, it sounds like it should work on an IAP.  I just wish I had one in front of me to test.

    EAP-TLS— The Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) method supports the termination of EAP-TLS security using the internal RADIUS server. EAP-TLS requires both server and certification authority (CA) certificates installed on the IAP. The client certificate is verified on the Virtual Controller (the client certificate must be signed by a known CA), before the username is verified on the authentication server.

    Since the client will be configured to pass the cert to the IAP, I don't see why it wouldn't be able to authenticate the cert without talking to an external RADIUS server and then allow the client on the network.  Again, I have this working on a mobility controller, so I assume there would be no technical reason why it wouldn't work, unless the IAPs are hard coded to only do EAP-TLS cert auth with RADIUS username/password auth following it.

    What do you think?



  • 7.  RE: Terminate eap-tls on IAP?

    Posted Jul 10, 2015 01:47 PM

    Hey - also, what if we were to point the RADIUS server to the internal RADIUS server?  Could we do it then?



  • 8.  RE: Terminate eap-tls on IAP?

    Posted Dec 30, 2015 01:04 PM

    For future reference, it is possible; the settings are discussed here:

    http://community.arubanetworks.com/t5/Aruba-Instant-Cloud-Wi-Fi/IAP-with-local-EAP-TLS-SSID/m-p/255467/

    You don't require an external (or internal) user database.



  • 9.  RE: Terminate eap-tls on IAP?

    Posted Jan 11, 2016 07:02 PM

    I need to auth TLS with LDAP on the back end.  So I need to terminate, then check the CN against my LDAP server.  I don't think that works still.

    I ended up going with a 7005 controller for this site.  It is about the same size/cost of an AP anyway, so no big deal.
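The user guide excerpt quoted in replies 2 and 6 describes a two-stage check: the Virtual Controller first verifies that the client certificate chains to a CA whose certificate is installed on the IAP, and only then is the username verified on an authentication server (the CN-against-LDAP lookup asked about in reply 9). The shell script below is an added example, not code from this thread, from Aruba, or from the IAP itself; it uses openssl to build a throwaway CA, issues client certificates, and models the two stages with a constructed text file standing in for the LDAP/RADIUS user database. The CA names, user names and directory file are all constructed for illustration, and the script generalises the guide's description to any client certificate, not just a particular one.

```shell
#!/bin/sh
# Added example (not from the thread or from Aruba): models the two checks the
# Instant user guide describes for terminated EAP-TLS.
#   stage 1: the client certificate must chain to a trusted CA (done on the VC)
#   stage 2: the certificate's identity (CN) must exist in a user directory
#            (what the external RADIUS/LDAP step provides)
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway PKI, constructed for the example: one trusted CA, one untrusted CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Rogue CA" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1

# issue_cert NAME CA_CRT CA_KEY: client certificate for user NAME signed by the given CA
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
}
issue_cert alice   "$WORK/ca.crt"    "$WORK/ca.key"     # trusted CA, known user
issue_cert bob     "$WORK/ca.crt"    "$WORK/ca.key"     # trusted CA, user not in directory
issue_cert mallory "$WORK/rogue.crt" "$WORK/rogue.key"  # untrusted CA

# Constructed stand-in for the LDAP/RADIUS user database: one username per line.
DIRECTORY="$WORK/users.txt"
printf 'alice\ncarol\n' > "$DIRECTORY"

# cert_chains_to_ca CERT: stage 1, the check the IAP does with the installed CA cert.
# Succeeds only if CERT was signed by the trusted CA and is within its validity period.
cert_chains_to_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# cert_cn CERT: the identity the backend is asked about, taken from the subject CN.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# user_in_directory CN: stage 2, the lookup an external server would do (exact match).
user_in_directory() {
  grep -qxF -- "$1" "$DIRECTORY"
}

# authorize CERT: prints ALLOW:<cn> or DENY:<reason>; exit status mirrors the decision.
# Stage 1 runs first, so a certificate from an unknown issuer never reaches the directory.
authorize() {
  if ! cert_chains_to_ca "$1"; then
    echo "DENY:untrusted-issuer"
    return 1
  fi
  cn=$(cert_cn "$1")
  if ! user_in_directory "$cn"; then
    echo "DENY:unknown-user:$cn"
    return 1
  fi
  echo "ALLOW:$cn"
}

authorize "$WORK/alice.crt"                # ALLOW:alice
authorize "$WORK/bob.crt"     || true      # DENY:unknown-user:bob
authorize "$WORK/mallory.crt" || true      # DENY:untrusted-issuer
```

The bob case is the one worth noticing: his certificate passes stage 1 because it was issued by the trusted CA, so a deployment that stops there (the no-user-database setup reply 8 describes) admits every certificate that CA has ever issued. Stage 2 is what ties a certificate to an account, which is why reply 9's CN-against-LDAP requirement matters when the CA also issues certificates to devices or people who should not be on that SSID.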