Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba controller -New certificate

  • 1.  Aruba controller -New certificate

    Posted May 10, 2018 09:24 AM
    Hi everybody,

    I have an issue when doing 802.1X auth with a new public certificate installed on the controller in PKCS12 format. The certificate was generated by a well-known public CA for my domain "www.mydomaine.com".

    The issue is that when I try to authenticate with dot1x auth I get an error that Windows can't verify the identity of the server.
    I have used AAA FastConnect and I configured the server certificate parameter.

    Thank you for your help.

    #AirheadsMobile
    #ALE


  • 2.  RE: Aruba controller -New certificate

    EMPLOYEE
    Posted May 10, 2018 10:09 AM

    1) You should be using a RADIUS server.

    2) This is a normal part of the process with unconfigured clients and legacy tunneled EAP methods like PEAP.



  • 3.  RE: Aruba controller -New certificate

    Posted May 13, 2018 08:58 AM

    Hello,

    1) Yes, I am using a RADIUS server for authentication, AAA FastConnect and PEAP authentication.

    2) The certificate installed on the controller was generated by a well-known CA, already installed on the PC, so the certificate should be verified by Windows?



  • 4.  RE: Aruba controller -New certificate

    MVP EXPERT
    Posted May 13, 2018 12:30 PM

    First, be sure you don't use wildcard certificates (*.domain.com). Some operating systems like Windows don't accept wildcard RADIUS certs.

    Second, when you use PEAP-MSCHAPv2, every first time the client has to trust the RADIUS server certificate, because the client doesn't ask for it like a web interface HTTP domain name request. The client doesn't expect the server certificate. Yes, it is valid by the external CA, but the client doesn't trust it on the first connection because it didn't ask for it.

    Third, PEAP-MSCHAPv2 is insecure when you don't strictly manage the endpoints. If a client can accept an unknown server certificate, the inner MSCHAPv2 hash can be drained into a hacker's hands. MSCHAPv2 can be easily decoded by a hacker to get your domain credentials.

    So please use EAP-TLS if at all possible, or strictly manage your endpoints by a GPO policy or MDM.
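
    The endpoint-side management described above, as an added example that is not part of the original post and not HPE Aruba code: a PowerShell script that audits an exported Windows WLAN profile for the PEAP server-validation settings which decide whether a user can ever be prompted to accept an unknown RADIUS server certificate (the prompt the first post ran into, and the click-through the post above warns about). The element names are those of Microsoft's PEAP connection-properties schema as they appear in `netsh wlan export profile` output; the SSID, the root-CA thumbprint and the embedded sample profile are constructed, and the sample is deliberately left with two weak settings (user prompt allowed, no server name pinned) so the script has something to report.

```powershell
# Added example, not from the thread and not HPE Aruba code: audit the PEAP server-validation
# settings of a Windows WLAN profile. Pass the file written by
#   netsh wlan export profile name="<SSID>" folder="C:\Temp"
# or run with no argument to audit the constructed sample profile embedded below.
param([string]$ProfileXmlPath)

function Get-LocalNode {
    # Find a descendant element by local name; the exported profile mixes several
    # Microsoft provisioning namespaces and we do not need to spell them all out.
    param([System.Xml.XmlNode]$Parent, [string]$Name)
    return $Parent.SelectSingleNode("descendant::*[local-name()='$Name']")
}

function Test-Flag {
    # True only when the element exists and reads 'true' (whitespace and case ignored).
    param([System.Xml.XmlNode]$Node)
    return ($null -ne $Node) -and ($Node.InnerText.Trim() -eq 'true')
}

function Test-PeapServerValidation {
    # Returns a list of findings; an empty list means the RADIUS server identity is pinned
    # and the user never sees the "can't verify the identity of the server" prompt.
    param([xml]$Profile)
    $findings = New-Object 'System.Collections.Generic.List[string]'

    $sv = $Profile.SelectSingleNode("//*[local-name()='ServerValidation']")
    if ($null -eq $sv) {
        $findings.Add('CRITICAL: no ServerValidation block; this is not a PEAP profile or it is malformed')
        return $findings
    }
    # PerformServerValidation is the "Verify the server's identity" checkbox (V2 extension).
    # Treating a missing element as 'false' is a conservative assumption of this script.
    if (-not (Test-Flag (Get-LocalNode $Profile 'PerformServerValidation'))) {
        $findings.Add('CRITICAL: PerformServerValidation is not true; any RADIUS server certificate is accepted')
    }
    if (-not (Test-Flag (Get-LocalNode $sv 'DisableUserPromptForServerValidation'))) {
        $findings.Add('HIGH: DisableUserPromptForServerValidation is not true; users can click through an untrusted server certificate')
    }
    $names = Get-LocalNode $sv 'ServerNames'
    if ($null -eq $names -or [string]::IsNullOrWhiteSpace($names.InnerText)) {
        $findings.Add('HIGH: ServerNames is empty; any certificate from a trusted root is accepted whatever name it carries')
    }
    $roots = Get-LocalNode $sv 'TrustedRootCA'
    if ($null -eq $roots -or [string]::IsNullOrWhiteSpace($roots.InnerText)) {
        $findings.Add('MEDIUM: TrustedRootCA is empty; every root in the machine store, i.e. every public CA, may sign the RADIUS server certificate')
    }
    return $findings
}

# Constructed sample, abbreviated to the EAP part of a real export. It validates the
# server and pins one (placeholder) root thumbprint, but still allows the user prompt
# and names no server, so the audit reports two findings.
$SampleProfile = @"
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
          <Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
              <ServerNames></ServerNames>
              <TrustedRootCA>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</TrustedRootCA>
            </ServerValidation>
            <PeapExtensions>
              <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"@

[xml]$doc = if ($ProfileXmlPath) { Get-Content -Path $ProfileXmlPath -Raw } else { $SampleProfile }
$result = Test-PeapServerValidation -Profile $doc
if ($result.Count -eq 0) { 'OK: RADIUS server identity is fully pinned' } else { $result }
```

    A profile pushed by GPO or MDM with all four checks passing never shows the "Windows can't verify the identity of the server" dialog: a server that does not present a certificate chaining to the pinned root and matching one of the pinned names simply fails, with no option for the user to accept it.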



  • 5.  RE: Aruba controller -New certificate

    EMPLOYEE
    Posted May 13, 2018 12:36 PM
    If you're using a RADIUS server, no EAP server certificate is needed on the controller.


  • 6.  RE: Aruba controller -New certificate

    MVP EXPERT
    Posted May 13, 2018 12:42 PM

    Cappalli is correct. The RADIUS server cert is only needed on the authentication server like ClearPass or MS NPS, not on the controller :)



  • 7.  RE: Aruba controller -New certificate

    Posted May 13, 2018 02:02 PM

    Thank you everybody.

    Just a last question: I don't understand why this configuration (AAA FastConnect with PEAP) had been working before the revocation of the securelogin.arubanetworks.com certificate.



  • 8.  RE: Aruba controller -New certificate

    EMPLOYEE
    Posted May 13, 2018 02:05 PM
    You should be terminating EAP on the RADIUS server, not the controller.

    AAA FastConnect is an old feature and shouldn't be used in most environments.