Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate based authentication on Controller

  • 1.  Certificate based authentication on Controller

    Posted Oct 12, 2015 04:56 AM

    Hi,

     

    I want to configure an SSID with a local check that the client certificate matches the local controller certificate. I'll list my steps here, because it didn't work :)

     

    6.4.3.3

     

    1) Create a Controller Cert with CSR

    2) Install Server and RootCA Cert

    3) Create L3 Dot1x Auth Profile (eap tls) and Ca-Cert and Server Cert checked in advanced (Termination)

    4) Create AAA Prof with 802.1x Authentication -> Step3 Profile  (Mac n/a, Servergroup n/a)

    5) Vap Profile with AAA using Step4

     

    On my Windows 8.1 client I created an SSID profile with the same settings as my other SSID with certificate (which sends RADIUS requests to an external AAA server), so I think that is not the problem.

     

    If I activate the security debug level I only see some cryptic stuff when I try to log in, but no really useful text...

     

    So is there anyone out there who has configured a local termination that is working? I checked the community but I didn't find any real guide or information on this issue.

     

    Thanks for feedback



  • 2.  RE: Certificate based authentication on Controller

    Posted Oct 12, 2015 05:40 AM

    Additional info:

    If I reconfigure an SSID with my AAA profile, it pops up with this error:

     

    Error processing command 'wlan virtual-ap "test111" ssid-profile "ssid_temp_Certtest"':Error: Server Group needs to be configured in dot1x/aaa profile "802.1x_Cert_Temp_Cert/AAA_Certificate" to support opmode "wpa2-aes" in ssid profile "ssid_temp_Certtest"

     

    Maybe this error explains my problem:

     

    A VAP profile with WPA2 needs a server group. But with local termination and TLS I don't have a server :-( If I create a local server group in the controller, it checks the certificate username against the local DB :-( But I only want a certificate check and not a username check... so maybe this is the point I am looking for.

     

    Thanks



  • 3.  RE: Certificate based authentication on Controller

    EMPLOYEE
    Posted Oct 12, 2015 07:17 AM

    You can create a server group that only has the internal database, but in the 802.1x profile, DO NOT enable "Check Certificate Common name against AAA server"  :  http://community.arubanetworks.com/t5/Controller-Based-WLANs/With-EAP-TLS-how-to-check-user-certificate-common-name-against/ta-p/215343

     

    The problem is that the WPA2-AES 802.1x setup requires that you put a radius server in the server group attached to the AAA profile, even if you don't use it.

     

    For your error messages, you should type "show auth-tracebuf" and see the radius messages going back and forth to see what could possibly be the problem.

     



  • 4.  RE: Certificate based authentication on Controller

    Posted Oct 12, 2015 08:17 AM

    Hi,

     

    I unchecked that AAA box (the last checkbox), thanks so far :), and entered a default AAA server in a server group, but it didn't work:

     

    Here is the output:

     

     

    Oct 12 14:07:15 station-up * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - - wpa2 aes
    Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
    Oct 12 14:07:15 eap-term-start -> 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - -
    Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
    Oct 12 14:07:15 eap-term-start -> 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - -
    Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
    Oct 12 14:07:15 station-tls-alert * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 48 2 failure
    Oct 12 14:07:15 station-term-end * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 1 - failure
    Oct 12 14:07:15 eap-failure <- 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - 4
    Oct 12 14:07:15 station-down * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - -

     

    So I currently have a machine certificate for my controller and a user cert on my notebook. As written above, the client works with Windows RADIUS AAA forwarding.

     

    Maybe I need a different Windows config with this local certificate?

     
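    The auth-tracebuf excerpt above is the useful part of the "cryptic" debug output. The following is an added example (not code from the thread or from HPE Aruba) that parses such lines per client MAC and reports the termination result and any TLS alert. It assumes the column layout visible in the excerpt: timestamp, event, direction, client MAC, BSSID with an optional /profile suffix, and trailing fields; for a station-tls-alert line it further assumes the two trailing numbers are the TLS alert description and level as defined in RFC 5246 (so "48 2" reads as a fatal unknown_ca alert). The sample lines are constructed from the post.

```python
"""Summarise an ArubaOS 'show auth-tracebuf' excerpt per client MAC.

Added example, not from the forum post or the vendor. Column meanings are an
assumption drawn from the pasted excerpt.
"""
import re
from collections import defaultdict

# Constructed sample: the lines the original poster pasted (abridged).
SAMPLE = """\
Oct 12 14:07:15 station-up * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - - wpa2 aes
Oct 12 14:07:15 station-term-start * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 10 -
Oct 12 14:07:15 eap-term-start -> 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - -
Oct 12 14:07:15 station-tls-alert * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 48 2 failure
Oct 12 14:07:15 station-term-end * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp 1 - failure
Oct 12 14:07:15 eap-failure <- 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60/802.1x_Cert_Temp - 4
Oct 12 14:07:15 station-down * 34:02:86:b4:91:b9 ac:a3:1e:ee:07:60 - -
"""

# TLS alert descriptions from RFC 5246 section 7.2 (certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
}
TLS_LEVELS = {1: "warning", 2: "fatal"}

# Assumed layout: timestamp, event, direction, client MAC, BSSID[/profile], rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d)\s+"
    r"(?P<event>\S+)\s+(?P<dir>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:/(?P<profile>\S+))?\s*"
    r"(?P<rest>.*)$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict of fields for one tracebuf line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["rest"] = rec["rest"].split()
    return rec


def summarize(text):
    """Per client MAC: the dot1x profile seen, TLS alerts raised, and the term-end result."""
    per_client = defaultdict(lambda: {"profile": None, "alerts": [], "result": "unknown"})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = per_client[rec["mac"]]
        if rec["profile"]:
            client["profile"] = rec["profile"]
        if rec["event"] == "station-tls-alert" and len(rec["rest"]) >= 2:
            code, level = int(rec["rest"][0]), int(rec["rest"][1])
            client["alerts"].append(
                (code, TLS_ALERTS.get(code, "unknown"), TLS_LEVELS.get(level, "?"))
            )
        elif rec["event"] == "station-term-end" and rec["rest"]:
            client["result"] = rec["rest"][-1]
    return dict(per_client)


def explain(summary):
    """One plain-text line per client, suitable for a quick read of the buffer."""
    lines = []
    for mac, c in summary.items():
        alerts = ", ".join(f"{code} {name} ({lvl})" for code, name, lvl in c["alerts"]) or "none"
        lines.append(f"{mac} profile={c['profile']} result={c['result']} tls-alerts={alerts}")
    return lines


if __name__ == "__main__":
    for line in explain(summarize(SAMPLE)):
        print(line)
```

    Run against a larger buffer, the summary isolates which clients fail at the TLS stage (certificate trust or type problems) versus which get a term-end failure without any alert (typically a policy or server-group issue), which is the split the thread is trying to make.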



  • 5.  RE: Certificate based authentication on Controller

    EMPLOYEE
    Posted Oct 12, 2015 09:39 AM
    Also, you need to create a client certificate to use for authentication. You can't use a server certificate for client auth.


    Thanks, 
    Tim


  • 6.  RE: Certificate based authentication on Controller

    Posted Oct 12, 2015 09:47 AM

    Good info... Checked the cert on the controller: only two attributes set and no Client Authentication... back to the CA admin :) Hope the new one works ^^



  • 7.  RE: Certificate based authentication on Controller

    EMPLOYEE
    Posted Oct 12, 2015 09:49 AM
    You'll still need the server certificate on the controller. The client certificate is installed on the device. 


    Thanks, 
    Tim


  • 8.  RE: Certificate based authentication on Controller

    Posted Oct 12, 2015 09:55 AM

    Sure, but I think my current one has no permission to check clients. I don't know which statement is needed here, but I think it doesn't work with only Digital Signature, Key Encipherment (a0) and Server Authentication (1.3.6.1.5.5.7.3.1) as Enhanced Key Usage.



  • 9.  RE: Certificate based authentication on Controller

    EMPLOYEE
    Posted Oct 12, 2015 09:57 AM
    Right. There are two certificates. The only one that will work on the client is a client certificate. It's a different type of cert that gets created.

    Thanks, 
    Tim


  • 10.  RE: Certificate based authentication on Controller

    Posted Oct 12, 2015 10:09 AM

    Hi, sorry, I have two different types: a client certificate with the Client-Auth usage set and a server cert without any Client-Auth. I think that's the reason why it doesn't work.

     

    If I get that running I will write a guide for other users :) I think no one has a complete step-by-step config for this situation. And given that the controller works with CRLs, Aruba needs a good guide :-)

     

    Back here when I've got my new controller cert (takes some days...)
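Posts 8 and 10 turn on which Extended Key Usage purposes a certificate carries: a certificate whose EKU lists only Server Authentication (1.3.6.1.5.5.7.3.1) is not a client certificate, whereas one that lists Client Authentication (id-kp-clientAuth, 1.3.6.1.5.5.7.3.2) is. The "a0" in post 8 is the keyUsage bit string (digitalSignature and keyEncipherment), a separate extension. The following is an added example, not code from the thread or from the vendor, that encodes and decodes the DER value of an extendedKeyUsage extension and reports whether it permits client authentication. The sample EKU values are constructed with the encoder in the file rather than taken from a real certificate; the DER value of a real certificate's EKU can be obtained with "openssl asn1parse" on the DER-encoded certificate.

```python
"""Encode/decode an X.509 extendedKeyUsage value and check it for clientAuth.

Added example, not from the forum thread. Works on the raw DER value of the
extension: SEQUENCE OF OBJECT IDENTIFIER (RFC 5280 section 4.2.1.12).
"""

# Well-known purposes (RFC 5280 section 4.2.1.12).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.3": "codeSigning",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
ANY_EKU = "2.5.29.37.0"


def _encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _encode_base128(n):
    """Base-128 arc encoding with continuation bits (OID sub-identifiers)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06) from dotted text, e.g. '1.3.6.1.5.5.7.3.2'."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        body += _encode_base128(arc)
    return b"\x06" + _encode_len(len(body)) + body


def encode_eku(oids):
    """DER SEQUENCE (tag 0x30) of OIDs: the value of an extendedKeyUsage extension."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value bytes, next position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted text from the content bytes of an OBJECT IDENTIFIER."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_eku(der):
    """List of dotted OIDs from a DER extendedKeyUsage value; rejects malformed input."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extendedKeyUsage value must be a single DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside extendedKeyUsage")
        oids.append(decode_oid(v))
    return oids


def describe(der):
    """Human-readable purpose names (unknown OIDs are returned as dotted text)."""
    return [EKU_NAMES.get(o, o) for o in decode_eku(der)]


def allows_client_auth(der):
    """True if the EKU lists id-kp-clientAuth or anyExtendedKeyUsage."""
    oids = set(decode_eku(der))
    return CLIENT_AUTH in oids or ANY_EKU in oids


if __name__ == "__main__":
    # Constructed samples: the controller cert from post 8, and a proper client cert.
    server_only = encode_eku(["1.3.6.1.5.5.7.3.1"])
    client_cert = encode_eku(["1.3.6.1.5.5.7.3.2"])
    for label, der in (("server cert", server_only), ("client cert", client_cert)):
        print(label, describe(der), "client auth ok:", allows_client_auth(der))
```

    Applied to the certificates in the thread, the server certificate decodes to ["serverAuth"] and fails the check, while a certificate issued from a client template decodes to ["clientAuth"] and passes; that is the difference post 10 describes between the two certificate types.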