MVP Expert

Configuring Mobility Controller RADSEC

Hi,

I've been using RADSEC for a while in conjunction with FreeRadius or RadSecProxy and thought I'd try configuring it on a Mobility controller so ...

Have uploaded all the appropriate CA chains and server cert

Generated a client cert to use on the controller

Defined the shared key as being radsec

Created a RADIUS server and enabled RADSEC (incidentally, by default doesn't seem to let you specify a server cert from the GUI without doing some CLI stuff first)

Applied and saved the config .... and looking at the RADSEC server can't see any RADSEC tunnel establishment request attempts yet.

Haven't pointed any auths at the RADIUS server yet. Does the tunnel come up automagically or only after it sees an auth request for that RADIUS server (guess it'll be the latter)?

Any way of forcing a RADSEC tunnel establishment for testing?

A

Guru Elite

Re: Configuring Mobility Controller RADSEC

If it's configured correctly, it will come up immediately.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: Configuring Mobility Controller RADSEC

o.k. might be a firewall issue between the mobility controller and the RADSEC server, didn't want to play with ClearPass RADSEC at the same time, another unknown quantity

A

MVP Expert

Re: Configuring Mobility Controller RADSEC

o.k. firewall stopping things.... moved to new server

so I've got radsec.york.ac.uk on the controller defined as a server cert using a .p12 file called RADSECYork. I've also uploaded both the root and intermediate CA certs

From the command line I've typed

no radsec-trusted-cacert-name

and then typed

radsec-trusted-servercert-name RADSECYork

After which I get

Unknown Trusted Certificate. Please upload the certificate before configuring in the profile

but the cert is on the mobility controller

....

crypto-local pki ServerCert RADSECYork radsecyorkacuk.p12

......

Guru Elite

Re: Configuring Mobility Controller RADSEC

Upload the root CA that issued the RadSec server certificate. Don’t do individual servers.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Expert

Re: Configuring Mobility Controller RADSEC

Already there, both the root and intermediate in the CA chain

crypto-local pki TrustedCA UoYRoot UniversityofYorkRootCA2.cer
crypto-local pki IntermediateCA UoYIntermediate UniversityofYorkIntermediateCA2.cer

Mobility controller says cert CA is UoYIntermediateCA (see image)

Guru Elite

Re: Configuring Mobility Controller RADSEC

radsec-trusted-cacert-name <root CA for server cert>

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Expert

Re: Configuring Mobility Controller RADSEC

Running round in circles here

1). radsec.york.ac.uk installed on controller as a .p12 file without the CA chain

2). Root and intermediate certs installed on controller (PEM files)

In my RADIUS auth server I can specify the CA Root.

radsec-trusted-cacert-name uoyroot

If I then try and install the server I get a message

radsec-trusted-ca-cert-name is configured. Please unconfigure with "no radsec-trusted-ca-cert-name" and then configure "radsec-trusted-server-cert-name"

Note that this is wrong, it should be no radsec-trusted-cacert-name

If I then try installing the certificate radsec-trusted-server-cert-name radsecyorkacuk

I get the message Unknown Trusted Certificate. Please upload the certificate before configuring in the profile

But the cert is installed on the controller

This is on 6.5.4.8 BTW

Guru Elite

Re: Configuring Mobility Controller RADSEC

Please work with TAC. I’m getting confused by your order of operations here.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Expert

Re: Configuring Mobility Controller RADSEC

Yeah I'm running round in circles as well :-(