Moderator

Re: EAP-TLS Authentication

You shouldn't require xSec enabled on the Aruba controller. The EAP method will be negotiated directly between the client supplicant and the RADIUS server based on the RADIUS destination you have configured.

Occasional Contributor II

Re: EAP-TLS Authentication

I was just informed we also need to use xSec since it supports FIPS 140-2 encryption..

I just read online that 802.11i is also FIPS 140-2 compliant.. this to me means WPA2 is compliant?

Edit: I think I figured out the problem.. I need to add the root CA cert to the clients.. I'll try this out tomorrow when I get to work.

Occasional Contributor II

Re: EAP-TLS Authentication

Well, it seems there is either an issue with my Aruba config or my RADIUS config..

When I use the test AAA server function everything works, which makes me think the RADIUS config is good.. However, when I attempt to authenticate via Wi-Fi, the RADIUS logs the attempted username as the MAC address of the client. There is no account built with those credentials, so it will not work..

Any ideas why my MAC address is being passed as my username?

I have attached the log file from the RADIUS so you can see when it authenticates via the AAA test and then the attempts via several clients with the MAC address being passed.

I had to convert it to Word so I could attach it.


Occasional Contributor II

Re: EAP-TLS Authentication

I am finally making progress.. I was able to get the RADIUS to authenticate the client's username / password (PEAP).. I am terminating the EAP at the controller but the authentication is still being done on the RADIUS. I switched over to using EAP-TLS since that is my end requirement..

I exported the root CA using the web enrollment page.

I created user certs using the web enrollment page.

I am having a hard time with the server cert, since I am using an enterprise CA. I went to the web enrollment form, clicked Advanced, then pasted the CSR into the box.. the only problem was there was no option for a server cert. How do I create this??


thanks for the help

Moderator

Re: EAP-TLS Authentication

If you don't have access to the certificate templates when using the web enrollment, make sure you are authenticated successfully to the domain and using a MS web browser. I have seen a situation where I have used Remote Desktop to connect to the CA server but logged into the local machine account instead of the domain. In this situation the certificate templates were not available. I disconnected and re-logged in using a domain account with appropriate privileges and was able to access the certificate templates.


hope this helps.

Re: EAP-TLS Authentication

Answering the FIPS questions: you likely need to use xSec on the OAC supplicant on the WinMobile HHT because the radio/chipset/driver for WPA2 is NOT FIPS'd. Don't let the FIPS issues cloud your certificate troubleshooting, because they are not interrelated.


As for your certificates and HHTs, are you using local certificates on the HHT or are you using a bluetooth CAC sled?


Jerrod Howard
Distinguished Technologist, TME

Re: EAP-TLS Authentication

Never mind, no PMs here. Shoot me an email at jhoward - at - arubanetworks - dot - com. Once I know what account you fall under on our Fed group, we can likely get you more help if you need it, since you likely are needing to do your cert requests to DISA. They have a separate cert request procedure that allows you to put the correct extended key sets on the cert for the RADIUS server to act as a TLS authenticator.


Jerrod Howard
Distinguished Technologist, TME
Moderator

Re: EAP-TLS Authentication

To get back to the original question: you're trying to generate a server certificate on a Windows CA, using a CSR generated by the controller. The error message you're getting is because the CSR doesn't contain any template information, so the CA doesn't know which template to use to generate the cert. What you'll need to do is use "certreq" from the Windows command line:

certreq -submit -attrib "CertificateTemplate:WebServer" csr.txt

Replace "WebServer" with the name of the template you want to use (although WebServer is a built-in template that generally will work fine for an EAP-TLS server cert), and replace "csr.txt" with the filename of your CSR.

Hope that helps..


-Jon

---
Jon Green, ACMX, CISSP
Security Guy
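The certreq step above, as an added example that is not from this thread or from Aruba: it submits the controller's CSR with the template named as a request attribute, then checks that the issued cert actually carries the Server Authentication EKU that EAP-TLS supplicants look for before it is loaded on the controller. The CA config string, template name and file paths are assumed placeholders.

```powershell
# Added example (not from the thread). Submit a controller CSR to a Windows
# enterprise CA with an explicit template, then verify the issued certificate
# is usable as an EAP-TLS server cert. All values below are assumed placeholders.
param(
    [string]$CaConfig = "ca01.example.local\Example-Issuing-CA",  # "<host>\<CA name>", assumed
    [string]$Template = "WebServer",                              # template named in the thread
    [string]$CsrPath  = ".\csr.txt",                              # CSR exported from the controller
    [string]$CertPath = ".\radius-server.cer"                     # where the issued cert is written
)

# The CSR carries no template information, so the template is passed as a
# request attribute. -config names the CA so certreq does not prompt for one.
& certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
if ($LASTEXITCODE -ne 0) {
    throw "certreq -submit failed (exit $LASTEXITCODE); check Enroll permission on template '$Template'"
}

# A template set to require CA manager approval returns a RequestId and issues
# nothing yet; treat a missing output file as that case, not as success.
if (-not (Test-Path $CertPath)) {
    throw "No certificate written; the request is most likely pending CA manager approval"
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Supplicants validating the RADIUS server require the Server Authentication
# EKU (OID 1.3.6.1.5.5.7.3.1). A cert issued from the wrong template may chain
# fine and still be rejected by clients, so fail here rather than on the WLAN.
$ekuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$ekus = @()
if ($ekuExt) { $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value } }
if ($ekus -notcontains "1.3.6.1.5.5.7.3.1") {
    throw "Issued cert lacks Server Authentication EKU; template '$Template' gave: $($ekus -join ', ')"
}

# Verify() builds and checks the chain with the local machine's trust store;
# the same root CA must also be installed on the clients, as noted above.
if (-not $cert.Verify()) {
    throw "Issued cert does not chain to a trusted root on this machine: $($cert.Issuer)"
}

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
"EKUs    : $($ekus -join ', ')"
```

Run it from a domain-joined machine as an account that has Enroll permission on the template; the script only reads the CA, it does not change template ACLs.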