Aruba Employee

Re: Problems with MDPS - any updated complete tech docs yet?

I think the solution was to reset MDPS to factory defaults.

MVP Expert

Re: Problems with MDPS - any updated complete tech docs yet?

Hi Cam - and any other Airhead following this thread :)

I'm a happy man today because I finally got it working! What really caused the issue I'm not sure of, but as Cam says here I'm also thinking something was wrong with the certificates in one of the endpoints...

I got my hands on a somewhat updated version of the document - v1 dated June 2011 - which triggered a few new ideas and a concrete explanation of the procedures involved. In short - correct certificates and OCSP.

The longer story of what finally made it all work:

1. Factory reset MDPS with complete deletion of certificates and settings

2. Reboot (just 'cause I'm not paranoid...)

3. Delete all profiles on the iPad, reset network settings, restart it.

4. Set up Amigopod as Root CA and create a new root cert with a new private key.

5. Export the certificate tagged with ... Certificate Authority (signing) as CA-signing.pem

  • This is the suspected culprit from last round. The document describes only one type of certificate to export, and that is not the one tagged (signing). I did at one point try to export and install this on the Controller, but I'm thinking things were just too messed up by then.

6. Create a 1024-bit CSR on the Controller

  • I did use 2048 last time since 6.1.2.7 supports this, but didn't want to take any risks now.

7. Upload the CSR by copy/paste and export the certificate as CA-EAP-Termination.pem

8. Install certificates on the Controller

  • CA-signing.pem as Trusted CA
  • CA-EAP-Termination.pem as Server Cert
  • CA-signing.pem as OCSP Responder Cert

9. Set up the OCSP Responder using the installed OCSP Responder Cert

10. Then just follow the guide on creating the 802.1x profile, and the WiFi+Provision profile in MDPS

Questions and/or things to try out

  • in the Provisioning Profile I did not add an OCSP URL. Might cause some browser to fail - so what is best practice?
  • http vs https on OCSP url.. What is best practice and why?
  • Are there any extra security risks involved for the users if we allow guest user access to do this certificate enrollment and subsequently access to the EAP-TLS network?
  • EAP-Termination cert only lasts for 1 year, and there's no way to adjust this in the MDPS GUI. Would definitely be nice to be able to adjust this to last longer - just as the root cert. I'm guessing it might be possible to do it using openssl
  • I see that a self-registered user with an account lasting 8 hours will get a certificate that lasts just as long - which is as expected. Will have to check and document the user experience when trying to reconnect after the cert has expired, and then try to re-enroll again using the open SSID.

 

So Cam - when will an updated document with a description of enrollment of non-iOS devices come? :)

John - one happy airhead!


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Moderator

Re: Problems with MDPS - any updated complete tech docs yet?

John,
Great news that you are all up and running now and a happy airhead.
Let me try to answer some of your questions inline below:
-----

 

Questions and/or things to try out

  • in the Provisioning Profile I did not add an OCSP URL. Might cause some browser to fail - so what is best practice?

This option was added for compatibility with Microsoft NPS when EAP-TLS is terminated on this RADIUS server. This is not required for termination on the controller.

  • http vs https on OCSP url.. What is best practice and why?

This would depend on your server deployment in terms of location between the controller and the Amigopod and whether you are concerned about OCSP being seen in the clear. Typically this will be on a management network of some sort and may not be a major risk. If you have a look at the OCSP spec you can see that it is a transaction query based on the certificate serial number, and depending on your security policy you may or may not want this encrypted in your environment.

  • Are there any extra security risks involved for the users if we allow guest user access to do this certificate enrollment and subsequently access to the EAP-TLS network?

The certificate enrolment kind of assumes the BYOD use case and that the user already has a valid account in a user store somewhere. There would be nothing to prevent you creating guest accounts in the local Amigopod database and then using these for cert enrollment, but I'm not sure if this is what you are after. You could then use the Check cert CN option under the 802.1x authentication profile to trigger a subsequent query to Amigopod, and a role could be returned to the controller to provide differentiated guest access on the same TLS SSID.

 

  • EAP-Termination cert only lasts for 1 year, and there's no way to adjust this in the MDPS GUI. Would definitely be nice to be able to adjust this to last longer - just as the root cert. I'm guessing it might be possible to do it using openssl

I would have to check on that - I know you can adjust the certificate validity time in the Provisioning Settings, but I think this is just for client certificates. Not sure on the server certificate side of things.

 

  • I see that a self-registered user with an account lasting 8 hours will get a certificate that lasts just as long - which is as expected. Will have to check and document the user experience when trying to reconnect after expired cert, and then try to re-enroll again using the open SSID.

Yes the MDPS will attempt to match the certificate validity time to that of the underlying account if available. TLS authentication will fail with an expired client cert and re-enrollment will be required.

 

 

So Cam - when will an updated document with a description of enrollment of non-iOS devices come? :)

John - one happy airhead!
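
An added example (not Aruba, Amigopod or MDPS code, and not from either poster) that rebuilds the certificate set from John's steps 4 to 9 with plain openssl, and then checks the two points Cam makes above: an OCSP request carries the certificate serial number in the clear, and an expired client certificate no longer verifies against the root. Subject names, file names, the validity periods and the temporary working directory are assumptions chosen for illustration:

```shell
#!/bin/sh
# Added example for this thread, not Aruba/Amigopod/MDPS code: rebuild the
# certificate set described above with plain openssl so that key size, EKU and
# validity period are explicit, then check the two behaviours Cam describes:
# an OCSP request carries the certificate serial number in the clear, and an
# expired client certificate no longer verifies. Subject names, file names and
# validity periods are assumptions chosen for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# X.509v3 extension profiles. The extendedKeyUsage is what separates the
# EAP-termination server cert, the OCSP responder cert and the client cert.
write_ext_profiles() {
  cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid

[ocsp]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = OCSPSigning
authorityKeyIdentifier = keyid

[client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
}

# issue NAME SUBJECT PROFILE DAYS: fresh 2048-bit key and CSR, signed by the root CA.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -in "$WORK/$1.csr" -days "$4" \
      -CA "$WORK/CA-signing.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
      -extfile "$WORK/ext.cnf" -extensions "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# build_pki CA_DAYS SERVER_DAYS CLIENT_DAYS
build_pki() {
  write_ext_profiles
  # Steps 4/5: root CA with a new private key. The self-signed cert is the
  # "(signing)" export that goes on the controller as Trusted CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Amigopod Root CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days "$1" \
      -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/CA-signing.pem" 2>/dev/null
  # Steps 6-9: server cert from a CSR with a validity you choose (not fixed to
  # one year), a dedicated OCSP signing cert, and a short-lived client cert.
  issue CA-EAP-Termination "/CN=controller.example.net" server "$2"
  issue ocsp-responder "/CN=ocsp.example.net" ocsp "$2"
  issue client "/CN=guest-user" client "$3"
}

# RSA key size of the certificate's public key, e.g. 2048.
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Extended key usage of a certificate, e.g. "TLS Web Server Authentication".
eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# verify_chain CERT [EPOCH]: succeeds only if CERT chains to the root and is
# inside its validity period at EPOCH (default: now).
verify_chain() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$WORK/CA-signing.pem" -attime "$2" "$1" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$WORK/CA-signing.pem" "$1" 2>&1 | grep -q ': OK$'
  fi
}

# Serial number that an OCSP request for CERT carries; over plain http this is
# what anyone on the path between controller and responder can read.
ocsp_request_serial() {
  openssl ocsp -issuer "$WORK/CA-signing.pem" -cert "$1" -reqout "$WORK/req.der" -text 2>/dev/null \
    | sed -n 's/^ *Serial Number: //p'
}

cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

build_pki 3650 730 1
echo "server cert: $(key_bits "$WORK/CA-EAP-Termination.pem")-bit, EKU $(eku "$WORK/CA-EAP-Termination.pem")"
openssl x509 -in "$WORK/CA-EAP-Termination.pem" -noout -dates
echo "OCSP request for client cert discloses serial $(ocsp_request_serial "$WORK/client.pem")"
```

Everything lands in a temporary directory. The server certificate's lifetime is just the -days argument to openssl x509, which is the knob John is looking for if the controller accepts an externally signed certificate; the client certificate here gets one day, since -days has no hour granularity (matching an 8-hour account would need openssl ca with -startdate/-enddate). The example uses 2048-bit keys throughout; 1024-bit RSA is below current minimums for signing keys. The OCSP responder certificate is issued with the OCSPSigning EKU rather than reusing the CA certificate as in step 8, so the signing key for OCSP responses is not the CA key.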


 

MVP Expert

Re: Problems with MDPS - any updated complete tech docs yet?

 

Thank you for the clarifications Cam! Now on to the next challenge :)


Regards
John Solberg
