Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

About Instant AP certificates and PEAP authentication

  • 1.  About Instant AP certificates and PEAP authentication

    Posted Jun 27, 2018 04:36 PM

    Hi guys,

     

    Actually I have a network of Instant APs where the clients authenticate against a RADIUS server with username and password (PEAP) in order to connect to the corporate SSID. Because the RADIUS server doesn't have a certificate I have enabled EAP offload, so the IAP acts as the authentication server and is the one that sends the certificate to clients. Because clients don't have that certificate in their certificate list, they get an untrusted server warning and have to accept it before connecting to the network. I am a beginner with certificates so I have two doubts:

     

    1. When EAP offload is enabled, which certificate is sent to clients, the AP's certificate where the client is connected to or the master AP's certificate?
    2. Is it possible to import the Instant AP certificate into the client to avoid getting the untrusted server warning?

    Regards,

    Julián



  • 2.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 27, 2018 06:09 PM
    • You should not use legacy EAP methods like PEAP
    • You should not be terminating EAP on the NAD. Use a RADIUS server.


  • 3.  RE: About Instant AP certificates and PEAP authentication

    Posted Jun 27, 2018 06:15 PM

    Hi Tim,

     

    Thanks for the reply. I know that EAP-TLS is more secure than PEAP and that enabling EAP offload is not a good practice, and that it is better to use the RADIUS server certificate. But my doubts are not related to best practices but to how the certificates are treated in Instant when EAP offload is enabled.

     

    1. When EAP offload is enabled, which certificate is sent to clients, the AP's certificate where the client is connected to or the master AP's certificate?
    2. Is it possible to import the Instant AP certificate into the client to avoid getting the untrusted server warning?

     

    Regards,

    Julián



  • 4.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 28, 2018 05:24 AM

    As said, you should not do it. But to answer your questions for educational purposes:

     

    When EAP offload is enabled, which certificate is sent to clients, the AP's certificate where the client is connected to or the master AP's certificate?

    With EAP termination or EAP offload, the AP will terminate the PEAP outer tunnel with its (EAP) certificate. The MSCHAPv2 will be forwarded to the RADIUS server. Again, you should not be using PEAP-MSCHAPv2 in production, so the answer is for educational purposes only.

     

    Is it possible to import the Instant AP certificate into the client to avoid getting the untrusted server warning?

    You can: similar to when the certificate is not on the AP, (pre)configure your client with the CA that issued the AP/RADIUS-server certificate and the proper certificate validation. Never let users self-configure this, because if they don't set each tickbox correctly you will end up with an insecure situation.



  • 5.  RE: About Instant AP certificates and PEAP authentication

    Posted Jun 28, 2018 05:49 PM

    Hi Herman,

     

    Thanks for your interest. About the second point:

     

    You can, similar to when the certificate is not on the AP, (pre)configure your client with the CA that issued the AP/RADIUS-server certificate and the proper certificate validation.

     

    What CA should my client trust? I don't know which certificate the AP uses for EAP; it has many (Default Server Certificate, Current CP Server Certificate and Device Certificate). Look at this:

     

    P4-W04# show cert all

    Default Server Certificate:
    Version :3
    Serial Number :01:DA:52
    Issuer :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
    Subject :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com
    Issued On :May 11 01:22:10 2011 GMT
    Expires On :Aug 11 04:40:59 2017 GMT
    Signed Using :SHA1-RSA
    RSA Key size :2048 bits

     

    Version :3
    Serial Number :02:36:D2
    Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    Subject :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
    Issued On :Feb 26 21:32:31 2010 GMT
    Expires On :Feb 25 21:32:31 2020 GMT
    Signed Using :SHA1-RSA
    RSA Key size :2048 bits

     

    Version :3
    Serial Number :02:34:56
    Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    Subject :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
    Issued On :May 21 04:00:00 2002 GMT
    Expires On :May 21 04:00:00 2022 GMT
    Signed Using :SHA1-RSA
    RSA Key size :2048 bits

     

    Current CP Server Certificate:
    Version :3
    Serial Number :0D:18:23:89:16:76:A4:13:92:D9:3E:EA:03:DE:DD:18
    Issuer :/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
    Subject :/C=US/ST=California/L=Palo Alto/O=Hewlett Packard Enterprise Company/OU=Aruba Networks/CN=securelogin.hpe.com
    Issued On :Feb 12 00:00:00 2018 GMT
    Expires On :Feb 13 12:00:00 2019 GMT
    Signed Using :SHA256-RSA
    RSA Key size :2048 bits

     

    Version :3
    Serial Number :03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5
    Issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    Subject :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    Issued On :Aug 1 12:00:00 2013 GMT
    Expires On :Jan 15 12:00:00 2038 GMT
    Signed Using :SHA256-RSA
    RSA Key size :2048 bits

     

    Version :3
    Serial Number :0C:8E:E0:C9:0D:6A:89:15:88:04:06:1E:E2:41:F9:AF
    Issuer :/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    Subject :/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
    Issued On :Aug 1 12:00:00 2013 GMT
    Expires On :Aug 1 12:00:00 2028 GMT
    Signed Using :SHA256-RSA
    RSA Key size :2048 bits

     

    Device Certificate:
    Version :3
    Serial Number :21:8F:5B:7C:00:00:00:03:8B:74
    Issuer :/UID=com/UID=arubanetworks/UID=devicesign/CN=Aruba Networks Trusted Computing Issuing CA 2
    Subject :/CN=CNDQHN725W::20:a6:cd:cb:5c:de
    Issued On :Aug 18 12:43:59 2017 GMT
    Expires On :Sep 14 03:21:14 2032 GMT
    Signed Using :SHA256-RSA
    RSA Key size :2048 bits

    P4-W04#

     

    The issuers are GeoTrust, DigiCert and Aruba Networks. Which one?

     

    Regards,

    Julián
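The `show cert all` dump above is plain `Field :value` text, so the question "which CA and which CN would a supplicant have to be configured with?" (Herman's advice in reply 4) can be answered mechanically. The following is an added example, not code from the thread or from Aruba: it parses a trimmed copy of the output quoted above (Version, Serial Number, Issued On and RSA Key size lines dropped, two of the three sections kept), walks each store from leaf to root, and reports the server CN, the issuing CA, the self-signed trust anchor, and whether the leaf is expired or the chain uses a weak signature algorithm. The field names, section-header convention and date format are taken from the output as shown; the audit rules are my own.

```python
"""Audit an Aruba Instant 'show cert all' dump: which CA and CN a supplicant
would have to trust for each store, plus expiry and weak-signature checks."""
import re
from datetime import datetime, timezone

# Trimmed copy of the output quoted in post 5 (Version, Serial Number,
# Issued On and RSA Key size lines dropped; two of the three sections kept).
SAMPLE = """\
P4-W04# show cert all

Default Server Certificate:
Issuer :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Subject :/serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF/C=US/O=securelogin.arubanetworks.com/OU=GT28470348/OU=See www.geotrust.com/resources/cps (c)11/OU=Domain Control Validated - QuickSSL(R) Premium/CN=securelogin.arubanetworks.com
Expires On :Aug 11 04:40:59 2017 GMT
Signed Using :SHA1-RSA

Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
Expires On :Feb 25 21:32:31 2020 GMT
Signed Using :SHA1-RSA

Issuer :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Subject :/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
Expires On :May 21 04:00:00 2022 GMT
Signed Using :SHA1-RSA

Device Certificate:
Issuer :/UID=com/UID=arubanetworks/UID=devicesign/CN=Aruba Networks Trusted Computing Issuing CA 2
Subject :/CN=CNDQHN725W::20:a6:cd:cb:5c:de
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA256-RSA
P4-W04#
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"     # 'Aug 11 04:40:59 2017 GMT'
WEAK_SIGNATURES = ("SHA1", "MD5")      # prefixes of 'Signed Using' values to flag


def parse_cert_store(text):
    """Group 'Field :value' lines into certificates, keyed by section name."""
    sections, name, cert = {}, None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if " :" in line:                         # 'Issuer :/C=US/...'
            key, value = line.split(" :", 1)
            cert[key.strip()] = value.strip()
            continue
        if cert:                                 # blank line, header or prompt ends a cert
            sections.setdefault(name, []).append(cert)
            cert = {}
        if line.endswith(":"):                   # 'Default Server Certificate:'
            name = line[:-1]
    if cert:
        sections.setdefault(name, []).append(cert)
    return sections


def common_name(dn):
    """Pull the CN out of an OpenSSL-style '/C=US/O=.../CN=...' DN."""
    m = re.search(r"CN=([^/]+)", dn)
    return m.group(1) if m else dn


def audit_section(certs, now):
    """Walk leaf -> root and report what a supplicant must be told to trust."""
    by_subject = {c["Subject"]: c for c in certs}
    issuers = {c["Issuer"] for c in certs}
    # The server (leaf) certificate is the one that issued nothing else in the store.
    leaf = next((c for c in certs if c["Subject"] not in issuers), certs[0])
    chain = [leaf]
    while (chain[-1]["Issuer"] != chain[-1]["Subject"]
           and chain[-1]["Issuer"] in by_subject and len(chain) <= len(certs)):
        chain.append(by_subject[chain[-1]["Issuer"]])
    root = chain[-1]
    complete = root["Issuer"] == root["Subject"]  # chain ends at a self-signed anchor
    expires = datetime.strptime(leaf["Expires On"], DATE_FMT).replace(tzinfo=timezone.utc)
    return {
        "server_cn": common_name(leaf["Subject"]),   # CN the supplicant should match
        "issuing_ca": common_name(leaf["Issuer"]),   # CA that issued the server cert
        "trust_anchor": common_name(root["Subject"]) if complete else None,
        "chain_complete": complete,
        "expired": expires < now,
        "weak_signature": any(c["Signed Using"].upper().startswith(WEAK_SIGNATURES) for c in chain),
    }


def audit(text, now):
    return {name: audit_section(certs, now) for name, certs in parse_cert_store(text).items()}


def audit_sample():
    """Run the audit against SAMPLE as of the day the output was posted."""
    return audit(SAMPLE, datetime(2018, 6, 28, tzinfo=timezone.utc))


if __name__ == "__main__":
    for section, result in audit_sample().items():
        print(section, result)
```

Run against the posted output, the Default Server Certificate store resolves to `securelogin.arubanetworks.com` issued by `GeoTrust DV SSL CA` under the `GeoTrust Global CA` anchor, but is flagged both as expired (August 2017) and as SHA1-signed; the Device Certificate store has no self-signed anchor in the dump at all, so nothing there could be handed to a supplicant as a trust root. Either result supports the advice in this thread to upload a purpose-issued EAP server certificate rather than rely on what ships on the AP.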

     



  • 6.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 28, 2018 06:00 PM
    The signing CA of your EAP server certificate.


  • 7.  RE: About Instant AP certificates and PEAP authentication

    Posted Jun 28, 2018 06:23 PM

    Hi Tim,

     

    But in the case where the AP sends the certificate to clients, which certificate will it use? You can see in the previous output that the AP has three certificates: Default Server Certificate, Current CP Server Certificate and Device Certificate. Which one?

     

    Regards,

    Julián



  • 8.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 29, 2018 09:51 AM

    You need to upload an EAP server certificate. You cannot use the defaults.



  • 9.  RE: About Instant AP certificates and PEAP authentication

    Posted Jun 29, 2018 10:08 AM
    But in Instant, if you enable EAP offload, the AP sends one of its default certificates to the clients and it works fine, but I don't know which one. You don't need to upload an EAP certificate for this to work.

    Regards,
    Julián


  • 10.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 29, 2018 10:11 AM
    You cannot use the default certificates. You need to acquire an EAP server certificate.


  • 11.  RE: About Instant AP certificates and PEAP authentication

    Posted Jun 29, 2018 10:13 AM
    And why does it work if I just enable EAP offload?

    Regards,
    Julián


  • 12.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 29, 2018 10:26 AM
    Works != properly configured and secure


  • 13.  RE: About Instant AP certificates and PEAP authentication

    Posted Jun 29, 2018 10:30 AM
    I agree, but I am not asking about best practices in this post, as I said at the beginning. I just want to know the process for educational purposes, as Herman mentioned.


  • 14.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jun 29, 2018 10:33 AM
    There is nothing unique about this scenario. The supplicant needs to trust the signing CA and common name of the EAP server certificate.

    I’m sorry but I will not assist you in setting up an environment incorrectly.


  • 15.  RE: About Instant AP certificates and PEAP authentication

    Posted Jul 02, 2018 02:22 PM
    Ok, don't worry. Does anyone know which of its certificates the IAP uses for EAP (Default Server Certificate, Current CP Server Certificate and Device Certificate)?

    P.S.: I don't know why Aruba offers the EAP offload feature if it should never be used.

    Regards,
    Julián


  • 16.  RE: About Instant AP certificates and PEAP authentication

    EMPLOYEE
    Posted Jul 03, 2018 09:23 AM

    Julian,

     

    The Instant AP uses whatever certificate is built into the Instant AP.  You could choose to change the server certificate by uploading a different auth-server certificate:  https://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/Authentication/Certificates.htm?

     

    EAP Termination/EAP Offload are holdovers from many years ago when users did not have RADIUS servers. Since then, Microsoft has been shipping free RADIUS servers for years (since Internet Authentication Server), so using EAP Offload/EAP Termination and installing software on end devices is no longer a good or viable option, but it is still kept as a feature for the small number of users who continue to use it. Using a real RADIUS server always has been and continues to be the best option, instead of using termination/EAP offload.

     

    Whenever users ask us to troubleshoot this option, we always steer them toward an actual RADIUS server. Administrators can choose to do whatever they want, but we will always try to steer them to the better option.



  • 17.  RE: About Instant AP certificates and PEAP authentication

    Posted Jul 03, 2018 09:32 AM
    Thanks for the clarification Colin!

    Regards,
    Julián