Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Certificate problem

  • 1.  Certificate problem

    Posted Jun 19, 2013 03:32 PM

    I am running into a problem trying to join a wireless network using EAP-TLS.  I have my own CA (openssl) that I have signed certs with. I have an original cert and one that was created about a year later with the same process, both signed by the same CA.  When I load the original cert along with the CA cert onto an iPad I can connect.  When I load the new cert with the CA cert I get an "unable to join the network" message.

     

    I am not running a RADIUS server to the best of my knowledge.  I was looking through the debug logs and it looks like everything is the same between the device authentication with the different certs up until the point that it gives an IP address.  The new cert gives the device 0.0.0.0, whereas the old one gives it a valid IP address.

     

    I also noticed that when I try to load the new cert I get a mon_mgr_thread_dev_add: dev sta inst "MAC ADDRESS HERE" already exists.  Is the Aruba Network storing the association of the old cert with the MAC, and is that causing issues?  It is also giving the device the same name no matter what cert, and that is the name of the original cert.

     

    Any information on this topic would be helpful.



  • 2.  RE: Certificate problem

    EMPLOYEE
    Posted Jun 24, 2013 08:53 PM

    You must be clear about what you are doing.  There is a difference between client cert, CA cert, and server cert.  When you say new cert and old cert, you have to say what types so we know what steps you are taking.



  • 3.  RE: Certificate problem

    Posted Jun 25, 2013 06:59 AM

    I am using the same CA cert and server cert.  I have tried to create new client certs that are not working with the old server/CA certs.  The new and old client certs both verify in openssl when I run checks on them that they are signed by the correct CA.

     

    I have also updated the CRL.  On the controller sits the CA trusted cert, a Server cert, and an updated CRL.  On the wireless device there is the CA trusted cert and the new and old client certs.  The old client certs allow the device to connect to the network, and the new certs do not allow the device to connect to the network.

     

    Thanks,

    Dan



  • 4.  RE: Certificate problem

    EMPLOYEE
    Posted Jun 25, 2013 07:05 AM

    You will probably have to open a support case.  If the only thing you changed is the CRL, that is where I would start.
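
The check reported in post 3 (`openssl verify` against the CA) only confirms the signature chain and does not consult the CRL; a CRL is only consulted when `-crl_check` is given. The script below is an added example, not from the thread or from Aruba: it builds a throwaway CA with two constructed client certs, revokes one, and shows both passing the chain-only check while the CRL check separates them. It assumes OpenSSL 1.1.1 or later on the PATH; `make_demo` and `crl_status` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. The CA, client names and revocation below are constructed in
# a temp directory for the demo; nothing here comes from the thread's setup.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/certs"; : > "$d/index.txt"; echo 01 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/certs
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
policy = any
[ any ]
commonName = supplied
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 || return 1
    for n in old new; do   # two client certs signed by the same CA
        openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=client-$n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" >/dev/null 2>&1 || return 1
        openssl ca -batch -notext -config "$d/ca.cnf" -days 30 \
            -in "$d/$n.csr" -out "$d/$n.pem" >/dev/null 2>&1 || return 1
    done
    # Revoke one cert, then issue the CRL that a controller would be loaded with.
    openssl ca -config "$d/ca.cnf" -revoke "$d/new.pem" >/dev/null 2>&1 || return 1
    openssl ca -config "$d/ca.cnf" -gencrl -crldays 7 -out "$d/crl.pem" >/dev/null 2>&1 || return 1
    echo "$d"
}
crl_status() {   # args: ca.pem crl.pem client.pem
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 || { echo "bad-chain"; return; }
    out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) && { echo "ok"; return; }
    case $out in
        *"certificate revoked"*) echo "revoked" ;;
        *"CRL has expired"*)     echo "crl-expired" ;;
        *)                       echo "crl-check-failed" ;;
    esac
}
d=$(make_demo) || exit 1
for n in old new; do echo "client-$n: $(crl_status "$d/ca.pem" "$d/crl.pem" "$d/$n.pem")"; done
```

To apply the same check to real files, call `crl_status` with the CA cert, the CRL loaded on the controller, and each client cert in PEM form.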