Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Instant 802.1x Supplication

  • 1.  Instant 802.1x Supplication

    Posted Dec 01, 2017 08:01 AM

    I am testing iAP 802.1x supplicant to authenticate the AP on an Ethernet interface that has been secured with 802.1x. It is straightforward for PEAP: I enable PEAP in the System settings, then configure the User/Pass in the AP settings, and it works fine.

    EAP-TLS is a little more difficult. I was hoping that I could use the built-in TPM engine to generate and use a built-in User Private Key during the authentication. On the 215/225 model I am testing with, the only option is to use a User Cert. I believe this means I will need to use an external CA to generate a certificate for each individual AP and upload each cert to each AP.

    Anyone have any tips? The CLI does show support for TPM (ap1x tls tpm) but there is no option in the GUI, which leads me to believe it is either not supported on this model or it is not a functional option yet.

    Running 6.5.4 release



  • 2.  RE: Instant 802.1x Supplication

    Posted Dec 01, 2017 08:07 AM

    Thinking through this a little more... Generating a unique cert won't do any good. I need to generate or upload a Key. Not sure how to go about that.



  • 3.  RE: Instant 802.1x Supplication
    Best Answer

    EMPLOYEE
    Posted Dec 04, 2017 09:23 AM

    TLS authentication with the TPM certificate, where you install the Aruba AP root CA into your ClearPass or other RADIUS server, is available in the controller version of ArubaOS 8.2. It might come to the Instant AP in the future given the message that is shown when you try to configure it via the CLI:

    does not support tpm yet!

    TLS with uploaded client certificates was implemented in earlier versions but seems to be unavailable on 6.5.4.

    Your Aruba partner or Aruba SE can help you with requesting this feature or finding out if it is on the roadmap.



  • 4.  RE: Instant 802.1x Supplication

    Posted Dec 04, 2017 02:42 PM

    Thanks Herman!

    We are an Aruba Partner and just wanted to be sure I wasn't missing something.

    Thanks



  • 5.  RE: Instant 802.1x Supplication

    Posted Dec 04, 2017 02:44 PM

    We have been doing a lot of Wired 802.1x deployments lately and this would be helpful in such deployments.



  • 6.  RE: Instant 802.1x Supplication

    Posted Aug 20, 2018 11:14 AM

    I tested this today with an IAP-315 running Aruba Instant version 8.3.0.1 and it still does not allow ap1x to use the TPM certificate. I am doing some extensive testing with wired 802.1x and ClearPass and was really hoping that this feature would work out of the box. I would like to see if it would be added and possibly even ported back to 6.5.x since 8.3 removed hardware support for hardware such as the IAP-205.



  • 7.  RE: Instant 802.1x Supplication

    EMPLOYEE
    Posted Aug 20, 2018 11:16 AM

    This is available on controller platforms. Submit a feature request if you'd like to see it on Instant.



  • 8.  RE: Instant 802.1x Supplication

    Posted Aug 20, 2018 01:01 PM

    I posted https://innovate.arubanetworks.com/ideas/WLAN-I-946 so please vote on it if you think this feature is worthwhile.