Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

  • 1.  PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    Posted Aug 09, 2017 01:37 PM

    Community,

    I am having great difficulty in getting the certificates to work between my Aruba WLC and my Windows RADIUS server. I don't know if this is an issue with my internal Cert server or what, but here is what I did.

     

    1) On the WLC I went to Certificates and generated a CSR

    2) Copied the RSA hash starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----

    3) I went to my internal Windows Cert server and submitted the CSR to it to generate the certificate. The cert server didn't seem to have an issue creating the cert.

    4) I uploaded the signed cert from my machine to the WLC using the PEM cert format and the "server cert" certificate type. I also uploaded the root certificate as "TrustedCA" cert

    5) I imported the cert into the Personal Certificate folder of my RADIUS server.

    6) In the PEAP settings in the RADIUS server I used the dropdown and selected the new cert to be used for that RADIUS Network Policy

     

    When I try to connect to the 802.1x WLAN I have set up, it won't connect, and in the Event Viewer of the Windows server it says: "The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure."

     

    I understand this isn't a Microsoft forum, but I was hoping maybe somebody has run into this before. I'm at a complete loss here. I'm pretty sure the RADIUS policies are set up correctly, and I do have the WLC entered into the RADIUS server as an approved NAS, the passwords are correct, etc.

     

    Any thoughts? I'm willing to answer as many questions as needed about my environment to get this resolved. Thanks.



  • 2.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM
    Best Answer

    EMPLOYEE
    Posted Aug 09, 2017 01:39 PM

    The certificate is only used on the RADIUS server. In your case, you did the CSR on the controller, so the private key only exists on the controller.

     

    You need to do the CSR on the RADIUS server and then install the certificate. The controller is not involved.
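
Added example, not part of the original reply: one way to generate the CSR on the NPS server itself with `certreq`, so the key pair is created in that server's machine store, and then check the `HasPrivateKey` state that the Event Viewer message refers to. The FQDN and working directory are placeholders.

```powershell
# Added example: run in an elevated PowerShell session on the NPS (RADIUS) server.
# $fqdn and $work are placeholders (assumptions), not values from this thread.
$fqdn = 'nps01.example.internal'
$work = Join-Path $env:TEMP 'nps-peap'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Request policy for certreq. The key pair is generated in the local machine
# store and marked non-exportable, so the private key stays on the RADIUS server.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$fqdn"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
RequestType = PKCS10
KeyUsage = 0xA0          ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1  ; Server Authentication
"@ | Set-Content -Path "$work\nps.inf" -Encoding ASCII

# 1) Create the key pair and CSR locally, then submit nps.req to the internal CA.
certreq.exe -new "$work\nps.inf" "$work\nps.req"

# 2) Once the CA returns the signed certificate, bind it to the pending key:
#    certreq.exe -accept "$work\nps.cer"

# 3) List Server Authentication certificates in the machine Personal store.
#    HasPrivateKey = False is the condition behind the "does not have a private
#    key information property" event; such a certificate cannot serve PEAP.
#    (Certificates with no EKU extension at all are not matched by this filter.)
$serverAuth = '1.3.6.1.5.5.7.3.1'
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $serverAuth } |
    Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey |
    Format-Table -AutoSize
```

A certificate issued from a CSR created on another device, as in the first post, shows up in step 3 with `HasPrivateKey` set to `False`.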



  • 3.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    Posted Aug 09, 2017 01:45 PM

    Tim,

     

    Thank you for such a quick response! That makes complete sense, as in PEAP only the RADIUS server needs to present the certificate. In this case I'm assuming the WLC is validating the certificate on the client's behalf?



  • 4.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM
    Best Answer

    EMPLOYEE
    Posted Aug 09, 2017 01:53 PM

    No, the controller is EAP agnostic and simply passes it to the RADIUS server. The trust is between the client and RADIUS server (and also the TLS tunnel).



  • 5.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    Posted Aug 09, 2017 04:41 PM

    Tim,

     

    So in the PEAP scenario, do you see any reason to enter a cert in the WLC under 

    Authentication>L2 Authentication>802.1x Authentication>Advanced>Server Certificate ?

    For some reason I was under the impression that this was necessary. I did upload the RootCA cert just fine and have selected it in the CA-Certificate drop down under the "L2 Authentication" Advanced tab. 

     

    Thanks.



  • 6.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM
    Best Answer

    EMPLOYEE
    Posted Aug 09, 2017 04:45 PM

    No. That's only when using EAP termination which is not recommended if you have a RADIUS server.



  • 7.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    Posted Aug 09, 2017 04:47 PM

    Tim,

     

    Thanks so much for your help. I took your advice; I went ahead and generated a cert request on my new RADIUS from the "Personal" folder in the Cert MMC and then selected that cert under my PEAP profile. It works! I was able to connect to the 802.1x WLAN using the cert! Thanks again!



  • 8.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    Posted Nov 06, 2017 09:54 AM

    Hi there, I'm facing the same issue, where 802.1x is working fine when EAP termination is happening on the controller, and it's not working with my Windows RADIUS NPS. A wildcard certificate is installed on both controllers and NPS. When I change the termination to the Windows server, it shows negotiation failed, negotiation failed no available eap methods. Is there any proper document for integrating an Aruba controller with Windows RADIUS? I have checked a lot of articles and followed them, but still the authentication is not happening.



  • 9.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    EMPLOYEE
    Posted Nov 06, 2017 09:57 AM


  • 10.  RE: PEAP Certificate assistance between 3200 Aruba WLC and Windows NPM

    Posted Nov 06, 2017 10:14 AM

    When terminating EAP at the Microsoft NPS, make sure that the cert you're using is trusted by the client. When using PEAP, only the server certificate is verified; the client does not need to present a cert. At a minimum, the client must trust the CA who signed the cert that the Microsoft NPS is using, meaning that the cert the NPS is presenting to the client must be signed by a CA that is in the client's Trusted Cert Store. When terminating EAP at the NPS, there is no need to upload any certs at all to the controller, as the controller is now acting as a NAS (or Authenticator) instead of an Authentication Server.

     

    HTH.

     

    Chris Craddock.