Wireless Access

Frequent Contributor II

VIA/Mac OS X/Certificate and radius authentication

Hello all -


We are in the process of implementing an Aruba vpn solution utilizing Clearpass, certificates and radius authentication. We are seeing some issues with the Mac's in the certificate is not being recognized for vpnaccess and is requiring users to actually add the vpnaccess to the certificate prior to being able to connect to the controller. I was wondering if anybody else is seeing the same issue.


Also wondering if anybody is using the VIA client on Linux.


Your input is greatly appreciated.




Re: VIA/Mac OS X/Certificate and radius authentication

Have you referenced the VIA design doc?




It should show you the settings needed for this.  I assume this is TLS authentication?  Is the server cert uploaded to the controller publicly trusted?  I know there is a prompt to download this to the client which seems to be what's happening.  So...if it isn't trusted, then the MAC obviously needs to add the server cert to perform that side of the trust for the authentication.  


Also, please see the following:


Certificate Groups:

In ArubaOS 6.1, the administrator can define multiple IKE server-certificates for Clients using “Certificate Groups”. This solves the problem where multiple VPN Clients in the network are using Certificates issued by different CAs and the Controller has one Server-certificate for IKE. With this feature, the Controller can now configure multiple Server-Certificates for IKE and select the Server-Certificate based on the CA certificate that verifies the Client-certificate.

A “Certificate Group” groups one Server-certificate and one CA-certificate.

First the CA certificate has to be configured in IKE using the existing command: In this example configure two CA certificates.

crypto-local isakmp ca-certificate <ca1>

crypto-local isakmp ca-certificate <ca2>

Then configure the Certificate Group. In this example, configure  one certificate-group for Client-certificates verified by “ca1” and another for Client-certificates verified by “ca2”.

crypto-local isakmp certificate-group server-certificate <s1> ca-certificate <ca1>

crypto-local isakmp certificate-group server-certificate <s2> ca-certificate <ca2>

Each Server certificate defined in the Certificate Group can be used both for IKEv1 and IKEv2.

If the Client-certificate does not match a specific Certificate-Group, then the single Server-certificate that is configured will be used depending on the IKE version.

            crypto-local isakmp server-certificate <s3>

            crypto-local isakmp server-certificate-v2 <s3>


In IKE_AUTH request message, when a certificate request payload is sent, controller receives it and goes through all the certificate groups defined. If a matching CA certificate whose hash of the public key matches the one received in certificate request payload, the corresponding server certificate is sent in IKE_AUTH response. If none of the certificate groups match, the default global server certificate is sent to the peer.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
If you found my post helpful, please give kudos
Frequent Contributor II

Re: VIA/Mac OS X/Certificate and radius authentication

Thank you - We have a vendor doing this install and I"m trying to figure out what isn't working and why. The Mac's download the certificate just fine - it breaks when they are using the VIA client to VPN in - doesn't recognize the certificate, so it doesn't allow access.


I'll read the doc and see if there is something the installer missed.


Thank you!



Search Airheads
Showing results for 
Search instead for 
Did you mean: