Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

password & certificate based authentication

  • 1.  password & certificate based authentication

    Posted Mar 25, 2015 12:37 AM

    Hi

    our client is an enterprise with a pair of 7210 controllers and many AP225 access points. 

    they would like to deploy a very secure authentication method to :

     

    1- ensure that only clients with installed certificate on their devices can join the network.

    2- ensure the user-supplied credentials (username, password) get authenticated against the Active Directory.

     

    I understood that EAP-TLS supports only certificate-based authentication without checking the username and password, and the other authentication methods which support password authentication do not support mutual certificate authentication. So I would like to know how the customer can have both user/password AND certificate-based authentication for its users.

     

    Appreciate your replies.

    Reza

     

     


    #7210
    #AP225


  • 2.  RE: password & certificate based authentication

    Posted Mar 25, 2015 05:50 AM

    Hi,

    Your requirement can be fulfilled with dot1x (802.1X) with EAP-TLS, MSCHAPv2.

    In this auth process, a secure tunnel will be created by using EAP-TLS (with client and server certificate) and then user credentials will be shared through the secure tunnel with MSCHAP.

     

    The user should be authenticated with AD or LDAP or some other server, depending on the server group you have configured and mapped to the AAA profile.

     

    Please feel free to ask if you still need more clarity on this.

     



  • 3.  RE: password & certificate based authentication

    Posted Mar 25, 2015 07:22 AM

    Hi Venu

     

    Thanks for your reply. I would like to do the same. Can you help me to understand more:

     

    1- Do I need to terminate the EAP on the controller or the RADIUS server?

    2- How do I configure the controller to use both EAP-TLS and MSCHAPv2 for authentication?

    3- Can I use a single RADIUS server (NPS) on Windows Server 2012?

     

    I'm running ArubaOS 6.4.

     

    Thanks

    Reza

     



  • 4.  RE: password & certificate based authentication

    EMPLOYEE
    Posted Mar 25, 2015 08:06 AM
    The only way you can currently do this is to use EAP-TLS and then have the user authenticate to a captive portal with their username and password.

    The idea with certificate authentication is to eliminate passwords.


    Thanks,
    Tim


  • 5.  RE: password & certificate based authentication

    Posted Mar 25, 2015 08:23 AM

    Hi,

    If you don't have a valid server certificate, you have to terminate it on the controller; otherwise terminate it on the server.

    The configuration depends on your termination. If you terminate it on the controller, you have to select the outer and inner type as shown in the pic:

     

    EAP1.png

     

    Else, if you terminate on the server, you need to configure it on the server, and the client and server will negotiate and use one of the available inner tunnel methods (PAP/MSCHAP).

     

    If you want server failover you need to configure multiple servers; otherwise a single server should be OK. You can configure servers and map them to a server group, and the group to an AAA profile.

     

    Hope you got some clarity; if not, feel free to come back.



  • 6.  RE: password & certificate based authentication

    EMPLOYEE
    Posted Mar 25, 2015 08:27 AM
    Using EAP-PEAP or EAP-TTLS is not dual factor. Those methods use a certificate for the server's identity only. It is not mutual.

    Also, you should never have "validate server certificate" unchecked in a production environment.


    Thanks,
    Tim


  • 7.  RE: password & certificate based authentication

    Posted Mar 25, 2015 08:49 AM

    Hi Venu

     

    I don't want to terminate it on the controller; I would like to use an external Windows RADIUS server.

    In this case, how do I need to configure the controller? Just to send to the RADIUS server?

    What configuration needs to be applied on the server and client?

     

    I have opened a ticket with Aruba also, but they are saying that it's not possible. :(



  • 8.  RE: password & certificate based authentication

    EMPLOYEE
    Posted Mar 25, 2015 09:03 AM

    TAC is correct. This is not possible natively without layering on a captive portal.



  • 9.  RE: password & certificate based authentication

    Posted Mar 25, 2015 09:08 AM

    Thanks Tim. 

    I think it's clear. The certificate-based and tunneling-based EAP methods are different and cannot be mixed.

     

     

    eap.JPG



  • 10.  RE: password & certificate based authentication

    Posted Mar 25, 2015 09:21 AM

    Hi,

     

    If you don't terminate on the controller, you don't need to configure anything on the controller, because the traffic is not visible to the controller (it will pass through the controller). That is the primary objective of creating a secure tunnel between the client and the controller.

    Coming to the config at client and the server side,

    Client :

    Step 1 :

    Open the WL client connection profile, select the "Security" tab and select the EAP type as shown in the pic.

    EAP_2.png

    Step 2 :

    Click on Settings and select "User Authentication Methods" as "EAP-MSCHAP V2" as shown in the pic.

    EAP3.png

     

    On the server, I have snapshots for IAS; it should be the same for NPS as well.

    Select Remote Access Policy --> Edit Profile --> Authentication --> EAP Methods as shown in the pic.

    EAP4.png

    Try and let me know if you need any further help on this.