Wireless Access

Hey everyone,

I'm sorry to kinda hi-jack this topic but since I ran into the exact same problem and no (working) solution was provided other than ariyap's proposal I wanted to pick this up again.

For a test I'm conducting I'm using a working and productive NPS installation (runs with FortiAP devices) and wanted to test RADIUS integration with a single aruba AP-505 device. It is fully up-to-date and runs a virtual controller that is successfully registered in Aruba Central.

When moving the slider in the Security tab to "Open" it will work, obviusly not prompting for anything, but when moving it to "Enterprise" and pointing it to the RADIUS server it does no longer work. And just to be clear: of course the Primary server is listed and set up, as mentioned it's in use but the thing I stumbled over is that when trying to access the newly created network it will show me a certificate warning and the certificate provided is not the one set up in RADIUS, instead I see a local certificate held on the AP-505 device.

Now certainly something is messed up here, but I am not the expert who knows what to expect: authentication is certificate based and certificate is installed locally (works with a current profile running FortiAP).

Why am I presented with a local AP certificate? Is that even "normal"? Do I have to modify the local AP (when test is done it will be 20+ further devices) maually?

Sorry for the questions but either I didn't find the proper documentation or it is not documented in much detail at all; also support didn't provide me with a solution so far.

Any help is much appreciated!
BR
 

if you configure the WLAN for dot1x auth (Security Level = Enterprise) then the client that connects to that SSID shoud not get prompted for a certificate by the Instant AP. The certificate checks are between the RADIUS server and the Client.
The only case when IAP will present a certificate for RADIUS auth, is if it is configured for EAP offload


see if this is enable, if you dont need it disable it.

Hey everyone,

I'm sorry to kinda hi-jack this topic but since I ran into the exact same problem and no (working) solution was provided other than ariyap's proposal I wanted to pick this up again.

For a test I'm conducting I'm using a working and productive NPS installation (runs with FortiAP devices) and wanted to test RADIUS integration with a single aruba AP-505 device. It is fully up-to-date and runs a virtual controller that is successfully registered in Aruba Central.

When moving the slider in the Security tab to "Open" it will work, obviusly not prompting for anything, but when moving it to "Enterprise" and pointing it to the RADIUS server it does no longer work. And just to be clear: of course the Primary server is listed and set up, as mentioned it's in use but the thing I stumbled over is that when trying to access the newly created network it will show me a certificate warning and the certificate provided is not the one set up in RADIUS, instead I see a local certificate held on the AP-505 device.

Now certainly something is messed up here, but I am not the expert who knows what to expect: authentication is certificate based and certificate is installed locally (works with a current profile running FortiAP).

Why am I presented with a local AP certificate? Is that even "normal"? Do I have to modify the local AP (when test is done it will be 20+ further devices) maually?

Sorry for the questions but either I didn't find the proper documentation or it is not documented in much detail at all; also support didn't provide me with a solution so far.

Any help is much appreciated!
BR
 

Dear @ariyap,

thank you for your input, it is highly appreciated.

Your summary is what I expected, too: no certificate message should be shown, as negotiation happens between the client and NPS/RADIUS, so auto-connect should be working as it does with APs from another vendor (as the machine certificate is already in place) – but even with EAP offload set to 'disable' I see this AP 's certificate, it's not transparent and I don't get why! 🤨 (latest FW installed).

Does it mean that I'll have to manually add the certificate on the AP nonetheless, maybe?
I can't look into Aruba Central today unfortunately, but tomorow I can grab additional screenshots.

BR

if you configure the WLAN for dot1x auth (Security Level = Enterprise) then the client that connects to that SSID shoud not get prompted for a certificate by the Instant AP. The certificate checks are between the RADIUS server and the Client.
The only case when IAP will present a certificate for RADIUS auth, is if it is configured for EAP offload


see if this is enable, if you dont need it disable it.

Hey everyone,

I'm sorry to kinda hi-jack this topic but since I ran into the exact same problem and no (working) solution was provided other than ariyap's proposal I wanted to pick this up again.

For a test I'm conducting I'm using a working and productive NPS installation (runs with FortiAP devices) and wanted to test RADIUS integration with a single aruba AP-505 device. It is fully up-to-date and runs a virtual controller that is successfully registered in Aruba Central.

When moving the slider in the Security tab to "Open" it will work, obviusly not prompting for anything, but when moving it to "Enterprise" and pointing it to the RADIUS server it does no longer work. And just to be clear: of course the Primary server is listed and set up, as mentioned it's in use but the thing I stumbled over is that when trying to access the newly created network it will show me a certificate warning and the certificate provided is not the one set up in RADIUS, instead I see a local certificate held on the AP-505 device.

Now certainly something is messed up here, but I am not the expert who knows what to expect: authentication is certificate based and certificate is installed locally (works with a current profile running FortiAP).

Why am I presented with a local AP certificate? Is that even "normal"? Do I have to modify the local AP (when test is done it will be 20+ further devices) maually?

Sorry for the questions but either I didn't find the proper documentation or it is not documented in much detail at all; also support didn't provide me with a solution so far.

Any help is much appreciated!
BR