Wireless Access

Hi All, 

I've got a client that is looking for the below solution:

SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use it's own server-certificate and CA for authentication all within the same Central Group?

Thank you

What is the authentication server for SSID1?

And are you using RadSec?

Cloud Authentication and Policy uses RadSec for the communication with Central. If you change the RadSec CA or RadSec Client Cert, that communciation will break and users cannot authenticate anymore. As of today you cannot have multiple RadSec Client or CA certificates on your APs or gateways.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 21, 2023 06:30 PM
From: ga123
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

Hi All, 

I've got a client that is looking for the below solution:

SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use it's own server-certificate and CA for authentication all within the same Central Group?

Thank you

To add to that, RadSec is just for the communication between your controller/AP and your authentication servers (RADIUS/ClearPass/Cloud Auth/etc).

You can have different server and client CAs, which are handled in the authentication server. But it seems like your issue is about the Radius/RadSec communication broken to different servers.

What is the authentication server for SSID1?

And are you using RadSec?

Cloud Authentication and Policy uses RadSec for the communication with Central. If you change the RadSec CA or RadSec Client Cert, that communciation will break and users cannot authenticate anymore. As of today you cannot have multiple RadSec Client or CA certificates on your APs or gateways.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 21, 2023 06:30 PM
From: ga123
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

Hi All, 

I've got a client that is looking for the below solution:

SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use it's own server-certificate and CA for authentication all within the same Central Group?

Thank you

To add to that, RadSec is just for the communication between your controller/AP and your authentication servers (RADIUS/ClearPass/Cloud Auth/etc).

You can have different server and client CAs, which are handled in the authentication server. But it seems like your issue is about the Radius/RadSec communication broken to different servers.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 22, 2023 08:46 AM
From: Herman Robers
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

What is the authentication server for SSID1?

And are you using RadSec?

Cloud Authentication and Policy uses RadSec for the communication with Central. If you change the RadSec CA or RadSec Client Cert, that communciation will break and users cannot authenticate anymore. As of today you cannot have multiple RadSec Client or CA certificates on your APs or gateways.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 21, 2023 06:30 PM
From: ga123
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

Hi All, 

I've got a client that is looking for the below solution:

SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use it's own server-certificate and CA for authentication all within the same Central Group?

Thank you

Is this related to the same issue I've seen when attempting to use RADSEC with SSID-1 and Aruba's Guest Captive Portal on SSID-2? 

Regards, Mike 


Original Message:
Sent: Aug 22, 2023 08:53 AM
From: Herman Robers
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

To add to that, RadSec is just for the communication between your controller/AP and your authentication servers (RADIUS/ClearPass/Cloud Auth/etc).

You can have different server and client CAs, which are handled in the authentication server. But it seems like your issue is about the Radius/RadSec communication broken to different servers.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 22, 2023 08:46 AM
From: Herman Robers
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

What is the authentication server for SSID1?

And are you using RadSec?

Cloud Authentication and Policy uses RadSec for the communication with Central. If you change the RadSec CA or RadSec Client Cert, that communciation will break and users cannot authenticate anymore. As of today you cannot have multiple RadSec Client or CA certificates on your APs or gateways.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 21, 2023 06:30 PM
From: ga123
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

Hi All, 

I've got a client that is looking for the below solution:

SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use it's own server-certificate and CA for authentication all within the same Central Group?

Thank you

If you refer to RadSec to one RADIUS server for 802.1X and Cloud Guest (RadSec to the Central Cloud); then that may be the case. If the RadSec is to the same server (same RadSec server certificate) it may not be related.

What is the issue that you have?

Is this related to the same issue I've seen when attempting to use RADSEC with SSID-1 and Aruba's Guest Captive Portal on SSID-2? 

Regards, Mike 


Original Message:
Sent: Aug 22, 2023 08:53 AM
From: Herman Robers
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

To add to that, RadSec is just for the communication between your controller/AP and your authentication servers (RADIUS/ClearPass/Cloud Auth/etc).

You can have different server and client CAs, which are handled in the authentication server. But it seems like your issue is about the Radius/RadSec communication broken to different servers.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 22, 2023 08:46 AM
From: Herman Robers
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

What is the authentication server for SSID1?

And are you using RadSec?

Cloud Authentication and Policy uses RadSec for the communication with Central. If you change the RadSec CA or RadSec Client Cert, that communciation will break and users cannot authenticate anymore. As of today you cannot have multiple RadSec Client or CA certificates on your APs or gateways.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Aug 21, 2023 06:30 PM
From: ga123
Subject: WPA2/3-Enterprise - Two different client certificates for two different SSIDs

Hi All, 

I've got a client that is looking for the below solution:

SSID-1 - (Corporate Devices managed by InTune) - WPA3-Enterprise with certificate-based authentication using their own CA and RadSec. 

SSID-2 - (BYOD devices belonging to staff) - WPA3-Enterprise with Azure AD via Aruba Cloud Authentication (Aruba Cloud Authentication and Policy Overview (arubanetworks.com)). Users will authenticate using their organization's O365 credentials. 

SSID-1 is working well and has no issues. When we configure SSID-2, authentication is timing out which is due to the AP using the server-certificate and CA we have configured under Group>Devices>Access Points>Security>Certificate Usage. Changing this to use the "default" certificate as per below screenshot resolves the issue but then SSID-1 stops working since it can't authenticate itself. 

Does anyone know if it's possible to have two WPA3-Enterprise networks and have each use it's own server-certificate and CA for authentication all within the same Central Group?

Thank you