Date post: | 03-Apr-2018 |
Upload: | wonderousworld |
7/28/2019 EAP TLS Termination
EAP-TLS Termination
Termination of EAP-TLS on ArubaOS 3.1

This setup for EAP-TLS termination was done with the following:
- Aruba Controller running AOS 3.1 or greater
- Windows 2003 server running a Microsoft Cert Authority, IIS and acting as a Domain Controller
- Juniper Odyssey Access Client

1. Certificate Creation
   a. Server Cert
   b. Trusted CA Cert
2. Controller Authentication Configuration
   a. Configure TLS AAA Profile
3. AP Configuration
   a. Add TLS Virtual AP
4. Client Configuration

1. Certificate Creation
You will need both a Server Cert and a Trusted CA Cert for EAP-TLS.
   a. Server Cert
   Generate a CSR by going to the Aruba Controller:
      i. Configuration > Management > Certificates > CSR
      ii. Fill in all fields and click > Generate New
      iii. View Current
      iv. Copy the entire request, from -----BEGIN... to ...REQUEST-----
      v. Using your web browser, go to your MS Certificate Server with the URL of http://x.x.x.x/certsrv
      vi. > Request a certificate
      vii. Submit a certificate request by using a base-64-encoded.
      viii. Paste in CSR information
      ix. The Cert Admin will need to approve the pending request via the MS Cert Authority. You do this by right-clicking on it and choosing Issue.
      x. You will now be able to web surf back to http://x.x.x.x/certsrv and download your cert. You should use a name that tells you it is the Server Cert so you don't get it mixed up with your CA Cert.
      xi. Upload the Server Cert to the Aruba Controller.
         1. Cert format is PEM
         2. Cert Type is Server Cert
   b. Trusted CA Cert
      i. From the Windows 2003 server go to Start > Run and type mmc into the Run dialog box. This will bring up the MMC console.
      ii. Go to File > Add snap-in
      iii. Add the Certificates snap-in with Computer account
      iv. Under the Trusted Root Cert Auth. find your Cert. This was created during the install of the MS Cert Server.
      v. Right-click on it to export it
      vi. Export without the private key
      vii. Base-64 encoded X.509 format. Again, name it with a name so that you know it is the CA Cert.
      viii. Upload the Trusted CA to the Aruba Controller.
         1. Cert format is PEM
         2. Cert Type is Trusted CA
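
A pre-upload sanity check for the files handled in section 1, added here as an example and not part of the original guide: it tells a complete PEM CSR or certificate from a binary DER export or a copy-paste that lost lines. The names classify, make_pem and SAMPLE_DER are hypothetical, and the sample bytes are constructed, not a real certificate.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def classify(data: bytes) -> str:
    """Return 'pem-csr', 'pem-cert', 'der' or 'invalid: <reason>'."""
    if data[:1] == b"\x30":               # binary export, not the PEM the upload expects
        return "der" if der_length_ok(data) else "invalid: truncated DER"
    text = data.decode("ascii", errors="replace")
    m = PEM_RE.search(text)
    if not m:
        return "invalid: missing BEGIN/END marker line"
    begin, body, end = m.groups()
    if begin != end:
        return "invalid: BEGIN/END labels differ"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error:
        return "invalid: body is not clean base64"
    if not der_length_ok(der):            # e.g. a line lost while copying the request
        return "invalid: body truncated or not ASN.1"
    if begin in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        return "pem-csr"
    if begin == "CERTIFICATE":
        return "pem-cert"
    return "invalid: unexpected label " + begin

def make_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor with 64-character lines (used for the samples)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n{chr(10).join(lines)}\n-----END {label}-----\n".encode()

# Constructed sample: a 300-byte SEQUENCE of zero bytes, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x28" + bytes(296)
```

Run classify on the raw bytes of the CSR text before pasting it into certsrv, and on each downloaded or exported file before uploading it with Cert format PEM; a "der" result means the file was exported as DER rather than Base-64 encoded X.509.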

2. Controller Authentication Configuration
   a. Configure TLS AAA Profile
      i. Go to Configuration > Security > Authentication > Profiles
      ii. Click on add at the bottom and create a new AAA Profile
      iii. Choose the Initial and Default role you want to use
   b. 802.1X Authentication Profile
      i. Create a new 802.1x auth profile
      ii. Enable Termination
      iii. EAP-Type: eap-tls
      iv. Inner EAP-Type: eap-tls
      v. Make sure you Apply before the next step
      vi. Go into the Advanced tab
      vii. Select your CA Cert and your Server Cert
      viii. If you want a cert-based login you will need to select TLS Guest Access and a TLS Guest Role. If you do not select this option you will need to tie in some type of Auth Server.
   c. 802.1X Authentication Server Group
      i. Select the internal server as the Auth Server Group. I don't understand why this is required for Guest TLS but it is. You do not need any usernames or passwords for Guest TLS.

3. AP Configuration
   a. Add TLS Virtual AP
   b. Under Configuration > AP Group > - add a SSID
   c. From the AAA Profile drop-down menu select the TLS profile and apply
   d. Go into the new virtual AP and edit the SSID profile
   e. Add a SSID name
   f. Select WPA and TKIP or WPA2 and AES
   g. Click on save as at the top right and give it a name.
   h. Apply
   Note: do not edit the default

4. Client Configuration
   a. From your client, web surf to your cert server http://x.x.x.x/certsrv
   b. Click on Request a certificate
   c. Select Web Browser Certificate
   d. Fill in form
   e. Submit
      i. The Cert Admin will need to approve the pending request via the MS Cert Authority. You do this by right-clicking on it and choosing Issue.
      ii. You will now be able to web surf back to http://x.x.x.x/certsrv and install your cert.