EAP TLS Termination

7/28/2019 EAP TLS Termination

1/23

1|P a g e

EAP-TLSTermination


2/23

2|P a g e

TerminationofEAP-TLSonArubaOS3.1

ThissetupforEAP-TLSterminationwasdowiththefollowing

ArubaControllerrunningAOS3.1orgreater Windows2003serverrunningaMicrosoftCertAuthority,IISandactingasaDomain

Controller

JuniperOdysseyAccessClient1. CertificateCreation

a. ServerCertb. TrustedCACert

2. ControllerAuthenticationConfigurationa. ConfigureTLSAAAProfile

3. APConfigurationa. AddTLSVirtualAP

4. ClientConfiguration


3/23

3|P a g e

1. CertificateCreationYouwillneedbothaServerCertandaTrustedCACertforEAP-TLS.

a. ServerCertGenerateaCSRbygoingtotheArubaController:i. Configuration>Management>Certificates>CSRii. Fillinallfieldsandclick>GenerateNew iii. ViewCurrent

iv. Copyentirerequestfrom-----BEGIN.toREQUEST-----


4/23

4|P a g e

v. UsingyourwebbrowsergotoyourMSCertificateServerwiththeurlof

http://x.x.x.x/certsrv

vi. >Requestacertificate


5/23

5|P a g e

vii. Submitacertificaterequestbyusingabase-64-encoded.

viii. PasteinCSRinformation


6/23

6|P a g e

ix. TheCertAdminwillneedtoapprovethependingrequestviatheMSCertAuthority.YoudothisbyrightclickingonitandchoosingIssue


7/23

7|P a g e

x. Youwillnowbeabletowebsurfbacktohttp://x.x.x.x/certsrvanddownloadyourcert.YoushoulduseanamethattellsyouitistheServerCertsoyoudont

getitmixedupwithyourCACert


8/23

8|P a g e

xi. UploadtheServerCerttotheArubaController.1. CertformatisPEM2. CertTypeisServerCert


9/23

9|P a g e

b. TrustedCACerti. FromtheWindows2003servergotoStart>runandtypemmcintotherun

dialogbox.Thiswillbringupthemmcconsole.

ii. gotoFile>addsnap-in iii. AddtheCertificatesnap-inwithComputeraccount

iv. UndertheTrustedRootCertAuth.findyourCert.ThiswascreatedduringtheinstalloftheMSCertServer.

v. Rightclickonittoexportit


10/23

10|P a g e

vi. Exportwithouttheprivatekey


11/23

11|P a g e

vii. Base-64encodedX.509format.AgainnameitwithanamesothatyouknowitistheCACert.


12/23

12|P a g e

viii. UploadtheTrustedCAtotheArubaController.1. CertformatisPEM2. CertTypeisTrustedCA


13/23

13|P a g e

2. ControllerAuthenticationConfigurationa. ConfigureTLSAAAProfile

i. GotoConfiguration>Security>Authentication>Profilesii. ClickonaddatthebottomandcreateanewAAAProfile

iii. ChosetheInitialandDefaultroleyouwanttouse


14/23

14|P a g e

b. 802.1XAuthenticationProfilei. Createanew802.1xauthprofile

ii. EnableTerminationiii. EAP-Typeeap-tlsiv. InnerEAP-Typeeap-tlsv. MakesureyouApplybeforethenextstep


15/23

15|P a g e

vi. GointotheAdvancedtabvii. SelectyourCACertandyourServerCert

viii. IfyouwantacertbasedloginyouwillneedselectTLSGuestAccessandaTLSGuestRole.IfyoudonotselectthisoptionyouwillneedtotieinsometypeofAuthServer


16/23

16|P a g e

c. 802.1XAuthenticationServerGroupi. SelecttheinternalserverastheAuthServerGroup.Idontunderstandwhythisis

requiredforGuestTLSbutitis.Youdonotneedanyusernamesorpasswordsfor

GuestTLS.

3. APConfigurationa. AddTLSVirtualAPb. underConfiguration>APGroup>-addaSSIDc. FromtheAAAProfiledropdownmenuselecttheTLSprofileandapply


17/23

17|P a g e

d. GointothenewvirtualAPandedittheSSIDprofilee. AddaSSIDnamef. SelectWPAandTKIPorWPA2andAESg. Clickonsaveasatthetoprightandgiveitaname.h. Apply

Note:donoteditthedefault


18/23

18|P a g e

4. ClientConfigurationa. Fromyouclientwebsurftoyourcertserver http://x.x.x.x/certsrv b. ClickonRequestacertificate


19/23

19|P a g e

c. SelectWebBrowserCertificate


20/23

20|P a g e

d. Fillinforme. Submit


21/23

21|P a g e

i. TheCertAdminwillneedtoapprovethependingrequestviatheMSCertAuthority.YoudothisbyrightclickingonitandchoosingIssue


22/23

22|P a g e

ii. Youwillnowbeabletowebsurfbacktohttp://x.x.x.x/certsrv andinstallyourcert.


23/23

23|P a g e

Date post:	03-Apr-2018
Category:	Documents
Upload:	wonderousworld
View:	224 times
Download:	0 times

EAP TLS Termination

Documents