Aos & cppm integration & testing document for eap tls & eap peap

AOS & CPPM INTEGRATION
CONFIGURATION & TESTING
EAP TLS & EAP PEAP
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
by
Abilash Soundararajan

EAP-TLS

Certificate Requirements for EAP-TLS architecture
(EAP tunnel termination on CPPM)
User Certificate
Root CA Cert
Signing CA Cert
Radius CA Cert
Root CA in Trusted
Root CA list

Certificate Requirements for EAP-TLS architecture
(EAP tunnel termination on Controller)
User Certificate
Server Cert
Trusted CA Cert
Root CA Cert
Signing CA Cert
Root CA in Trusted
Root CA list

SETTING UP EAP-TLS
TERMINATION ON CPPM

Steps for EAP-TLS (Termination on CPPM)
• Creating CA & Signing CA on CPPM
• Configuring Controller
– SSID profile
– Dot1x profile
– Server & Server Group
– AAA profile
– VAP Profile
–Mapping to AP-group
• Configuring Device & Services in CPPM
• Creating CSR, Radius cert and uploading it
• Creating User in CPPM
• Creating Client Certificates
• Checking Access Tracker
• Troubleshooting from Controller

Creating CA & Signing CA on CPPM

Checking CA cert info

Configuring Controller – SSID profile

Configuring Controller – Dot1x profile

Configure server info and map to server group

Mapping Dot1x, AAA & SSID profiles
Mapping Do1x to AAA profile Mapping AAA & SSID to VAP Profile
Add this VAP to the AP-group that needs this SSID.

Add Controller to the devices in CPPM

Creating an Enforcement Policy

Creating Enforcement Policy Rules
• There are different ways of doing this step.
• In this case we are going to check, if the Certificate submitted by client for
authentication has in its common name “Company_ABCD”, which is also in our
list of Signing CAs.

Creating Service in CPPM to cater to EAP-TLS
requests
Adding ESSID name to the list of conditions to be checked
to match this Service.

Adding necessary Authentication Methods &
Sources necessary

Mapping the Enforcement Profile configured

Creating CSR for RADIUS server
Note: Need to download 2 files. “CertSignRequest.csr” & “CertPrivKey.pkey”

Creating Radius server cert with corresponding CA

Uploading the Radius server cert to Server Certs

New Radius certificate seen in the Server Certs

Creating User certificates

Checking Certificates created and Exporting Client
certificate
Exporting Client Certificate with private key, secured with a Passphrase

Installing the Client certificate on the end device

Creating the user in the Local user database (as CN
of the user will be checked in Local DB)

Troubleshooting Radius Service from Controller
• Current service will not help in doing aaa test-server
– As its only meant for EAP-TLS & EAP-PEAP
• Below addition in services can help in doing an MSChapv2 as well
– Disable it post testing for stricter security compliance

Checking logs on CPPM for successful test
authentication

Checking logs on Controller for Successful/ failed
test authentication
(Master) #show log security 30 | include User,server,fail
Aug 4 10:55:53 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 10:55:53 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 4 11:02:52 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:02:57 :124019: <INFO> |authmgr| Test server response: Authentication failed
Aug 4 11:06:20 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.

Download & Install Root CA Certificate to the list of
Trusted CAs in the EAP-TLS client

Server Validation settings in Client

Choosing Client cert for authenticating while
connecting & Successful Authentication

Checking Security logs for the EAP-TLS event

Checking logs in Access Tracker (CPPM)

Client Attributes sent and Authentication Sources
used

EAP-TLS WITH TERMINATION
ON CONTROLLER

Create Server certificate for Controller – Generate
CSR for controller

Generate certificate for WLAN controller using CSR

Upload the certificate to the controller as Server
certificate and also the CA certs

Map the certificates to Dot1x profile and enable
Termination

Configuring CPPM Service

Configuring Authentication Method for Service

Enforcement policy for Service

Ensure that you have User in the DB with the same
Name as CN in the User cert

Controller Side verification – auth-tracebuf

Controller side log verification – Security logs

Checking logs in the Access Tracker (CPPM)

EAP-PEAP

Certificate Requirements for EAP-PEAP architecture
(EAP tunnel termination on CPPM)
Root CA Cert
Username: Employee1
Password:xxxxxx
Root CA in Trusted Signing CA Cert
Radius CA Cert
Root CA list

Certificate Requirements for EAP-PEAP architecture
(EAP tunnel termination on Controller)
Server Cert
Trusted CA Cert
Root CA Cert
Username: Employee1
Password:xxxxxx
Root CA in Trusted Signing CA Cert
Root CA list

EAP-PEAP WITH
TERMINATION ON CPPM

No change in controller config when compared to
EAP-TLS setup (Termination on CPPM)
Option disabled as termination is disabled

Only change in CPPM Service config when compared
to EAP-TLS (Termination on CPPM)

Client config for EAP-PEAP (Auth Method, Server
Certificate & Trusted Root CA)

Checking the steps of EAP-PEAP with termination
on CPPM

Checking controller logs for EAP-PEAP
authentication

Checking authentication logs at Access Tracker
(CPPM)

Access Tracker showing Outer and Inner EAP
tunnel methods

EAP-PEAP WITH TERMINATION ON
CONTROLLER

Only change from EAP-TLS (with termination on
controller) in config for EAP-PEAP

Change in CPPM Service config (compared to EAP-TLS
with termination on controller)

Auth-tracebuf from controller showing steps in EAP-PEAP
authentication

Checking security logs in controller for the
authentication

Logs at Access Tracker (CPPM)

MISCELLANEOUS
TROUBLESHOOTING TIPS

Check the service that is being used in case failed
authentication
In the below output for some reason its hitting wrong Service “test123”, while
name of our service is “Company_ABCD-EAP-PEAP”

Check if right Authentication methods are configured
In the below output only “Mschap” was configured as the Authentication method,
while actually “EAP-PEAP” was required.

Ensure right certificates are used at CPPM,
Controller & Client
Always ensure
• The certificate path is correct and
right certificates are positioned in
right devices.
• The root CA is trusted in the client
device
• Validate the server certificate in client
for mutual authentication & mention
the exact CN of the Authentication
server.

THANK YOU!!!

Aos & cppm integration & testing document for eap tls & eap peap

More Related Content

What's hot

Viewers also liked

Similar to Aos & cppm integration & testing document for eap tls & eap peap

Recently uploaded

Aos & cppm integration & testing document for eap tls & eap peap