CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

AOS & CPPM INTEGRATIONCONFIGURATION & TESTING

EAP TLS & EAP PEAP

by Abilash Soundararajan

EAP-TLS


Certificate Requirements for EAP-TLS architecture (EAP tunnel termination on CPPM)

User Certificate

Root CA Cert

Radius CA Cert

Signing CA Cert

Root CA in Trusted Root CA list

Certificate Requirements for EAP-TLS architecture (EAP tunnel termination on Controller)

User Certificate

Server Cert

Trusted CA Cert

Root CA Cert

Signing CA Cert

Root CA in Trusted Root CA list

SETTING UP EAP-TLS TERMINATION ON CPPM


Steps for EAP-TLS (Termination on CPPM)

• Creating CA & Signing CA on CPPM

• Configuring Controller– SSID profile– Dot1x profile– Server & Server Group– AAA profile– VAP Profile– Mapping to AP-group

• Configuring Device & Services in CPPM

• Creating CSR, Radius cert and uploading it

• Creating User in CPPM

• Creating Client Certificates

• Checking Access Tracker

• Troubleshooting from Controller

Creating CA & Signing CA on CPPM


Creating CA & Signing CA on CPPM


Checking CA cert info


Configuring Controller – SSID profile


Configuring Controller – Dot1x profile


Configure server info and map to server group


Mapping Dot1x, AAA & SSID profiles


Mapping Do1x to AAA profile Mapping AAA & SSID to VAP Profile

Add this VAP to the AP-group that needs this SSID.

Add Controller to the devices in CPPM


Creating an Enforcement Policy


Creating Enforcement Policy Rules


• There are different ways of doing this step.• In this case we are going to check, if the Certificate submitted by client for

authentication has in its common name “Company_ABCD”, which is also in our list of Signing CAs.

Creating Service in CPPM to cater to EAP-TLS requests


Adding ESSID name to the list of conditions to be checked to match this Service.

Adding necessary Authentication Methods & Sources necessary


Mapping the Enforcement Profile configured


Creating CSR for RADIUS server


Note: Need to download 2 files. “CertSignRequest.csr” & “CertPrivKey.pkey”

Creating Radius server cert with corresponding CA


Uploading the Radius server cert to Server Certs


New Radius certificate seen in the Server Certs


Creating User certificates


Checking Certificates created and Exporting Client certificate


Exporting Client Certificate with private key, secured with a Passphrase

Installing the Client certificate on the end device


Creating the user in the Local user database (as CN of the user will be checked in Local DB)


Troubleshooting Radius Service from Controller


• Current service will not help in doing aaa test-server – As its only meant for EAP-TLS & EAP-PEAP

• Below addition in services can help in doing an MSChapv2 as well– Disable it post testing for stricter security compliance

Checking logs on CPPM for successful test authentication


Checking logs on Controller for Successful/ failed test authentication


(Master) #show log security 30 | include User,server,failAug 4 10:55:53 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0Aug 4 10:55:53 :124019: <INFO> |authmgr| Test server response: Authentication SuccessfulAug 4 11:02:52 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:02:57 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1Aug 4 11:02:57 :124019: <INFO> |authmgr| Test server response: Authentication failedAug 4 11:05:15 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:05:20 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1Aug 4 11:05:20 :124019: <INFO> |authmgr| Test server response: Authentication failedAug 4 11:06:20 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:06:20 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.Aug 4 11:06:20 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0Aug 4 11:06:20 :124019: <INFO> |authmgr| Test server response: Authentication SuccessfulAug 4 11:07:09 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:07:14 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1Aug 4 11:07:14 :124019: <INFO> |authmgr| Test server response: Authentication failedAug 4 11:14:50 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:14:50 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.Aug 4 11:14:50 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0Aug 4 11:14:50 :124019: <INFO> |authmgr| Test server response: Authentication SuccessfulAug 4 11:15:56 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:15:56 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.Aug 4 11:15:56 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0Aug 4 11:15:56 :124019: <INFO> |authmgr| Test server response: Authentication SuccessfulAug 4 11:16:36 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPMAug 4 11:16:36 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.Aug 4 11:16:36 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0Aug 4 11:16:36 :124019: <INFO> |authmgr| Test server response: Authentication Successful

Download & Install Root CA Certificate to the list of Trusted CAs in the EAP-TLS client


Server Validation settings in Client


Choosing Client cert for authenticating while connecting & Successful Authentication


Checking Security logs for the EAP-TLS event


Checking logs in Access Tracker (CPPM)


Client Attributes sent and Authentication Sources used


EAP-TLS WITH TERMINATION ON CONTROLLER


Create Server certificate for Controller – Generate CSR for controller

Generate certificate for WLAN controller using CSR


Upload the certificate to the controller as Server certificate and also the CA certs


Map the certificates to Dot1x profile and enable Termination


Configuring CPPM Service


Configuring Authentication Method for Service


Enforcement policy for Service


Ensure that you have User in the DB with the same Name as CN in the User cert


Controller Side verification – auth-tracebuf


Controller side log verification – Security logs


Checking logs in the Access Tracker (CPPM)


Checking logs in the Access Tracker (CPPM)


EAP-PEAP


Certificate Requirements for EAP-PEAP architecture (EAP tunnel termination on CPPM)

Root CA Cert

Radius CA Cert

Signing CA CertRoot CA in Trusted Root CA list

Username: Employee1Password:xxxxxx

Certificate Requirements for EAP-PEAP architecture (EAP tunnel termination on Controller)

Server Cert

Trusted CA Cert

Root CA Cert

Signing CA CertRoot CA in Trusted Root CA list

Username: Employee1Password:xxxxxx

EAP-PEAP WITH TERMINATION ON CPPM


No change in controller config when compared to EAP-TLS setup (Termination on CPPM)

Option disabled as termination is disabled

Only change in CPPM Service config when compared to EAP-TLS (Termination on CPPM)


Client config for EAP-PEAP (Auth Method, Server Certificate & Trusted Root CA)


Checking the steps of EAP-PEAP with termination on CPPM


Checking controller logs for EAP-PEAP authentication


Checking authentication logs at Access Tracker (CPPM)


Access Tracker showing Outer and Inner EAP tunnel methods


EAP-PEAP WITH TERMINATION ON CONTROLLER


Only change from EAP-TLS (with termination on controller) in config for EAP-PEAP

Change in CPPM Service config (compared to EAP-TLS with termination on controller)


Auth-tracebuf from controller showing steps in EAP-PEAP authentication


Checking security logs in controller for the authentication


Logs at Access Tracker (CPPM)


Logs at Access Tracker (CPPM)


MISCELLANEOUS TROUBLESHOOTING TIPS


Check the service that is being used in case failed authentication

In the below output for some reason its hitting wrong Service “test123”, while name of our service is “Company_ABCD-EAP-PEAP”

Check if right Authentication methods are configured


In the below output only “Mschap” was configured as the Authentication method, while actually “EAP-PEAP” was required.

Ensure right certificates are used at CPPM, Controller & Client


Always ensure • The certificate path is correct and

right certificates are positioned in right devices.

• The root CA is trusted in the client device

• Validate the server certificate in client for mutual authentication & mention the exact CN of the Authentication server.

THANK YOU!!!


Documents

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan