CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved
AOS & CPPM INTEGRATION
CONFIGURATION & TESTING
EAP TLS & EAP PEAP
by Abilash Soundararajan
EAP-TLS
Certificate Requirements for EAP-TLS architecture (EAP tunnel termination on CPPM)
User Certificate
Root CA Cert
Radius CA Cert
Signing CA Cert
Root CA in Trusted Root CA list
Certificate Requirements for EAP-TLS architecture (EAP tunnel termination on Controller)
User Certificate
Server Cert
Trusted CA Cert
Root CA Cert
Signing CA Cert
Root CA in Trusted Root CA list
SETTING UP EAP-TLS TERMINATION ON CPPM
Steps for EAP-TLS (Termination on CPPM)
• Creating CA & Signing CA on CPPM
• Configuring Controller
  – SSID profile
  – Dot1x profile
  – Server & Server Group
  – AAA profile
  – VAP Profile
  – Mapping to AP-group
• Configuring Device & Services in CPPM
• Creating CSR, Radius cert and uploading it
• Creating User in CPPM
• Creating Client Certificates
• Checking Access Tracker
• Troubleshooting from Controller
Creating CA & Signing CA on CPPM
Checking CA cert info
Configuring Controller – SSID profile
Configuring Controller – Dot1x profile
Configure server info and map to server group
Mapping Dot1x, AAA & SSID profiles
Mapping Dot1x to AAA profile
Mapping AAA & SSID to VAP Profile
Add this VAP to the AP-group that needs this SSID.
Add Controller to the devices in CPPM
Creating an Enforcement Policy
Creating Enforcement Policy Rules
• There are different ways of doing this step.
• In this case we check whether the certificate submitted by the client for authentication has “Company_ABCD” in its common name, which is also in our list of Signing CAs.
Creating Service in CPPM to cater to EAP-TLS requests
Adding ESSID name to the list of conditions to be checked to match this Service.
Adding the necessary Authentication Methods & Sources
Mapping the Enforcement Profile configured
Creating CSR for RADIUS server
Note: Need to download 2 files. “CertSignRequest.csr” & “CertPrivKey.pkey”
Creating Radius server cert with corresponding CA
Uploading the Radius server cert to Server Certs
New Radius certificate seen in the Server Certs
Creating User certificates
Checking Certificates created and Exporting Client certificate
Exporting Client Certificate with private key, secured with a Passphrase
Installing the Client certificate on the end device
Creating the user in the Local user database (as CN of the user will be checked in Local DB)
Troubleshooting Radius Service from Controller
• Current service will not help in doing aaa test-server
  – As it's only meant for EAP-TLS & EAP-PEAP
• Below addition in services can help in doing an MSChapv2 as well
  – Disable it post testing for stricter security compliance
Checking logs on CPPM for successful test authentication
Checking logs on Controller for successful/failed test authentication
(Master) #show log security 30 | include User,server,fail
Aug 4 10:55:53 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 10:55:53 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 4 11:02:52 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:02:57 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1
Aug 4 11:02:57 :124019: <INFO> |authmgr| Test server response: Authentication failed
Aug 4 11:05:15 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:05:20 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1
Aug 4 11:05:20 :124019: <INFO> |authmgr| Test server response: Authentication failed
Aug 4 11:06:20 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:06:20 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.
Aug 4 11:06:20 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 11:06:20 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 4 11:07:09 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:07:14 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1
Aug 4 11:07:14 :124019: <INFO> |authmgr| Test server response: Authentication failed
Aug 4 11:14:50 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:14:50 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.
Aug 4 11:14:50 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 11:14:50 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 4 11:15:56 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:15:56 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.
Aug 4 11:15:56 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 11:15:56 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 4 11:16:36 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:16:36 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.
Aug 4 11:16:36 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 11:16:36 :124019: <INFO> |authmgr| Test server response: Authentication Successful
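To read the controller output above as attempts rather than as individual lines, the following added example (not part of the original slides) pairs each "Test authenticating user" request with the response code and verdict that follow it and reports the delay between them. It assumes the line layout seen in this capture; the log carries no year, so a placeholder year is used only to subtract timestamps, and all function and class names are illustrative.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Excerpt copied from the controller output shown above.
SAMPLE_LOG = """\
(Master) #show log security 30 | include User,server,fail
Aug 4 10:55:53 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 10:55:53 :124019: <INFO> |authmgr| Test server response: Authentication Successful
Aug 4 11:02:52 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:02:57 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=1
Aug 4 11:02:57 :124019: <INFO> |authmgr| Test server response: Authentication failed
Aug 4 11:06:20 :124011: <INFO> |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM
Aug 4 11:06:20 :121041: <DBUG> |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found.
Aug 4 11:06:20 :124004: <DBUG> |authmgr| Auth server 'Company-ABC-CPPM' response=0
Aug 4 11:06:20 :124019: <INFO> |authmgr| Test server response: Authentication Successful
"""

# "<Mon D HH:MM:SS> :<msgid>: <LEVEL> |<process>| <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+:(?P<msgid>\d+):\s+"
    r"<\w+>\s+\|\w+\|\s+(?P<msg>.*)$"
)
REQUEST_RE = re.compile(
    r"Test authenticating user (?P<user>[^:\s]+):\S* using server (?P<server>\S+)"
)
CODE_RE = re.compile(r"Auth server '(?P<server>[^']+)' response=(?P<code>\d+)")
VERDICT_RE = re.compile(
    r"Test server response: Authentication (?P<verdict>Successful|failed)"
)

PLACEHOLDER_YEAR = 2000  # assumption: the log has no year; used only for time deltas


@dataclass
class Attempt:
    user: Optional[str]       # None when the request line is not in the capture
    server: Optional[str]
    code: Optional[int]       # value of response= on the "Auth server" line
    verdict: str              # "Successful", "failed" or "no verdict"
    seconds: Optional[float]  # delay between request and verdict


def _timestamp(text: str) -> datetime:
    normalized = " ".join(text.split())
    return datetime.strptime(f"{PLACEHOLDER_YEAR} {normalized}", "%Y %b %d %H:%M:%S")


def parse_attempts(log_text: str) -> List[Attempt]:
    attempts: List[Attempt] = []
    pending = None       # (timestamp, user, server) of a request awaiting a verdict
    code = None          # last response code seen since the previous verdict
    server_seen = None   # server named on that response line
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # CLI prompt, blank line or wrapped fragment
        when, msg = _timestamp(match["ts"]), match["msg"]
        request = REQUEST_RE.search(msg)
        if request:
            if pending:  # earlier request never received a verdict
                attempts.append(Attempt(pending[1], pending[2], code, "no verdict", None))
            pending = (when, request["user"], request["server"])
            code, server_seen = None, None
            continue
        response = CODE_RE.search(msg)
        if response:
            code, server_seen = int(response["code"]), response["server"]
            continue
        verdict = VERDICT_RE.search(msg)
        if verdict:
            if pending:
                start, user, server = pending
                delay = (when - start).total_seconds()
            else:  # verdict whose request line fell outside the captured window
                user, server, delay = None, server_seen, None
            attempts.append(Attempt(user, server, code, verdict["verdict"], delay))
            pending, code, server_seen = None, None, None
    if pending:
        attempts.append(Attempt(pending[1], pending[2], code, "no verdict", None))
    return attempts


def summarize(attempts: List[Attempt]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for attempt in attempts:
        counts[attempt.verdict] = counts.get(attempt.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(attempt)
    print(summarize(parse_attempts(SAMPLE_LOG)))
```

On this excerpt the failed attempt returns 5 seconds after its request while the successful one returns within the same second, and the first verdict has no user because its request line is not in the captured output.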
Download & Install Root CA Certificate to the list of Trusted CAs in the EAP-TLS client
Server Validation settings in Client
Choosing Client cert for authenticating while connecting & Successful Authentication
Checking Security logs for the EAP-TLS event
Checking logs in Access Tracker (CPPM)
Client Attributes sent and Authentication Sources used
EAP-TLS WITH TERMINATION ON CONTROLLER
Create Server certificate for Controller – Generate CSR for controller
Generate certificate for WLAN controller using CSR
Upload the certificate to the controller as Server certificate and also the CA certs
Map the certificates to Dot1x profile and enable Termination
Configuring CPPM Service
Configuring Authentication Method for Service
Enforcement policy for Service
Ensure that you have User in the DB with the same Name as CN in the User cert
Controller Side verification – auth-tracebuf
Controller side log verification – Security logs
Checking logs in the Access Tracker (CPPM)
EAP-PEAP
Certificate Requirements for EAP-PEAP architecture (EAP tunnel termination on CPPM)
Root CA Cert
Radius CA Cert
Signing CA Cert
Root CA in Trusted Root CA list
Username: Employee1
Password: xxxxxx
Certificate Requirements for EAP-PEAP architecture (EAP tunnel termination on Controller)
Server Cert
Trusted CA Cert
Root CA Cert
Signing CA Cert
Root CA in Trusted Root CA list
Username: Employee1
Password: xxxxxx
EAP-PEAP WITH TERMINATION ON CPPM
No change in controller config when compared to EAP-TLS setup (Termination on CPPM)
Option disabled as termination is disabled
Only change in CPPM Service config when compared to EAP-TLS (Termination on CPPM)
Client config for EAP-PEAP (Auth Method, Server Certificate & Trusted Root CA)
Checking the steps of EAP-PEAP with termination on CPPM
Checking controller logs for EAP-PEAP authentication
Checking authentication logs at Access Tracker (CPPM)
Access Tracker showing Outer and Inner EAP tunnel methods
EAP-PEAP WITH TERMINATION ON CONTROLLER
Only change from EAP-TLS (with termination on controller) in config for EAP-PEAP
Change in CPPM Service config (compared to EAP-TLS with termination on controller)
Auth-tracebuf from controller showing steps in EAP-PEAP authentication
Checking security logs in controller for the authentication
Logs at Access Tracker (CPPM)
MISCELLANEOUS TROUBLESHOOTING TIPS
Check the service that is being used in case of failed authentication
In the below output, for some reason it's hitting the wrong Service “test123”, while the name of our service is “Company_ABCD-EAP-PEAP”
Check if right Authentication methods are configured
In the below output only “Mschap” was configured as the Authentication method, while actually “EAP-PEAP” was required.
Ensure right certificates are used at CPPM, Controller & Client
Always ensure
• The certificate path is correct and the right certificates are positioned in the right devices.
• The root CA is trusted in the client device
• Validate the server certificate in client for mutual authentication & mention the exact CN of the Authentication server.