Presentation is loading. Please wait.

Presentation is loading. Please wait.

CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan.

Published bySeth Kellar Modified over 9 years ago

Similar presentations

Presentation on theme: "CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan."— Presentation transcript:

1 CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan

2 EAP-TLS CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

3 Certificate Requirements for EAP-TLS architecture (EAP tunnel termination on CPPM) User Certificate Root CA Cert Radius CA Cert Signing CA Cert Root CA in Trusted Root CA list

4 Certificate Requirements for EAP-TLS architecture (EAP tunnel termination on Controller) User Certificate Server Cert Trusted CA Cert Root CA Cert Signing CA Cert Root CA in Trusted Root CA list

5 SETTING UP EAP-TLS TERMINATION ON CPPM CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

6 Steps for EAP-TLS (Termination on CPPM) Creating CA & Signing CA on CPPM Configuring Controller –SSID profile –Dot1x profile –Server & Server Group –AAA profile –VAP Profile –Mapping to AP-group Configuring Device & Services in CPPM Creating CSR, Radius cert and uploading it Creating User in CPPM Creating Client Certificates Checking Access Tracker Troubleshooting from Controller

7 Creating CA & Signing CA on CPPM CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

8 Creating CA & Signing CA on CPPM CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

9 Checking CA cert info CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

10 Configuring Controller – SSID profile CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

11 Configuring Controller – Dot1x profile CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

12 Configure server info and map to server group CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

13 Mapping Dot1x, AAA & SSID profiles CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Mapping Do1x to AAA profile Mapping AAA & SSID to VAP Profile Add this VAP to the AP-group that needs this SSID.

14 Add Controller to the devices in CPPM CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

15 Creating an Enforcement Policy CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

16 Creating Enforcement Policy Rules CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved There are different ways of doing this step. In this case we are going to check, if the Certificate submitted by client for authentication has in its common name “Company_ABCD”, which is also in our list of Signing CAs.

17 Creating Service in CPPM to cater to EAP-TLS requests CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Adding ESSID name to the list of conditions to be checked to match this Service.

18 Adding necessary Authentication Methods & Sources necessary CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

19 Mapping the Enforcement Profile configured CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

20 Creating CSR for RADIUS server CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Note: Need to download 2 files. “CertSignRequest.csr” & “CertPrivKey.pkey”

21 Creating Radius server cert with corresponding CA CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

22 Uploading the Radius server cert to Server Certs CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

23 New Radius certificate seen in the Server Certs CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

24 Creating User certificates CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

25 Checking Certificates created and Exporting Client certificate CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Exporting Client Certificate with private key, secured with a Passphrase

26 Installing the Client certificate on the end device CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

27 Creating the user in the Local user database (as CN of the user will be checked in Local DB) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

28 Troubleshooting Radius Service from Controller CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Current service will not help in doing aaa test-server –As its only meant for EAP-TLS & EAP-PEAP Below addition in services can help in doing an MSChapv2 as well –Disable it post testing for stricter security compliance

29 Checking logs on CPPM for successful test authentication CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

30 Checking logs on Controller for Successful/ failed test authentication CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved (Master) #show log security 30 | include User,server,fail Aug 4 10:55:53 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=0 Aug 4 10:55:53 :124019: |authmgr| Test server response: Authentication Successful Aug 4 11:02:52 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:02:57 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=1 Aug 4 11:02:57 :124019: |authmgr| Test server response: Authentication failed Aug 4 11:05:15 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:05:20 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=1 Aug 4 11:05:20 :124019: |authmgr| Test server response: Authentication failed Aug 4 11:06:20 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:06:20 :121041: |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found. Aug 4 11:06:20 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=0 Aug 4 11:06:20 :124019: |authmgr| Test server response: Authentication Successful Aug 4 11:07:09 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:07:14 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=1 Aug 4 11:07:14 :124019: |authmgr| Test server response: Authentication failed Aug 4 11:14:50 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:14:50 :121041: |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found. Aug 4 11:14:50 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=0 Aug 4 11:14:50 :124019: |authmgr| Test server response: Authentication Successful Aug 4 11:15:56 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:15:56 :121041: |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found. Aug 4 11:15:56 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=0 Aug 4 11:15:56 :124019: |authmgr| Test server response: Authentication Successful Aug 4 11:16:36 :124011: |authmgr| Test authenticating user Employee1:****** using server Company-ABC-CPPM Aug 4 11:16:36 :121041: |authmgr| User Employee1 MAC=00:00:00:00:00:00 not found. Aug 4 11:16:36 :124004: |authmgr| Auth server 'Company-ABC-CPPM' response=0 Aug 4 11:16:36 :124019: |authmgr| Test server response: Authentication Successful

31 Download & Install Root CA Certificate to the list of Trusted CAs in the EAP-TLS client CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

32 Server Validation settings in Client CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

33 Choosing Client cert for authenticating while connecting & Successful Authentication CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

34 Checking Security logs for the EAP-TLS event CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

35 Checking logs in Access Tracker (CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

36 Client Attributes sent and Authentication Sources used CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

37 EAP-TLS WITH TERMINATION ON CONTROLLER CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

38 Create Server certificate for Controller – Generate CSR for controller

39 Generate certificate for WLAN controller using CSR CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

40 Upload the certificate to the controller as Server certificate and also the CA certs CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

41 Map the certificates to Dot1x profile and enable Termination CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

42 Configuring CPPM Service CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

43 Configuring Authentication Method for Service CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

44 Enforcement policy for Service CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

45 Ensure that you have User in the DB with the same Name as CN in the User cert CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

46 Controller Side verification – auth-tracebuf CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

47 Controller side log verification – Security logs CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

48 Checking logs in the Access Tracker (CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

49 Checking logs in the Access Tracker (CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

50 EAP-PEAP CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

51 Certificate Requirements for EAP-PEAP architecture (EAP tunnel termination on CPPM) Root CA Cert Radius CA Cert Signing CA Cert Root CA in Trusted Root CA list Username: Employee1 Password:xxxxxx

52 Certificate Requirements for EAP-PEAP architecture (EAP tunnel termination on Controller) Server Cert Trusted CA Cert Root CA Cert Signing CA Cert Root CA in Trusted Root CA list Username: Employee1 Password:xxxxxx

53 EAP-PEAP WITH TERMINATION ON CPPM CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

54 No change in controller config when compared to EAP-TLS setup (Termination on CPPM) Option disabled as termination is disabled

55 Only change in CPPM Service config when compared to EAP-TLS (Termination on CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

56 Client config for EAP-PEAP (Auth Method, Server Certificate & Trusted Root CA) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

57 Checking the steps of EAP-PEAP with termination on CPPM CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

58 Checking controller logs for EAP-PEAP authentication CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

59 Checking authentication logs at Access Tracker (CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

60 Access Tracker showing Outer and Inner EAP tunnel methods CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

61 EAP-PEAP WITH TERMINATION ON CONTROLLER CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

62 Only change from EAP-TLS (with termination on controller) in config for EAP-PEAP

63 Change in CPPM Service config (compared to EAP- TLS with termination on controller) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

64 Auth-tracebuf from controller showing steps in EAP- PEAP authentication CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

65 Checking security logs in controller for the authentication CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

66 Logs at Access Tracker (CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

67 Logs at Access Tracker (CPPM) CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

68 MISCELLANEOUS TROUBLESHOOTING TIPS CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

69 Check the service that is being used in case failed authentication In the below output for some reason its hitting wrong Service “test123”, while name of our service is “Company_ABCD-EAP-PEAP”

70 Check if right Authentication methods are configured CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved In the below output only “Mschap” was configured as the Authentication method, while actually “EAP-PEAP” was required.

71 Ensure right certificates are used at CPPM, Controller & Client CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Always ensure The certificate path is correct and right certificates are positioned in right devices. The root CA is trusted in the client device Validate the server certificate in client for mutual authentication & mention the exact CN of the Authentication server.

72 THANK YOU!!! CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved

Download ppt "CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved AOS & CPPM INTEGRATION CONFIGURATION & TESTING EAP TLS & EAP PEAP by Abilash Soundararajan."

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,

© 2009 GroundWork Open Source, Inc. PROPRIETARY INFORMATION: Information contained herein is not for use or disclosure outside of GroundWork Open Source,
CONFIDENTIAL © Copyright 2014. Aruba Networks, Inc. All rights reserved Adaptive Trust Security Policies for Today’s Enterprise Mobility Pete Ryan – ClearPass.

CONFIDENTIAL © Copyright Aruba Networks, Inc. All rights reserved Adaptive Trust Security Policies for Today’s Enterprise Mobility Pete Ryan – ClearPass.
Extending ForeFront beyond the limit www.AGATSolutions.com TMGUAG ISAIAG AG Security Suite.

Extending ForeFront beyond the limit TMGUAG ISAIAG AG Security Suite.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.

1 Objectives Wireless Access IPSec Discuss Network Access Protection Install Network Access Protection.
Intel Confidential 1 Configure PKI Web Server Certificates for each Management Controller.

Intel Confidential 1 Configure PKI Web Server Certificates for each Management Controller.
Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services.

Wireless Security without a VPN! Stirling Goetz, Microsoft Consulting Services.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP 802.3802.5802.11 802.1x EAP API.

Wireless LAN Security Framework Backend AAA Infrastructure RADIUS, TACACS+, LDAP, Kerberos TLSLEAPTTLSPEAPMD5 VPN EAP PPP x EAP API.
Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.

Remote User Authentication. Module Objectives By the end of this module participants will be able to: Describe the methods available for authenticating.
RADIUS Secured and Authenticated WiFi Robert Leahy Charles Bodman Brandon Ellis.

RADIUS Secured and Authenticated WiFi Robert Leahy Charles Bodman Brandon Ellis.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -

CSC – Tieteen tietotekniikan keskus Oy CSC – IT Center for Science Ltd. WLAN Infrastructure Monitoring and Supplicants Workshop on Wireless Belgrade -
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.

1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Windows 2003 and 802.1x Secure Wireless Deployments.

Windows 2003 and 802.1x Secure Wireless Deployments.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
1 Setting up 802.1X networks by using Internet Authentication Service.

1 Setting up 802.1X networks by using Internet Authentication Service.
OPeNDAP Hyrax Back-End Server (BES) Authentication and Authorization Patrick West

OPeNDAP Hyrax Back-End Server (BES) Authentication and Authorization Patrick West

Similar presentations

Ads by Google