Integrating EAP-TLS Authentication with Aruba Access Points

Introduction

On this webpage, we will demonstrate the process of integrating SecureW2’s PKI, RADIUS, and Device Onboarding/Certificate Enrollment software with Aruba Access Points, resulting in the implementation of EAP-TLS authentication using certificates.

With SecureW2, you can effortlessly configure EAP-TLS for any 802.1x Wi-Fi infrastructure. The transition from credential-based to certificate-based authentication has been made incredibly simple, with numerous customers completing the configuration in less than a couple of hours.

If you are interested in setting up MAC-based RADIUS Authentication, you can find the relevant instructions and resources at the following link: How to integrate MAC based RADIUS Authentication with Aruba IAP

Configuring the SecureW2 PKI and RADIUS Server

To configure a Network Profile for wireless, perform the following steps.

  1. Log in to the JoinNow Management Portal.
  2. Navigate to Device Onboarding > Getting Started.
  3. On the Quickstart Network Profile generator page, from the Profile Type drop-down list, select Wireless.
  4. In the SSID field, type the name of a profile.
  5. From the Security Type drop-down list, select WPA2-Enterprise.
  6. From the EAP Method drop-down list, select EAP-TLS.
  7. From the Policy drop-down field, retain DEFAULT.
  8. From the Wireless Vendor drop-down list, select Aruba Networks.
  9. From the RADIUS Vendor drop-down list, select a RADIUS vendor.
  10. Click Create.

After the wizard has finished running, everything required for EAP-TLS is generated: the Root and Intermediate CAs, a CRL, a RADIUS server, and a landing page where users can download the appropriate client and self-service enroll and configure their devices for a certificate.

Aruba IAP Configuration for a Secure Wi-Fi Network

Prerequisite

Follow the steps below to retrieve the SecureW2 RADIUS server's information:

  1. Log in to the JoinNow Management Portal.
  2. Navigate to RADIUS > RADIUS Configuration.
  3. Copy the Primary IP Address of your subscribed region to your console.

If you are not using the SecureW2 RADIUS and you'd like more information about how to integrate SecureW2 PKI with your existing RADIUS server, head over to our RADIUS Solutions page. You will find guides on how to integrate our PKI with nearly every RADIUS server vendor.

Setting Up the Secure SSID

  1. Log in to the Aruba portal.
  2. On the left pane, navigate to Configuration > WLAN.
  3. Click the + icon to add a new WLAN.
  4. On the General tab:
    1. In the Name (ssid) field, enter a name for the SSID.
    2. For Primary usage, select the Employee option.
    3. From the Select AP Groups drop-down list, select an option. According to the option, the Broadcast on list is displayed. Select the default option.
    4. From the Forwarding Mode drop-down list, select an option for client traffic.
  5. Click Next.
  6. On the VLANs tab, select your VLAN ID.
  7. Click Next.
  8. On the Security tab:
    1. Ensure that the dial is at Enterprise (default value).
    2. From the Key management drop-down list, select WPA-2 Enterprise.
    3. In the Auth servers section, click +.
    4. Select the RADIUS server you wish to connect to and click OK.
    5. Repeat steps a-c to add additional servers.
  9. Click Next.
  10. On the Access tab:
    1. From the Default role drop-down list, select an option.
  11. Click Finish. The new SSID appears in the WLANs section.

To test the configuration, complete the onboarding process and enroll for secure network access. Then, in the JoinNow Management Portal, navigate to Data and Monitoring > RADIUS Events to display the RADIUS event logs. For a successful configuration, RADIUS Reply is ACCESS_ACCEPT.

The RADIUS server is now configured to authenticate users to connect to the secure SSID.

Configuring the RADIUS Server with Aruba IAP

  1. Log in to the Aruba portal.
  2. Navigate to Configuration > Authentication.
  3. Click the Auth Servers tab.
  4. Click +.
  5. On the displayed page, in the Name field, enter a name.
  6. Click Submit.
  7. From the Server Group section, click the group you just created.
  8. Below the Server Group section, click the + sign to add server details.
  9. Select the Add new server option.
  10. In the Name field, enter a name for the server.
  11. In the IP address / hostname field, enter the RADIUS IP address that you obtain from the JoinNow Management Portal.
  12. From the Type drop-down list, select RADIUS.
  13. Click Submit.

Configuring the Onboarding SSID

  1. Log in to the Aruba portal.
  2. On the left pane, navigate to Configuration > WLANs.
  3. Click the + icon to add a new WLAN.
  4. On the General tab:
    1. In the Name (ssid) field, enter a name for the SSID.
    2. For Primary usage, select the Guest option.
    3. From the Select AP Groups drop-down list, select an option. According to the option, the Broadcast on list is displayed. Select the default option.
    4. From the Forwarding Mode drop-down list, select an option for client traffic.
  5. Click Next.
  6. On the VLANs tab, select your VLAN ID.
  7. Click Next.
  8. On the Security tab:
    1. Select ClearPass or other external captive portal.
    2. In the Captive Portal Options section, in the Auth servers field, click +.
    3. In the Add Existing Server pop-up window, click + and add the following details:
      • Select the RADIUS radio button.
      • In the Name field, enter the name of the RADIUS server.
      • In the IP address field, enter the RADIUS IP address that you obtain from the JoinNow Management Portal.
      • In the Auth Port field, enter the RADIUS port value that you obtain from the JoinNow Management Portal.
      • In the Accounting port field, enter the RADIUS port value that you obtain from the JoinNow Management Portal.
      • In the Shared Key field, enter the shared secret value that you obtain from the JoinNow Management Portal.
      • In the Timeout field, enter the RADIUS timeout value.
      • Click Submit.
    4. In the CPPM host field, enter https://captiveportal.securew2.com
    5. In the CPPM page field, enter v1/public/{orgid}/{profilename}

      Note: For example, if the network profile to onboard users is https://cloud.securew2.com/public/123456/eduroam, the CPPM Page will be v1/public/123456/eduroam.

    6. Click Next.
  9. In the Access section, select the default guest role.
  10. Click Finish.
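
The CPPM host and CPPM page values in the captive portal steps above are easy to mistype, so the following added example (not SecureW2 or Aruba code) derives both fields from a network profile landing-page URL and rejects malformed input. The function name `cppm_fields` is hypothetical, and the path shape `/public/{orgid}/{profilename}` is assumed from the note in the steps above.

```python
from urllib.parse import urlsplit

# CPPM host value given in the guide.
CPPM_HOST = "https://captiveportal.securew2.com"


def cppm_fields(landing_url: str) -> tuple[str, str]:
    """Return (CPPM host, CPPM page) for a network profile landing-page URL."""
    # Copy/paste often leaves stray whitespace inside the URL; remove it.
    cleaned = "".join(landing_url.split())
    parts = urlsplit(cleaned)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("landing page must be a full https:// URL")

    segments = [s for s in parts.path.split("/") if s]
    # Path shape assumed from the guide's note: /public/{orgid}/{profilename}
    if len(segments) != 3 or segments[0] != "public":
        raise ValueError("expected path /public/{orgid}/{profilename}")

    _, org_id, profile = segments
    if "{" in org_id or "{" in profile:
        raise ValueError("template placeholder was left unfilled")

    # The CPPM page field takes a relative path with no leading slash.
    return CPPM_HOST, f"v1/public/{org_id}/{profile}"


if __name__ == "__main__":
    # Constructed sample input, using the URL from the guide's note.
    host, page = cppm_fields("https://cloud.securew2.com/public/123456/eduroam")
    print("CPPM host:", host)
    print("CPPM page:", page)
```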
