Certificate authentication

  • Question
  • Updated 4 years ago
  • Answered
I have a customer who wishes to deploy 300 units of BR100. Please advise me how I can go about configuring the network policies for the BR100 to use certificate authentication only with a Microsoft Radius Server.

Steven Sou

Posted 4 years ago

Carsten Buchenau, Champ

You have to change the running mode from Router to Access Point. After that, you can configure your network policy the same way as you would do for any other model.

In brief:
- Create an SSID profile using 802.1x (Enterprise)
- Configure the AAA client settings to use your Radius server
- Assign a default user profile

Anything else should be up to your Radius server:
- To have a proper certificate whose chain is trusted by all clients (especially Windows)
- To configure the network access policy as you want it, e.g. for PEAP using MSCHAPv2 or whatever you want/need
- To link to your user directory (AD, I assume?)
- To add rules to match on user groups to allow only certain machines / users to authenticate, if desired

Sjoerd de Jong, Employee

Are these units used as branch routers (to set up an IPsec tunnel to the CVG), or as APs?

You are able to use 802.1x in both situations. In branch routing mode, configure an SSID, RADIUS server and profile, make sure your RADIUS server accepts requests from the management network subnet of the branch routers (for example 172.17.0.0/16), and set the network where the RADIUS server resides as an internal network in the CVG config, so the BRs will tunnel the requests to your internal network. Do make sure that in your internal network, the traffic for your branch routers' management network will be routed to the CVG, so it will be able to reach the branch routers again.

If the BR100s are used as APs, I am really curious about the case and why the choice for BR100s was made. I would like to advise you to take an Aerohive ACWA, ACWP and/or ACNP training (depending on your goal) before you start to roll out this customer. They will cover pretty much all possible situations.