Certificate requirement for Client Management with External RADIUS server

  • Question
  • Updated 4 years ago
  • Answered
I am using Microsoft NPS as an external RADIUS server. I need to authenticate non-Windows mobile devices (Android/iOS tablets) on the wireless. I was told that Aerohive's "Client Management" solution is straightforward for this purpose.

One of the required steps is to import Aerohive certificates into the third party RADIUS server.

Is there a documented procedure (step-by-step) to import Aerohive Certificates into Microsoft NPS?

Regards,
mag007


Posted 4 years ago

John Hanay

We do have a documented procedure for using Microsoft NPS with Client Management. The Help system is being updated, but if you want, I can send you the instructions, since I cannot post the PDF to this message.
mag007

Thanks for the PDF, John. However, I am a bit lost on one of the slide notes. It says that if the customer has his own server certificate in NPS, the customer can skip the step of importing the CM server certificate.

Now, we do have our own private CA and have a certificate for the NPS server, so I assume we do not need the CM server certificate on the NPS. However, we are trying to perform EAP-TLS, which requires client-side certificates as well. Does the Aerohive CA provide the client certificates in this case?
John Hanay

From the developer...
For the EAP-TLS case, all client certificates will be issued and signed by the Aerohive CM CA. If this customer has their own private CA and NPS server certificates, to make sure EAP-TLS can work, they need to import the CM CA certificate (step 3) into NPS as a trusted one. There is no need to import the CM server certificate, because they already have one in NPS.
mag007

Do we still need to have PEAP enabled on the NPS policy as one of the authentication types?

I saw an online Client Management document, and it seems that initially the clients connect to the wireless using PEAP, and then, after certificates are downloaded from the CM CA, subsequent connections use EAP-TLS.
(Ref: http://www.aerohive.com/330000/docs/help/english/6.1r3/cm/Content/ref/802_1X.htm)

Please correct me if it is the case or if I am mixing two different things here.

Thanks.
John Hanay

You are correct. Clients initially authenticate using PEAP, and once the MDM Enrollment Profile and Wi-Fi Config Profile are installed onto the device, along with the certificate, the device will disconnect and re-authenticate using EAP-TLS. So I believe NPS will need to be configured to support both PEAP and EAP-TLS.
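To make the trust requirement from this thread concrete, here is an added example (not from the thread, not Aerohive's code) that models the certificate check the RADIUS server performs in the second phase with openssl: the NPS server certificate comes from the customer's private CA, the tablet's EAP-TLS client certificate from a separate CM CA, and the client certificate is only accepted once that CM CA certificate is in the trusted store (the "step 3" import above). All CAs, names and files are constructed for the demo.

```shell
# Models the trust decision NPS makes in the two-phase flow above: the NPS
# server certificate comes from the customer's private CA, the tablet's EAP-TLS
# client certificate from the separate CM CA, and the client certificate is only
# accepted once the CM CA certificate is in the trusted store (step 3).
# Every CA, name and file here is constructed for this demo; none is Aerohive's.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Self-contained OpenSSL config so the demo does not depend on the system one
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# Self-signed CA: $1 = file prefix, $2 = subject CN
mk_ca() {
  openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}
# Leaf signed by a CA: $1 = CA prefix, $2 = leaf prefix, $3 = CN,
# $4 = extendedKeyUsage (serverAuth for NPS, clientAuth for the tablet)
issue() {
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$4" > "$2.ext"
  openssl req -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$2.ext" -out "$2.crt" >/dev/null 2>&1
}
# Validate like the RADIUS server would: $1 = cert, $2 = purpose (sslclient for
# an EAP-TLS peer, sslserver for the NPS cert), rest = CA certs in the trusted
# store. Exit status 0 means the certificate would be accepted.
trusts() {
  cert=$1; purpose=$2; shift 2
  cat "$@" > store.pem
  openssl verify -purpose "$purpose" -CAfile store.pem "$cert" >/dev/null 2>&1
}
mk_ca private_ca "Customer Private CA (demo)"
mk_ca cm_ca "CM CA (demo)"
issue private_ca nps "nps.example.test" serverAuth
issue cm_ca tablet "tablet-01" clientAuth
report() { label=$1; shift
  if trusts "$@"; then echo "ACCEPTED: $label"; else echo "REJECTED: $label"; fi; }
report "NPS cert, private CA trusted"                  nps.crt sslserver private_ca.crt
report "tablet cert, private CA only (step 3 skipped)" tablet.crt sslclient private_ca.crt
report "tablet cert, private CA + CM CA trusted"       tablet.crt sslclient private_ca.crt cm_ca.crt
report "NPS cert presented as a client cert"           nps.crt sslclient private_ca.crt
```

The second line of output is what an EAP-TLS failure looks like when the CM CA certificate was never imported, and the last line shows that the server certificate's EKU does not make it usable as a client certificate.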
mag007

Thanks, John. It would be great if you could send the documentation.
Paul Sellers

Hi John,

I can't find this information in the help files and would also appreciate a copy of the PDF file that outlines this procedure.

Thanks,

Paul