Server Certificates and APs functioning as RADIUS servers

  • Question
  • Updated 5 years ago
  • Answered

I am attempting to generate Server and HM CA certs; however, as I have multiple APs functioning as Primary and Backup RADIUS servers (connected to LDAP server), I'm not sure of the workflow around assigning the Server CSR to each AP.

I am following the instructions from the Advanced PPT slides, and then noticed in the online help the Server CSR Common Name must be the AP IP address functioning as the RADIUS server. This got me past a warning msg!

My setup has 5 APs (soon to be 7), of which 1 is Primary, and 2 as backup RADIUS – this is all defined in the single Device AAA Server Setting called Windley-LDAP-Server (see below), and “Windley-LDAP”

I’m not sure if having a single AAA Server Setting then causes problems when uploading the config, as the Server CSR is linked to a specific AP IP address, i.e. the Recp_ one above. Then when I upload the config to the Recp_ AP it’s all good, but the other RADIUS functioning APs complain because their assigned “Windley-LDAP-Server” AAA setting now doesn't match.
I thought I would get around this by then modifying the Server CSR for the other 2 APs, Library and R12, i.e. use their static IP as the Common Name of the Server CSR. Then just upload the Server Cert and Key File to the appropriate RADIUS AP. But all I seem to be doing is overriding the “Windley-LDAP-Server” setting with the last change, causing the RADIUS APs to think their config now differs.

I think my questions are:
Do I need to have a different “AAA Server Setting” name for every AP that functions as a RADIUS server – and then assign this to each AP under Monitor-Modify each AP, or have I missed the point here? As this only started causing problems when I attempted to create a new set of Certificates – perhaps leaving the Default ones was what I should have done?
Is there a way to remove all the certificates so that I can revert back to the Default ones?

I’m a bit confused as the "AAA Client setting" assigns all three APs as RADIUS servers in one go, e.g. Primary, Backup1 and 2. Or should I also create 3 unique AAA Client Settings, rotating the Primary for each AP?
Perhaps I only need to generate the Server CSR for the Primary RADIUS AP and leave the others as they are?

Below shows the list of APs, with 3 functioning as RADIUS servers

Jason Hills

Posted 5 years ago

Scott M., Sr. Support Engineer

Hello Jason,

We will certainly help you with this matter. However, as this is a complicated matter, I recommend this situation be handled via a support case.

If you are in the United States, you can open a support case by calling 866-365-9918.

If you are outside the United States, please call your service provider.


Scott Myron