The procedure assumes that you have setup ClearPass already for EAP-TLS, and it will use ClearPass Onboard to generate a client certificate.
What makes the certificate used by Aruba User Experience Insight different is that the RADIUS cert and its root CA has to be included in the pkcs#12 file that is imported into dashboard. If you just add a certificate, without the server cert and CA, authentication will fail with the Alert message: client: unknown_ca
Generate the Certificate
- First make sure that the username you want to use is available in the authentication backend (like AD, local user database), so authorization works.
- From the ClearPass Guest/Onboard interface, go in: Onboard » Management and Control » View by Certificate.
- Select: Generate a new certificate signing request.
- Certificate type: TLS Client Certificate, fill in the mandatory fields, fill in the username you created (or want to use) in the Common name field and in the User name field under subject alternative name.
- Select the option to immediately issue the certificate and fill the lifetime in days for the certificate.
- Now look up the certificate in the list (still View by certificate), click the line to reveal the export option and export the certificate.
- Select the P12 format, include the trust chain and pick a nice passphrase.
Export the RADIUS certificate
- Go in Policymanager to Administration » Certificates » Certificate Store.
- Find the RADIUS/EAP Server certificate and export it. Again pick a passphrase to protect the key (which we don't need in the end and will ignore later).
In the next steps we will get the key and certificate from the client certificate, get the RADIUS cert and chain, and put all together in a single .p12 file.
You will need openssl for this, and if on Mac or Linux can use the following commands:
In the first command, you need to enter the passphrase that you set during the export in Onboard. In the second command, you first type the same passphrase for the Onboard export then you type a password to protect the private key (which you will use again in step 4) In the third command, you type the passphrase used during the RADIUS cert export. In the fourth command, you first enter the password for the private key as set in step 2, then the export password for your .p12.
Import the Cape-New.p12 into your sensor
- In the Dashboard go into settings, WiFi, then add or modify a SSID.
- Select Enterprise Security and Certificate authentication.
- In identity fill in the (authentication backend) username that you will use for the sensor (see the first step under generate certificate)
- Select the cape-new.p12 and enter the passphrase.
That should do it. Add the network to one of your sensor and authentication should succeed.
Open SSL Commands in a script
On Mac or Linux, the following script may help: