On Oct 20, 2011, at 7:51 AM, Osborne, Bruce W wrote:

> If you are terminating EAP on the Aruba controller, I believe you are
> correct. If you terminate EAP on the RADIUS server, you can use 2048 bit
> certs with the Aruba controller. That's what we are currently doing with
> 3.4.x.
Yes, you are correct. We didn't want to give up controller EAP termination (may as well use the crypto hardware...), and since we still had to establish manual trust, rolling our own cert wasn't a big deal.

> For a Microsoft NPS server with a Microsoft CA, you need to use the RAS and
> IAS Server Template on the CA for the PEAP certificate.

We configured the "magic oids" for windows by adding the following to our openssl config:

--------------------- snip -------------------------
[ new_oids ]
# jhealy: Windows OIDs for Wireless auth
# (id-kp-clientAuth and id-kp-serverAuth, the RFC 5280 extended key usage OIDs)
clientAuth = 1.3.6.1.5.5.7.3.2
serverAuth = 1.3.6.1.5.5.7.3.1

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
--------------------- snip -------------------------

We then generated a self-signed cert from there. I have bash scripts that roll this all up if anyone is interested.

I'm assuming that in a "real" windows environment you would sign the cert with an authority that is trusted by the computers in your domain (so you don't have to manually set trust on the client). We didn't bother since we don't really have Windows machines.

Probably we only needed "serverAuth", since we're not doing mutual authentication. However, I was in a hurry to get this going for start of school, and this works... ;-)

Jason

--
Jason Healy | [email protected] | http://www.logn.net/

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
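The procedure Jason describes (an OpenSSL config carrying the EKU extensions, then a self-signed cert from it), rolled into one POSIX shell script as an added example. This is not Jason's script and not code from the original post. It assumes openssl on PATH; the file names, the function names and the CN radius.example.edu are made up. It goes one step beyond the post by taking the EKU list as a parameter, so the serverAuth-only variant he mentions can be produced and checked the same way, and by decoding the result so you can confirm which extensions actually landed in the certificate before handing it to the controller.

```shell
#!/bin/sh
# Added example: roll a self-signed PEAP server certificate with the
# serverAuth/clientAuth extended key usage, then inspect what ended up in it.
# Assumptions (not from the original post): openssl is on PATH; output file
# names, function names and the CN used below are hypothetical.

# make_peap_cert OUTDIR CN EKU-LIST
#   OUTDIR   directory to write openssl.cnf, peap.key and peap.crt into
#   CN       subject CN the supplicants will see (hypothetical value in usage)
#   EKU-LIST OpenSSL EKU names, e.g. "serverAuth" or "serverAuth, clientAuth"
make_peap_cert() {
    outdir=$1
    cn=$2
    eku=$3
    mkdir -p "$outdir"
    # OpenSSL already knows serverAuth/clientAuth by name, so no new_oids
    # section is needed; v3_req mirrors the extensions from the post.
    cat > "$outdir/openssl.cnf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_req
prompt             = no

[ req_dn ]
CN = $cn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
EOF
    # 2048-bit RSA key and a one-year self-signed cert in a single step;
    # -extensions v3_req makes sure the section above is applied to the cert
    # and not only to a CSR.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$outdir/openssl.cnf" -extensions v3_req \
        -keyout "$outdir/peap.key" -out "$outdir/peap.crt" 2>/dev/null
}

# Decoded certificate, as printed by openssl x509 -text.
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Succeeds (exit 0) if the certificate's EKU extension lists the given
# purpose, using the names openssl prints, e.g. "TLS Web Server Authentication".
cert_has_eku() {
    cert_text "$1" | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# Succeeds if the certificate is marked as an end-entity cert (CA:FALSE).
cert_is_end_entity() {
    cert_text "$1" | grep -q 'CA:FALSE'
}

# Usage: sh this_script.sh run
#   writes out/peap.key and out/peap.crt and shows the extensions that were set.
if [ "${1:-}" = "run" ]; then
    make_peap_cert out radius.example.edu "serverAuth, clientAuth"
    cert_text out/peap.crt | grep -A1 -E 'Basic Constraints|Key Usage'
fi
```

Run it once with both EKUs and once with "serverAuth" alone and compare the decoded output: the RADIUS/PEAP side only ever needs TLS Web Server Authentication, while the clientAuth value is only there because the template in the post carried both. Checking the decoded cert is the cheap way to catch a config where the extensions were written into the CSR but never copied into the issued certificate.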
