
Topic: Subordinate CA trustpoint?


ajohnson (Jr. Member, Posts: 43)
Subordinate CA trustpoint?
« on: June 20, 2016, 03:47:18 PM »
I've been trying to set up an additional SSID with AD authentication enabled on it, and I've run into a little snag. In the section where I have to import my CA so I can sign the CSR, we have both a Root-CA, which is left turned off, and a Subordinate-Enterprise CA that we use to actually issue certificates.

I tried copying the Root Cert off my machine and importing it into our RFS7000, which went fine, but when I process the CSR using the subordinate CA and try to import the resulting certificate, I get "Error - server certificate does not match corresponding private key".

At this point, I'd assume I need to add the Sub-CA as an additional trustpoint; however, the RFS gives an "Error - Invalid CA certificate signature" when I try to import its certificate as a CA.

Am I missing something?
Thanks,
Aaron


ajohnson (Jr. Member, Posts: 43)
Re: Subordinate CA trustpoint?
« Reply #1 on: June 22, 2016, 08:32:18 PM »
Minor update: I was able to use openssl.exe to take the certificate chain .p7b file from the subordinate CA (which contains the root CA) and convert it to ".pem" or base-64 format, which is what the RFS wants. That let me import the entire thing as a trustpoint successfully, and it seemed to work, letting me import the signed certificate for the RFS7000.

I say it "seemed" to work because I still can't seem to get either RADIUS or LDAP working. If I configure the SSID to point at my NPS/RADIUS server, I get traffic from the RFS, but the client says "invalid username/password". The NPS has a "Negotiation Failed. No available EAP methods" in its event log. Wireshark shows definite traffic from the RFS every time I try, so that's good.

If I change to full LDAP, following the "How to Active Directory Authentication" guide, the client still says invalid username/password, but I never see any traffic hitting my LDAP/domain controller using Wireshark.
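As an added example (not the poster's own commands), the shell script below reproduces the trustpoint workflow from this reply with a constructed root CA and subordinate CA: it exports the CA chain as a .p7b, converts it to PEM the way the RFS wants, and then runs the two checks behind the errors reported in this thread (does the issued certificate chain to the trustpoint, and does it match the private key that produced the CSR). All names, hostnames and file names are made up; only openssl is required.

```shell
#!/bin/sh
# Constructed demo: root CA -> subordinate CA -> server certificate,
# CA chain bundled as PKCS#7 (.p7b) as a Windows CA exports it,
# converted to PEM, then verified. Everything here is made up.
set -e
W=$(mktemp -d); cd "$W"

# Root CA (kept offline in the thread) and the issuing subordinate CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
  -keyout sub.key -out sub.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -extfile sub.ext -out sub.crt 2>/dev/null

# Server key and CSR (what the controller generates), signed by the sub CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=rfs7000.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 30 -out server.crt 2>/dev/null

# Export the CA chain as PKCS#7 (.p7b), then convert it to PEM for import.
openssl crl2pkcs7 -nocrl -certfile sub.crt -certfile root.crt -out chain.p7b
openssl pkcs7 -in chain.p7b -print_certs -out chain.pem

# Check 1: does the issued certificate chain to the PEM trustpoint bundle?
verify_chain() { openssl verify -CAfile chain.pem server.crt >/dev/null 2>&1; }

# Check 2: does the certificate's public key match the given private key?
# A mismatch here is what "certificate does not match private key" means.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

verify_chain && echo "chain verifies against trustpoint"
key_matches server.crt server.key && echo "server cert matches server key"
```

Importing only root.crt as the trustpoint would make the chain check fail, which is the situation the first post describes; the PEM bundle with both CA certificates is what lets verify_chain succeed.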

ajohnson (Jr. Member, Posts: 43)
Re: Subordinate CA trustpoint?
« Reply #2 on: June 23, 2016, 08:30:43 PM »
Finally got this working. I ran across this video: https://www.youtube.com/watch?v=ubutBej82JE on implementing PEAP-MSCHAPv2 with a Vx9000 virtual controller and external LDAP. Very similar to what I'm doing. In watching the video I realized that I had not applied the RADIUS server policy to the RFS under services. I had done so for the access points in their Profile but didn't think about the RFS for some reason. After that I started seeing packets on my LDAP server, but it still didn't work.

There was another step he did that is not in the "How To" guide, which was to add an LDAP agent entry within that RADIUS server policy (services->radius->server policy). This causes the RFS to appear in AD, so the agent user apparently has to have sufficient rights to do so, but other than that, it seems ok. This still didn't seem to fix everything until I set the authentication type on the agent to TTLS-MS-CHAPv2, but now it's working.