Aruba Instant & Cloud Wi-Fi

Contributor I
Posts: 32
Registered: ‎08-21-2012

ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

With the recently emailed advisory regarding securelogin.arubanetworks.com, if the IAP Guest WLAN is only configured for INTERNAL – ACKNOWLEDGED, do I need to be concerned about this/will the revoked certificate cause an issue for guests using this configuration?

Thank you.

Guru Elite
Posts: 20,591
Registered: ‎03-29-2007

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Yes.  If the guest browser is configured to detect a revoked certificate, it might not let the user connect.



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 32
Registered: ‎08-21-2012

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Thanks for the prompt reply Colin.  If this is indeed the case, what’s the best way to resolve this as I see no reason to have an SSL certificate if I’m not securing anything.

New Contributor
Posts: 4
Registered: ‎07-24-2013

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

If you have a captive portal, then you are securing the connection between the client web browser and the portal.  This needs to be encrypted; you can use a self-signed certificate, but this may still cause the browser to throw up an error as it would be untrusted by the browser.

Contributor I
Posts: 32
Registered: ‎08-21-2012

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

I see—shame considering SSL is really not required here.  Does my certificate need to be for securelogin.example.com or will any host work?  If the former, is there a way to change this?  There is little documentation here, at least as it specifically relates to IAP, and this covers http://community.arubanetworks.com/t5/Wireless-Access/Certificate-quot-securelogin-arubanetworks-com-quot/td-p/239148 as well.  Also, do I need to reboot everything or will this Just Work once the new certificate is uploaded?  Thank you.

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

We just posted a few FAQs:
https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Contributor I
Posts: 32
Registered: ‎08-21-2012

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Thanks for the prompt reply Tim.  While this covers why a certificate is needed, it doesn’t mention Subject Names or if a reboot is required for the change to be effective.  I imagine Aruba has a major headache on their hands for anyone that uses the built-in captive portal for Guest WLANs.

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

The common name can be anything. I'd recommend it be somewhat user friendly. Something like "network-login.domain.xyz". A public certificate is highly recommended for captive portal.

A reboot is not required.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP

Occasional Contributor I
Posts: 6
Registered: ‎08-10-2014

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Hi cappalli!

I assume that an A record in DNS should be created for "network-login.domain.xyz", am I right? To which IP address should it be pointing?

Is it possible to use a wildcard cert?

Guru Elite
Posts: 8,204
Registered: ‎09-08-2010

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

No. No DNS record is required. Wildcard certs can be used on Instant 4.3 and greater.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP