ArubaOS and Controllers

Reply
Occasional Contributor II
Posts: 10
Registered: ‎01-19-2010

Certificate Common Name for AAA Profile

Hello,

I'm trying to understand how to replace the "securelogin.arubanetworks.com" cert that is presented when a user connects to a network with 802.1x enabled. As it stands most users are prompted to accept the certificate before getting a lease/connected and I believe before credentials are passed. We've overcome this in the past by telling users to either uncheck "validate server certificate" on the windows side, or simply telling them that they have to accept the cert.

We would like to make the process seamless. I contacted Aruba Support regarding the issue because my main question is "What should the common name be?" when an the server is presenting the authentication via an SSID? They told me that it doesn't matter. I don't really believe that, as we did try it and it still did not work (the new cert was presented with the opportunity to accept).

The area we are applying the new cert is in the 802.1x authentication profile which is used further up the chain on the Virtual AP/SSID.

Should common name be the actual server name or something to do with the SSID in this case?

Thanks in advance!
MVP
Posts: 485
Registered: ‎04-03-2007

Re: Certificate Common Name for AAA Profile

For web servers, it's important that the common name match the hostname/dns name for the server. However, with 802.1X, it does not matter. If the certificate is only going to be used for 802.1X, use whatever you want.

As for your clients (windows?), they will continued to be prompted to accept the certificate unless you do the following:

  • Validate Server Certificate
  • Enter the server name to trust
  • Select the root certificate authority to trust/expect with the cert

It sounds like you're missing one of the above on the client device.
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Occasional Contributor II
Posts: 10
Registered: ‎01-19-2010

Re: Certificate Common Name for AAA Profile

Thanks Ryan.

I understand now that common name doesn't matter in this case, just threw me off for a while is all.

The problem doesn't seem to be client devices, we are using DigiCert as our issuer so the certs are from a source that many devices will trust, or they will trust Entrust. Our issue seems to be at this point getting the certs into the right format or the right intermediate cert for the validation to take place automatically. I think the server cert is correct, but for whatever reason it still doesn't like it, even when showing DigiCert as the Root CA in this case.

If anyone has used DigiCert for this in past and wants to chime in with which of the files they used in what role on the controller i would certainly appreciate it.

Thank you.
Search Airheads
Showing results for 
Search instead for 
Did you mean: