Product and Software: This article applies to all Aruba controllers that run ArubaOS 184.108.40.206 and later.
You can log in to the controller in two ways:
- username and password
- client certificate
Normally, a username and password are good enough. However, in a large network that has hundreds of controllers, typing a username and password every time becomes tedious. Using a client certificate eliminates the typing and increases security, because a certificate is the most secure way to digitally identify a user.
These steps are based on Microsoft Windows Server 2003 and ArubaOS 220.127.116.11. The steps should be similar when using different versions of ArubaOS.
To generate a client certificate and to configure the controller to use the client certificate to log in, follow these steps:
1) Obtain a client certificate and import it into the controller.
See KB ID 772 to upload a certificate on the controller. Also see the ArubaOS user guide for more information about obtaining and importing a client certificate on the controller.
2) Enable the client certificate on the controller.
a) Navigate to the Configuration > Management > General page.
b) Under WebUI Management Authentication Method, select Client Certificate. You can select Username and Password as well; in this case, the user is prompted to manually enter the username and password only if the client certificate is invalid.
c) Select the server certificate to be used for this service.
d) Click Apply.
3) Create a user to use the client certificate.
a) Navigate to the Configuration > Management > Administration page.
b) Under Management Users, click Add.
c) Select Certificate Management.
d) Select WebUI Certificate.
e) Enter the username.
f) Select the user role assigned to the user upon validation of the client certificate.
g) Enter the serial number for the client certificate.
h) Select the name of the CA that issued the client certificate.
i) Click Apply.
To get the client certificate serial number, issue the 'show crypto-local pki publiccert <certname> serial' command.
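Added example (not part of the original article): a pre-check run with OpenSSL on the administrator's workstation that prints the serial number and issuer needed in steps 3g and 3h, and flags a certificate that is close to expiry or not usable for client authentication. It assumes the client certificate is available as a PEM file; the script name, file name and the 30-day threshold are illustrative.

```shell
#!/bin/sh
# Pre-flight check of a client certificate before registering it as a
# management user. Assumption: the certificate is a PEM file on the
# workstation and the openssl command-line tool is installed.

# Print the serial number as hex digits, without the "serial=" prefix.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Print the issuer distinguished name (the CA to select in step 3h).
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Succeed only if the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed only if OpenSSL considers the certificate usable as a TLS client
# certificate (the anchored pattern does not match the "SSL client CA" line).
cert_allows_client_auth() {
    openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'
}

# Usage: sh certcheck.sh client.pem
if [ "$#" -ge 1 ]; then
    echo "serial: $(cert_serial "$1")"
    echo "issuer: $(cert_issuer "$1")"
    cert_valid_for_days "$1" 30 || echo "WARNING: expires within 30 days"
    cert_allows_client_auth "$1" || echo "WARNING: not valid for TLS client authentication"
fi
```

Compare the printed serial with the output of the controller's show command before entering it in step 3g.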