How to configure RAP to use Certificate on the USB for establishing IPSec with controller

Aruba Employee

This article explains how to configure a RAP to use a certificate stored on a USB device for establishing IPsec with the controller.


This feature was introduced in 6.3 as part of custom certificate support for RAP. All RAPs that have a USB port support this feature.


Environment : This has been tested on RAP-3WN and Aruba 7220 controller running


Network Topology : (topology diagram, image not included)

To configure the RAP with a customer certificate that is used from the USB, the following is needed:

1. Install the PKCS#12/PFX certificate on the USB. Follow these specifications:

  • The certificate subject name/CN must equal the MAC address of the RAP (CN = 00:0b:86:68:bd:e6).
  • The file name of the PFX/PKCS#12 certificate must be the MAC address of the RAP, without colons and in upper case (000B8668BDE6.p12).
  • Use a certificate with an encrypted private key (a passphrase is mandatory).
  • There must not be any other file with the same name on the USB.

2. Bring the RAP up normally on the controller and provision it with the parameters below, under Wireless >> AP Installation >> Provisioning:

  • pkcs12 passphrase (must be at least 6 characters)
  • Device type set to storage

(screenshot of the provisioning page, image not included)


3. Generate a CSR from the controller and obtain a certificate (key usage: Server authentication) signed by the same CA as the RAP certificate on the USB (recommended). Upload the certificate to the controller as a server certificate. In this document it is named "rapcert-server".

4. Upload the CA certificate to the controller. In this document it is named "rap-ca".

5. Map the certificates under Advanced Services >> VPN services.
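The shell script below is an added example and is not part of the original article or of Aruba's own tooling. It uses the openssl command line to build the files that steps 1 and 3 ask for (a RAP certificate whose CN is the RAP MAC address, exported as a passphrase-protected PKCS#12 named after the MAC, plus a server certificate with the serverAuth key usage signed by the same CA) and to check a mounted USB directory against the step 1 rules before the stick is plugged into the RAP. The CA subject, the organisation name, the controller CN and the output directory layout are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article: builds and checks the
# PKCS#12 file described in step 1 and the server certificate of step 3.
# Assumptions: the openssl CLI (1.1 or later) is installed; subjects,
# organisation name and directory layout are constructed for this example.
set -eu

# Expected file name on the USB stick: MAC without colons, upper case, .p12
rap_p12_name() {
    printf '%s.p12\n' "$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')"
}

# The provisioning page requires a passphrase of at least 6 characters
check_passphrase() {
    [ "${#1}" -ge 6 ]
}

# Build a throw-away CA, a RAP certificate whose CN is the MAC address, the
# PKCS#12 for the USB stick, and a server certificate (EKU serverAuth) signed
# by the same CA. $1 = RAP MAC, $2 = PKCS#12 passphrase, $3 = output directory.
make_rap_p12() {
    mac=$1; pass=$2; out=$3
    check_passphrase "$pass" || { echo "passphrase too short" >&2; return 1; }
    mkdir -p "$out"
    # CA (constructed subject; the article uploads it to the controller as "rap-ca")
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/O=Example/CN=rap-ca" \
        -keyout "$out/rap-ca.key" -out "$out/rap-ca.pem" 2>/dev/null
    # RAP certificate: the subject CN must equal the RAP MAC address
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example/CN=$mac" \
        -keyout "$out/rap.key" -out "$out/rap.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$out/rap.csr" \
        -CA "$out/rap-ca.pem" -CAkey "$out/rap-ca.key" -CAcreateserial \
        -out "$out/rap.pem" 2>/dev/null
    # PKCS#12 with an encrypted private key, file named after the MAC
    openssl pkcs12 -export -inkey "$out/rap.key" -in "$out/rap.pem" \
        -certfile "$out/rap-ca.pem" -passout "pass:$pass" \
        -out "$out/$(rap_p12_name "$mac")"
    # Controller-side server certificate ("rapcert-server" in the article)
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=controller.example" \
        -keyout "$out/server.key" -out "$out/server.csr" 2>/dev/null
    printf 'extendedKeyUsage=serverAuth\n' > "$out/server.ext"
    openssl x509 -req -days 365 -in "$out/server.csr" \
        -CA "$out/rap-ca.pem" -CAkey "$out/rap-ca.key" -CAcreateserial \
        -extfile "$out/server.ext" -out "$out/server.pem" 2>/dev/null
}

# Check a mounted USB directory against the step 1 rules. Returns 0 on pass.
# $1 = RAP MAC, $2 = directory, $3 = passphrase that was provisioned.
check_usb_p12() {
    mac=$1; dir=$2; pass=$3
    name=$(rap_p12_name "$mac")
    base=${name%.p12}
    # Exactly one file with this base name may exist (any extension, any case)
    n=$(ls "$dir" | grep -c -i "^$base\." || true)
    [ "$n" -eq 1 ] || { echo "expected one $base.* file, found $n" >&2; return 1; }
    [ -f "$dir/$name" ] || { echo "$name missing" >&2; return 1; }
    tmp=$(mktemp)
    # The file must open with the provisioned passphrase ...
    openssl pkcs12 -in "$dir/$name" -passin "pass:$pass" -nokeys -clcerts \
        -out "$tmp" 2>/dev/null || { echo "wrong passphrase or bad p12" >&2; rm -f "$tmp"; return 1; }
    # ... and must not open with an empty one, i.e. the key is really encrypted
    if openssl pkcs12 -in "$dir/$name" -passin "pass:" -nokeys -out /dev/null 2>/dev/null; then
        echo "p12 is not passphrase-protected" >&2; rm -f "$tmp"; return 1
    fi
    # The subject CN must equal the MAC address exactly as the RAP reports it
    cn=$(openssl x509 -in "$tmp" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    rm -f "$tmp"
    [ "$cn" = "$mac" ] || { echo "CN '$cn' does not match MAC '$mac'" >&2; return 1; }
}
```

Typical use is `make_rap_p12 00:0b:86:68:bd:e6 'rap-secret' ./out`, copy `out/000B8668BDE6.p12` to the stick, upload `out/rap-ca.pem` as the CA and `out/server.pem` (with its key) as the server certificate, then run `check_usb_p12 00:0b:86:68:bd:e6 /mnt/usb 'rap-secret'` against the mounted stick. The empty-passphrase probe is the check that matters most: a PKCS#12 exported without a passphrase still contains a private key, but the RAP will not accept it.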


Once the above configuration is done, the RAP will detect the certificate and come up on the controller with the "J" flag ("USB cert at AP"):

(Aruba) #show ap database
AP Database
Name               Group       AP Type  IP Address    Status      Flags  Switch IP     Standby IP
----               -----       -------  ----------    ------      -----  ---------     ----------
00:0b:86:8e:f5:89  default     RAP-3WN  Up 11m:22s  Rc2uJ
Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
       c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
       M = Mesh node; Y = Mesh Recovery
(Aruba) #show crypto isakmp sa peer
 Initiator IP:
 Responder IP:
 Initiator: No
 Initiator cookie:b7a7878fb9b5ad9c Responder cookie:9a27175298aa1746
 SA Creation Date: Tue Oct 14 12:12:31 2014
 Life secs: 28800
 Initiator Phase1 ID: C=IN S=karanataka L=bangalore O=aruba OU=aruba CN=00:0b:86:8e:f5:89
 Responder Phase1 ID: C=in S=karnataka L=bangalore O=Aruba OU=tac CN=aruba
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2
 Authentication Method: RSA Digital Signature 2048-bits
 CFG Inner-IP
 IPSEC SA Rekey Number: 0
 Aruba AP
(Aruba) #show crypto ipsec sa peer
 Initiator IP:
 Responder IP:
 Initiator: No
 SA Creation Date: Tue Oct 14 12:12:31 2014
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2)
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
 Encapsulation Mode Tunnel
 PFS: no
 IN SPI: 9904C500, OUT SPI: D9B81900
 CFG Inner-IP
 Responder IP:
(Aruba) #show ap database long
AP Database
Name               Group       AP Type  IP Address    Status     Flags  Switch IP     Standby IP  Wired MAC Address  Serial #   Port  FQLN  Outer IP     User
----               -----       -------  ----------    ------     -----  ---------     ----------  -----------------  --------   ----  ----  --------     ----
00:0b:86:8e:f5:89  default     RAP-3WN  Up 15m:8s  Rc2uJ     00:0b:86:8e:f5:89  BF0051760  N/A   N/A
Version history: Revision 1 of 1, last updated 04-07-2015 02:16 PM



Do we need to upload the server cert and trusted CA on the controller, or just the trusted CA?



