How to configure RAP to use Certificate on the USB for establishing IPSec with controller

Aruba Employee

This article explains how to configure a RAP to use a certificate stored on a USB drive for establishing the IPsec tunnel with the controller.


This feature was introduced in ArubaOS 6.3 as part of custom certificate support for RAPs. All RAPs that have a USB port support this feature.


Environment: this has been tested on a RAP-3WN and an Aruba 7220 controller running ArubaOS 6.3.1.12.


Network Topology: [image: rtaImage (8).jpg]

To configure the RAP with a custom certificate that is read from the USB drive, the following is required:

1. Install the PKCS#12/PFX certificate on the USB drive. It must meet the following specifications:

  • The certificate subject name/CN must be the MAC address of the RAP (for example CN = 00:0b:86:68:bd:e6).
  • The file name of the PFX/PKCS#12 file must be the MAC address of the RAP, without colons and in upper case (for example 000B8668BDE6.p12).
  • The certificate must carry an encrypted private key (a passphrase is mandatory).
  • There must be no other file with the same name on the USB drive.

2. Bring the RAP up on the controller in the normal way and provision it with the parameters below, under Wireless >> AP Installation >> Provisioning:

  • pkcs12 passphrase (it must be at least 6 characters long)
  • Device type set to storage

[image: rtaImage (9).jpg]


3. Generate a CSR on the controller and obtain a certificate (key usage: server authentication) signed by the same CA as the RAP certificate on the USB drive (recommended). Upload the certificate to the controller as a server certificate. In this document it is named "rapcert-server".

4. Upload the CA certificate to the controller. In this document it is named "rap-ca".

5. Map the certificates under Advanced Services >> VPN Services.
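As an added example (not part of the original article), the following OpenSSL script builds a PKCS#12 file that satisfies the rules in step 1: the CN is the RAP MAC address, the file name is the upper-case MAC without colons plus ".p12", and the private key is protected by a passphrase of at least six characters. The CA files ca.pem and ca.key, the intermediate file names and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds a PKCS#12 bundle
# that follows the USB-certificate rules: CN = RAP MAC address, file name =
# upper-case MAC without colons + ".p12", private key protected by a
# passphrase of at least 6 characters. Assumes OpenSSL and an existing CA
# (ca.pem / ca.key are assumed file names).
set -eu

# Derive the mandatory file name from a colon-separated MAC address.
rap_p12_filename() {
    printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || {
        echo "not a colon-separated MAC address: $1" >&2
        return 1
    }
    printf '%s.p12\n' "$(printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF')"
}

# The provisioning page requires a pkcs12 passphrase of at least 6 characters.
rap_passphrase_ok() {
    [ "${#1}" -ge 6 ]
}

# Generate the RAP key, a CSR whose CN is the MAC, a CA-signed certificate,
# and finally the encrypted PKCS#12 file named after the MAC.
make_rap_p12() {
    mac=$1
    pass=$2
    out=$(rap_p12_filename "$mac")
    rap_passphrase_ok "$pass" || {
        echo "passphrase must be at least 6 characters" >&2
        return 1
    }
    openssl req -new -newkey rsa:2048 -nodes -keyout rap.key -out rap.csr \
        -subj "/CN=$mac"
    openssl x509 -req -in rap.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
        -days 365 -out rap.pem
    # Pass the passphrase via the environment so it is not visible in the
    # process list. On OpenSSL 3.x add -legacy if the RAP cannot parse the
    # default PBES2/AES-encrypted bundle.
    RAP_P12_PASS=$pass openssl pkcs12 -export -inkey rap.key -in rap.pem \
        -certfile ca.pem -name "$mac" -passout env:RAP_P12_PASS -out "$out"
    # Check that the bundle opens with the passphrase and carries the expected CN.
    RAP_P12_PASS=$pass openssl pkcs12 -in "$out" -passin env:RAP_P12_PASS \
        -nokeys -clcerts | openssl x509 -noout -subject
    printf '%s\n' "$out"
}

# Usage: sh make_rap_p12.sh 00:0b:86:68:bd:e6 'S3cretPass'  -> 000B8668BDE6.p12
if [ "$#" -eq 2 ]; then
    make_rap_p12 "$1" "$2"
fi
```

Copy the resulting .p12 file to the root of the USB drive on its own; any second file with the same name violates the last rule in step 1.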


Once the above configuration is done, the RAP detects the certificate and comes up on the controller with the "J" flag ("USB cert at AP"):

(Aruba) #show ap database
 
AP Database
-----------
Name               Group       AP Type  IP Address    Status      Flags  Switch IP     Standby IP
----               -----       -------  ----------    ------      -----  ---------     ----------
00:0b:86:8e:f5:89  default     RAP-3WN  10.17.33.235  Up 11m:22s  Rc2uJ  10.17.32.246  0.0.0.0
 
Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
       c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       u = Custom-Cert RAP; S = Standby-mode AP; J = USB cert at AP
       M = Mesh node; Y = Mesh Recovery
 
(Aruba) #show crypto isakmp sa peer 10.20.25.43
 
 Initiator IP: 10.20.25.43
 Responder IP: 10.17.32.246
 Initiator: No
 Initiator cookie:b7a7878fb9b5ad9c Responder cookie:9a27175298aa1746
 SA Creation Date: Tue Oct 14 12:12:31 2014
 Life secs: 28800
 Initiator Phase1 ID: C=IN S=karanataka L=bangalore O=aruba OU=aruba CN=00:0b:86:8e:f5:89 E=abc@abc.com
 Responder Phase1 ID: C=in S=karnataka L=bangalore O=Aruba OU=tac CN=aruba E=anc@nbc.com
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:2
 Authentication Method: RSA Digital Signature 2048-bits
 CFG Inner-IP 10.17.33.235
 IPSEC SA Rekey Number: 0
 Aruba AP
 
 
(Aruba) #show crypto ipsec sa peer 10.20.25.43
 
 Initiator IP: 10.20.25.43
 Responder IP: 10.17.32.246
 Initiator: No
 SA Creation Date: Tue Oct 14 12:12:31 2014
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2)
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
 Encapsulation Mode Tunnel
 PFS: no
 IN SPI: 9904C500, OUT SPI: D9B81900
 CFG Inner-IP 10.17.33.235
 Responder IP: 10.17.32.246
 
 
(Aruba) #show ap database long
 
AP Database
-----------
Name               Group       AP Type  IP Address    Status     Flags  Switch IP     Standby IP  Wired MAC Address  Serial #   Port  FQLN  Outer IP     User
----               -----       -------  ----------    ------     -----  ---------     ----------  -----------------  --------   ----  ----  --------     ----
00:0b:86:8e:f5:89  default     RAP-3WN  10.17.33.235  Up 15m:8s  Rc2uJ  10.17.32.246  0.0.0.0     00:0b:86:8e:f5:89  BF0051760  N/A   N/A   10.20.25.43
Comments

Hi,

Do we need to upload the server cert and the trusted CA on the controller, or just the trusted CA?

Thanks,
SJ
