Controller Based WLANs

How to use custom certificate on RAP ?

by ‎11-25-2015 01:14 PM - edited ‎11-25-2015 01:14 PM
Q:

How to use custom certificate on RAP ?



A:

From 6.3 RAP supports custom certificate both RSA and ECDSA for forming IPSEC tunnel with controller.

We can use the RAP console page to generate the CSR and upload the Certificate / Root CA . If you have intermediate CA bundle them in PEM format and upload it

Similarly on controller side we need to generate the CSR and upload the certificates .Then map the server and CA certificate uploaded to the VPN service 

(Host) (config) #crypto-local isakmp server-certificate
<server_certificate_name>

To add the CA certificate to verify the RAP certificate:

(Host) (config) #crypto-local isakmp ca-certificate <trusted CA>

We can use the following command verify if RAP is using the custom certificate

(Host) #show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
10.1.1.250       10.1.1.2         b9dd7900/79f0dc00  UT2   Jul 27 10:15:48   8.1.1.6

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

(Host) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.1.1.250       10.1.1.2       r-v2-e-Ru Jul 27 10:15:48   8.1.1.6

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

(Host) #show crypto isakmp sa peer 10.1.1.250

 Initiator IP: 10.1.1.250
 Responder IP: 10.1.1.2
 Initiator: No
 Initiator cookie:b062da0c64289dda Responder cookie:c651d1e3dd23c0ab
 SA Creation Date: Mon Jul 27 10:15:48 2015
 Life secs: 28800
 Initiator Phase1 ID: C=US S=CA L=sunneyvale O=Aruba OU=IT CN=00:0b:86:9e:08:45 E=test5@arubanetworks.com
 Responder Phase1 ID: C=US S=CA L=Sunneyvale O=Aruba OU=IT CN=Controller E=test2@arubanetworks.com
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA2_384_192 DHGroup:20
 Authentication Method: ECDSA with SHA-384 on the P-384 curve
 CFG Inner-IP 8.1.1.6
 IPSEC SA Rekey Number: 0
 Aruba AP
 
 (Host) #show crypto ipsec sa peer 10.1.1.250

 Initiator IP: 10.1.1.250
 Responder IP: 10.1.1.2
 Initiator: No
 SA Creation Date: Mon Jul 27 10:15:48 2015
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2)
 Phase2 Transform:Encryption Alg: AES-GCM 256 Authentication Alg:
 Encapsulation Mode Tunnel
 IP Compression Disabled
 PFS: no
 IN SPI: B9DD7900, OUT SPI: 79F0DC00
 CFG Inner-IP 8.1.1.6
 Responder IP: 10.1.1.2
 
 Please note the certificate uploaded on RAP will be stored in flash memory and once we reset the RAP it will be removed and it will start using the default certificate 
 


Attachments:
screenshot1.JPG
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.