Certificate-based Security for IAP/AMP Communication

Aruba Employee
Problem:
=======
The existing security model for IAP/AMP communication is based on a pre-shared secret, which managed service providers can consider weak.
 
Configuration Steps:
 
For the AirWave server and backup server, either an IP address or a domain name is now supported.

 
Solution:
=======
* The IAP supports the same certificate-based mutual authentication scheme as the one used for Activate/Aruba Central communication
* Requires the AMP to support uploading a custom certificate through its UI
 
P.S
* IAP will use certificate-based authentication if no pre-shared secret is set in its AMP configuration
* The AMP certificate must be signed by Comodo, GeoTrust, or Google Public Internet Authority
* IAP must be configured with the AMP Server’s certified domain name
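
The conditions in the list above can be checked before an IAP is pointed at the AMP. The following Python code is an added example, not Aruba's code: `check_amp_cert`, `ACCEPTED_ISSUERS` and the sample certificate are hypothetical names and constructed data. It assumes conventional TLS host-name matching, because the page does not describe the IAP's own matching rules.

```python
import ipaddress

# Issuer names from the article's list. Substring matching on the issuer DN is
# an assumption of this example and only means something for a certificate
# whose chain has already been validated.
ACCEPTED_ISSUERS = ("comodo", "geotrust", "google")

def _flatten(rdns):
    """Flatten getpeercert()'s nested RDN tuples into (key, value) pairs."""
    return [pair for rdn in rdns for pair in rdn]

def _name_matches(pattern, host):
    """Conventional TLS matching: exact, or a single left-most '*' label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_amp_cert(cert, configured_server):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    try:
        ipaddress.ip_address(configured_server)
        problems.append("server is configured as an IP address, not a domain name")
    except ValueError:
        pass  # not an IP literal, so treat it as a domain name
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN is present
        names = [v for k, v in _flatten(cert.get("subject", ())) if k == "commonName"]
    if not any(_name_matches(n, configured_server) for n in names):
        problems.append(f"{configured_server!r} not in certificate names {names}")
    issuer = " ".join(v for k, v in _flatten(cert.get("issuer", ()))
                      if k in ("organizationName", "commonName")).lower()
    if not any(ca in issuer for ca in ACCEPTED_ISSUERS):
        problems.append(f"issuer {issuer!r} is not one of the listed CAs")
    return problems

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "amp.example.com"),),),
    "issuer": ((("organizationName", "GeoTrust Inc."),), (("commonName", "GeoTrust SSL CA"),)),
    "subjectAltName": (("DNS", "amp.example.com"),),
}

if __name__ == "__main__":
    for server in ("amp.example.com", "10.65.182.15", "airwave.example.com"):
        print(server, "->", check_amp_cert(SAMPLE_CERT, server) or "OK")
```

An empty result means the configured server name, the certificate names and the issuer are consistent with the three conditions; each returned string names the condition that failed.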
 
Commands to verify
=================
AMP status: show ap debug airwave
 
d8:c7:c8:c4:57:38# show ap debug airwave
 
Airwave Server List
-------------------
Domain/IP Address  Type     Mode     Status
-----------------  ----     ----     ------
10.65.182.15       Primary  Monitor  Login-done

awc logs
=======
 
show log ap-debug


 

Version history: Revision 1 of 1. Last update: 07-05-2014 06:09 PM
Comments
gclass

Hello,

 

Thanks for this, it's really interesting but I still have a question: is it necessary that the certificate has the same name as the server? (FQDN)

Thanks!

Guillaume

(sorry for my English)
