AMP version 8.0 and above
Aruba Controller latest version
Aruba Controller supports uploading a customized captive portal server certificate. The captive portal server certificate verifies the internal captive portal server’s identity to the client.
Airwave Management server (AMP) can be used to manage Aruba Controller certificates such as the web server certificate and the captive portal server certificate.
The AMP performs basic certificate verification (such as certificate type, format, version, serial number and so on) before accepting the certificate and uploading it to an Aruba Controller. The AMP packages the text of the certificate into an HTTPS message and sends it to the Aruba Controller. After the controller receives this message, it extracts the certificate content from the message and saves it.
Loading a certificate in Airwave:
- From the Device Setup >> Certificates page, click ‘Add’ to upload a new certificate.
- On the certificate upload form, enter a certificate name and choose the certificate file.
- Enter the passphrase, if any.
- Select the format that matches the certificate file.
- Select the certificate type ‘Server Cert’.
Selecting the certificate for Controller:
Note: The user **MUST** resolve configuration audit mismatches for the controller before performing the steps below, to avoid an unexpected configuration push to the controller. Contact Aruba Support if you need help resolving mismatches for the controller.
1. Navigate to the AMP APs/Devices >> Manage page for the specific controller.
2. From the Aruba overrides section, select ‘Add’ for the certificate that needs to be pushed to the controller.
3. Update the Web SSH Management Profile default with the new captive portal certificate.
4. Update the Management mode to ‘Manage Read/Write’.
5. Click save and apply to push the certificate/config to the controller.
Using AMP Server:
From the /var/log/system/ap/<ap id>/telnet_cmds file, verify the AMP's progress in pushing the configuration to the Aruba controller.
The Aruba controller commands “show audit-trail” and “show web-server profile” confirm the certificate push and the captive portal certificate in use.
```
Sep 9 18:04:53 webui: USER:email@example.com COMMAND:<crypto pki-import pkcs12 ServerCert "Controller_CP_cert" "controller1.nslab.com.p12" ****** > -- command executed successfully
Sep 9 18:04:53 webui: USER:firstname.lastname@example.org COMMAND:<crypto-local pki ServerCert "Controller_CP_cert" "controller1.nslab.com.p12" > -- command executed successfully
Sep 9 18:05:06 fpcli: USER:email@example.com COMMAND:<web-server profile captive-portal-cert "Controller_CP_cert" > -- command executed successfully
```
```
#show web-server profile
Web Server Configuration
Cipher Suite Strength                            high
SSL/TLS Protocol Config                          tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                               default
Captive Portal Certificate                       Controller_CP_cert
IDP Certificate                                  default
Management user's WebUI access method            username/password
User session timeout <30-3600> (seconds)         900
Maximum supported concurrent clients <25-320>    25
Enable WebUI access on HTTPS port (443)          false
Web Lync Listen Protocol/Port Config             N/A
Enable bypass captive portal landing page        false
Exclude Security Headers from HTTP Response      false
```
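
The verification above can be scripted once the two command outputs have been saved as text. The following is an added example, not part of the original article or of any Aruba tooling: it checks that each of the three audit-trail commands succeeded for the named certificate and that the web-server profile reports that certificate in use. The sample input is constructed from the output shown above, and the step labels (`imported`, `registered`, `assigned`, `in_use`) are hypothetical names chosen for this example.

```python
import re

# Constructed sample input, modelled on the "show audit-trail" and
# "show web-server profile" output in the article (user name is made up).
AUDIT_TRAIL = '''\
Sep 9 18:04:53 webui: USER:admin COMMAND:<crypto pki-import pkcs12 ServerCert "Controller_CP_cert" "controller1.nslab.com.p12" ****** > -- command executed successfully
Sep 9 18:04:53 webui: USER:admin COMMAND:<crypto-local pki ServerCert "Controller_CP_cert" "controller1.nslab.com.p12" > -- command executed successfully
Sep 9 18:05:06 fpcli: USER:admin COMMAND:<web-server profile captive-portal-cert "Controller_CP_cert" > -- command executed successfully
'''
PROFILE = '''\
Switch Certificate default
Captive Portal Certificate Controller_CP_cert
IDP Certificate default
'''

AUDIT_RE = re.compile(r'COMMAND:<(?P<cmd>.*?)\s*> -- (?P<result>.+)$')
# The three commands the article's audit trail shows for a certificate push.
STEPS = {
    "imported": "crypto pki-import",
    "registered": "crypto-local pki ServerCert",
    "assigned": "web-server profile captive-portal-cert",
}

def audit_commands(text):
    """Return (command, succeeded) for every audit-trail line that parses."""
    found = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            ok = m.group("result").strip() == "command executed successfully"
            found.append((m.group("cmd"), ok))
    return found

def profile_value(text, parameter):
    """Return the value printed after a parameter name, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(parameter):
            return line[len(parameter):].strip()
    return None

def verify_push(audit_text, profile_text, cert_name):
    """Check each push step succeeded for cert_name and that it is in use."""
    cmds = audit_commands(audit_text)
    quoted = '"%s"' % cert_name  # match the exact quoted name, not a prefix
    result = {step: any(c.startswith(prefix) and quoted in c and ok
                        for c, ok in cmds)
              for step, prefix in STEPS.items()}
    result["in_use"] = profile_value(profile_text, "Captive Portal Certificate") == cert_name
    return result

if __name__ == "__main__":
    print(verify_push(AUDIT_TRAIL, PROFILE, "Controller_CP_cert"))
```

Any `False` value points at the step to investigate: a missing or failed audit-trail entry means the push did not complete, while `in_use` being `False` means the profile still references a different certificate.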