Requirement:
When registering / provisioning Aruba OfficeConnect switches to Airwave versions prior to 8.2.3.1, Airwave accepts registration information sent by the switch over HTTPS using TLS 1.0 or TLS 1.1.
In Airwave 8.2.3.1, TLS 1.0 and 1.1 are disabled by default because of known security issues in those protocol versions, and only TLS 1.2 is accepted. Switches whose firmware still negotiates TLS 1.0 or 1.1 therefore fail to register.
Solution: The proper fix is to upgrade the switch firmware to a version that uses TLS 1.2 by default. As a workaround, Airwave can be configured to allow TLS 1.0 and 1.1 until the switch firmware upgrade can be scheduled, after which the setting should be reverted so that the network stays on TLS 1.2 only.
Configuration: In Airwave navigate to AMP Setup --> General --> Additional AMP Services and set the Disable TLS 1.0 and 1.1 option so that those protocol versions are allowed, as shown below.
Disable TLS 1.0 and 1.1:
After changing the TLS status here you must restart the AMP to have it take effect.
Save the setting and run the following command on the Airwave server to restart the pound service so the change takes effect.
# service pound restart
Verification
Before the setting to allow TLS 1.0 and 1.1 is enabled, the only ciphers offered are for TLS 1.2, as shown in the scan below.
[root@amp-2-dev mercury]# nmap --script ssl-enum-ciphers -p 443 <Airwave IP>
Starting Nmap 5.51 ( http://nmap.org ) at 2017-03-14 12:20 PDT
Nmap scan report for amp-2-dev.attwifi.com (Airwave IP address)
Host is up (0.00024s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2
| Ciphers (6)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
When the setting to allow TLS 1.0 and 1.1 is enabled on Airwave, the scan shows the following sets of allowed ciphers for TLS 1.0, 1.1 and 1.2, and the switch registration succeeds, which can be confirmed in the amp_events log.
[root@amp-3-dev mercury]# nmap --script ssl-enum-ciphers -p 443 <Airwave ip>
Starting Nmap 5.51 ( http://nmap.org ) at 2017-03-14 12:23 PDT
Nmap scan report for amp-3-dev.attwifi.com (Airwave IP address)
Host is up (0.00030s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.0
| Ciphers (6)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| Compressors (1)
| uncompressed
| TLSv1.1
| Ciphers (6)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA
| Compressors (1)
| uncompressed
| TLSv1.2
| Ciphers (12)
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
| TLS_RSA_WITH_AES_128_CBC_SHA
| TLS_RSA_WITH_AES_128_CBC_SHA256
| TLS_RSA_WITH_AES_256_CBC_SHA
| TLS_RSA_WITH_AES_256_CBC_SHA256
| Compressors (1)
|_ uncompressed
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
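As an added example (not part of this article and not an Aruba tool), the following Python script parses the output of the nmap ssl-enum-ciphers scan used above and reports whether the host still offers TLS 1.0 or TLS 1.1, so the temporary workaround can be tracked and reverted once the switch firmware has been upgraded. The sample scan texts embedded in it are constructed from the output shown in this article (host names and addresses omitted); the file name tls_audit.py is an assumption.

```python
# Added example (not from the article or from Aruba): parse the output of
# `nmap --script ssl-enum-ciphers` and report whether the scanned host still
# offers TLS 1.0 / TLS 1.1, so the Airwave workaround can be audited and
# reverted once the OfficeConnect switches run TLS 1.2 capable firmware.
import re
import sys

# Sample scan text, constructed from the ssl-enum-ciphers output shown in
# this article (host names and IPs omitted). Not real captured data.
SCAN_TLS12_ONLY = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (6)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
"""

# Constructed sample with the workaround enabled. Newer nmap releases append
# key-exchange details and a grade after each cipher name; the parser below
# tolerates both the old (article) and the newer layout.
SCAN_LEGACY_ALLOWED = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.1
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (2)
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|     Compressors (1)
|_      uncompressed
"""

# Protocol versions that should not be offered once the workaround is reverted.
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1")

# A protocol header line looks like "|   TLSv1.0"; a cipher line starts with
# "TLS_" and may carry trailing details such as "(dh 1024) - A".
PROTO_RE = re.compile(r"^\|_?\s+(SSLv[23]|TLSv1\.[0-3])\s*$")
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)(?:\s.*)?$")


def parse_ssl_enum_ciphers(text):
    """Return {protocol_version: [cipher names]} from ssl-enum-ciphers output."""
    offered = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            offered[current].append(m.group(1))
    return offered


def legacy_protocols(text):
    """List the legacy protocol versions the scanned host still offers."""
    offered = parse_ssl_enum_ciphers(text)
    return [proto for proto in LEGACY_PROTOCOLS if proto in offered]


def audit(text):
    """Return (ok, report); ok is False while any legacy protocol is offered."""
    offered = parse_ssl_enum_ciphers(text)
    legacy = legacy_protocols(text)
    lines = [f"{proto}: {len(ciphers)} cipher(s)" for proto, ciphers in offered.items()]
    if legacy:
        lines.append("WARNING: legacy protocol(s) still offered: " + ", ".join(legacy)
                     + " - revert the Airwave workaround once the switches are upgraded")
        return False, "\n".join(lines)
    lines.append("OK: only TLS 1.2 or newer is offered")
    return True, "\n".join(lines)


if __name__ == "__main__":
    # Pipe a live scan in:
    #   nmap --script ssl-enum-ciphers -p 443 <Airwave IP> | python3 tls_audit.py
    # Without piped input the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SCAN_LEGACY_ALLOWED
    ok, report = audit(data)
    print(report)
    sys.exit(0 if ok else 1)
```

The exit status makes the script usable from a scheduled job: a non-zero exit while the firmware upgrade is still pending is expected, and the job turning green is the signal that the Disable TLS 1.0 and 1.1 option has been restored and the pound service restarted.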