
How to register/provision Aruba/HPE OfficeConnect Switch to Airwave 8.2.3.1

Aruba Employee
Requirement:

Before Airwave version 8.2.3.1, Airwave accepted TLS 1.0 or TLS 1.1 when an Aruba OfficeConnect switch sent its registration information over HTTPS to register or provision the device.

In Airwave 8.2.3.1, TLS versions 1.0 and 1.1 are disabled by default because of security issues in these TLS versions. Only TLS 1.2 is allowed, so you will see issues with switch registration.



Solution:

We can resolve this by upgrading the switch firmware to a version that uses TLS 1.2 by default. As a workaround, however, we can make Airwave allow TLS 1.0 and 1.1 until you schedule the switch firmware upgrade needed to stay on a secure network.



Configuration:

In Airwave, navigate to AMP Setup --> General --> Additional AMP Services and set Disable TLS 1.0 and 1.1 as shown below.

 

Disable TLS 1.0 and 1.1:
After changing the TLS status here you must restart the AMP to have it take effect.
  • No       Yes

 

Save the setting, then run the following command on Airwave to restart the pound service and apply the setting.

 

# service pound restart

 

 

 



Verification

 

Before enabling the setting to allow TLS 1.0 and 1.1, the only allowed ciphers are those for TLS 1.2, as shown below.

 

[root@amp-2-dev mercury]# nmap --script ssl-enum-ciphers -p 443 <Airwave IP>

Starting Nmap 5.51 ( http://nmap.org ) at 2017-03-14 12:20 PDT
Nmap scan report for amp-2-dev.attwifi.com (Airwave IP address)
Host is up (0.00024s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (6)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

 

When the setting to allow TLS 1.0 and 1.1 is set on Airwave, the following sets of allowed ciphers are offered for TLS 1.0, 1.1 and 1.2, and you can also see in the amp_events log that the switch registration is successful.

[root@amp-3-dev mercury]# nmap --script ssl-enum-ciphers -p 443 <Airwave ip>

Starting Nmap 5.51 ( http://nmap.org ) at 2017-03-14 12:23 PDT
Nmap scan report for amp-3-dev.attwifi.com (Airwave IP address)
Host is up (0.00030s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (6)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.1
|     Ciphers (6)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (12)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|       TLS_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_128_CBC_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
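
A check for confirming that the workaround has been reverted once the switch firmware is upgraded, as an added example that is not part of the original article: it parses saved ssl-enum-ciphers output in the layout shown above and fails while TLS 1.0 or 1.1 is still offered. The function names and the shortened sample scan are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: audit saved ssl-enum-ciphers output.

# Print each protocol version offered. Accepts the nmap 5.51 layout shown in
# the article ("|   TLSv1.0") and the newer one with a trailing colon.
tls_versions() {
    awk '/^\|[ _]+(SSL|TLS)v[0-9.]+:?[ ]*$/ { sub(/:$/, "", $2); print $2 }'
}

# Print the cipher suites listed under one protocol version ($1).
ciphers_for() {
    awk -v want="$1" '
        /^\|[ _]+(SSL|TLS)v[0-9.]+:?[ ]*$/ { v = $2; sub(/:$/, "", v); next }
        /^\|[ _]+TLS_[A-Z0-9_]+/ && v == want { print $2 }'
}

# Print TLSv1.0/TLSv1.1 if offered; exit status 0 means legacy TLS was found.
legacy_tls() { tls_versions | grep -E '^TLSv1\.[01]$'; }

# Return 1 while the workaround is active, 2 if the input has no scan results.
audit() {
    scan=$(cat)
    [ -n "$(printf '%s\n' "$scan" | tls_versions)" ] || { echo "ERROR: no ssl-enum-ciphers results"; return 2; }
    if found=$(printf '%s\n' "$scan" | legacy_tls); then
        echo "FAIL: still offered:" $found; return 1
    fi
    echo "OK: TLS 1.0 and 1.1 are not offered"
}

# Constructed sample, shortened from the article's second scan.
sample_scan() {
    cat <<'EOF'
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (2)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_RSA_WITH_AES_256_CBC_SHA
|     Compressors (1)
|       uncompressed
|   TLSv1.2
|     Ciphers (3)
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|       TLS_RSA_WITH_AES_256_CBC_SHA256
|     Compressors (1)
|_      uncompressed
EOF
}
sample_scan | audit || true   # demo run on the constructed sample
```

On the article's two full scans, ciphers_for TLSv1.2 lists 6 suites before the change and 12 after: the workaround also re-enables the SHA-1 CBC suites under TLS 1.2, not just the older protocol versions.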

Version history
Revision #:
1 of 1
Last update:
‎03-27-2017 06:44 AM