Monitoring, Management & Location Tracking

Requirement:

This article helps to setup certification authentication and Two-Factor authentication for Airwave Web UI.

Airwave allow Administrator to specify whether to require a certificate during authentication and whether to use two-factor authentication (certificate and user login) when logging in to Airwave WebUI.

• Generate client certificate to use when logging in to Airwave web UI.

Note: Airwave uses "otherName" field value from certificate as login username. Make sure the certificate contains valid otherName field to use as username.

In this example, I am using openssl to generate client certificate CSR with required fields.

• Import the generated client certificate  to web browser to use when trying to login to Airwave UI.

Steps:

Sample csr_details config file:

--------

[req]

default_bits = 2048

prompt = no

default_md = sha256

distinguished_name = dn

[ dn ]

C=US

ST=California

L=Santa Clara

O=Aruba Networks

OU=NSLAB

emailAddress=nimal@hpe.com

CN = nimalamplogin

[v3_req]   

subjectAltName = "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:nimalamplogin"

--------

Sample openssl command to generate CSR and private key file.

openssl req -new -nodes -newkey rsa:2048 -reqexts v3_req -config <( cat csr_details.txt ) -keyout privatekey.pkey -out cert.csr

Use the CSR to generate signed certificate from a valid certificate authority. 

Sample command to generate pfx file combining the certificate and private key file:

openssl pkcs12 -export -out nimalamplogin.pfx -inkey privatekey.pkey -in nimalamplogin.pem

• Configure Airwave server to use certificate to login to webUI.

From AMP Setup > Authentication page, configure “Enable Certificate Authentication” field to Yes.

Copy and paste the PEM-encoded CA certificate bundle in “CA Certificate Bundle” field.

Notes:

Configure “Require Certificate to Authenticate” field to Yes, if certificate is must to login to Airwave webUI.

Configure “Use Two-Factor Authentication” field to Yes, if need to enable two factor authentication.

Login to Airwave server WebUI using the client certificate generated.

From /var/log/httpd/access_log, verifiy the authentication status.

10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:33 -0700] "POST /LOGIN HTTP/1.1" 302 266 110784"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

10.5.80.209 - - [28/Jul/2017:17:28:33 -0700] "GET /index.html HTTP/1.1" 200 1170 64811"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:33 -0700] "GET /api/user_prefs.json HTTP/1.1" 200 1539 19021"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

10.5.80.209 - - [28/Jul/2017:17:28:33 -0700] "GET /frappe/script/Locale-en.json HTTP/1.1" 200 29 234"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /amp_stats.json HTTP/1.1" 200 1860 18557"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /api/navigation.json?url=%2Fuser_info HTTP/1.1" 200 1361 61130"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"

10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /nf/user_info? HTTP/1.1" 200 3295 141538"https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"