Requirement:
This article explains how to set up certificate authentication and two-factor authentication for the Airwave web UI.
Solution:
Airwave allows the administrator to specify whether a client certificate is required during authentication and whether to use two-factor authentication (certificate plus user login, i.e. username and password) when logging in to the Airwave WebUI.
Configuration:
- Generate a client certificate to use when logging in to the Airwave web UI.
Note: Airwave uses the "otherName" value from the certificate's subjectAltName as the login username. Make sure the certificate contains a valid otherName field whose value is the Airwave username that should be logged in. The OID used in this example, 1.3.6.1.4.1.311.20.2.3, is the Microsoft User Principal Name (UPN) otherName type.
This example uses openssl to generate the client certificate CSR with the required fields.
- Import the signed client certificate together with its private key (PFX/PKCS#12 file) into the web browser that will be used to log in to the Airwave UI.
Steps:
Sample csr_details.txt config file:
--------
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
# Lets the v3_req section be picked up even without -reqexts on the command line
req_extensions = v3_req
[ dn ]
C=US
ST=California
L=Santa Clara
O=Aruba Networks
OU=NSLAB
emailAddress=nimal@hpe.com
CN = nimalamplogin
[v3_req]
# otherName with the Microsoft UPN OID; the UTF8 value becomes the Airwave login username
subjectAltName = "otherName:1.3.6.1.4.1.311.20.2.3;UTF8:nimalamplogin"
--------
Sample openssl command to generate the CSR and private key file:
openssl req -new -nodes -newkey rsa:2048 -reqexts v3_req -config csr_details.txt -keyout privatekey.pkey -out cert.csr
Note: -nodes writes the private key unencrypted; protect privatekey.pkey accordingly, or omit -nodes to be prompted for a passphrase.
Submit the CSR to the certificate authority whose CA certificate bundle will be configured on Airwave and obtain the signed certificate (nimalamplogin.pem below). Check that the issued certificate still contains the otherName subjectAltName, since not every CA copies requested extensions from a CSR.
Sample command to generate a pfx file combining the certificate and private key file (you will be prompted for an export password, which the browser asks for on import):
openssl pkcs12 -export -out nimalamplogin.pfx -inkey privatekey.pkey -in nimalamplogin.pem
- Configure the Airwave server to use the certificate for WebUI login.
From the AMP Setup > Authentication page, set the “Enable Certificate Authentication” field to Yes.
Paste the PEM-encoded CA certificate bundle (the CA that signed the client certificates) into the “CA Certificate Bundle” field.
Notes:
Set the “Require Certificate to Authenticate” field to Yes if a certificate must be presented to log in to the Airwave WebUI.
Set the “Use Two-Factor Authentication” field to Yes to require both the certificate and the user login (username and password).
Verification:
Log in to the Airwave server WebUI using the client certificate generated above.
In /var/log/httpd/access_log, verify the authentication status: the third field (the authenticated user) shows the username taken from the certificate's otherName on the POST /LOGIN request and on the authenticated requests that follow, while requests with no mapped identity show "-".
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:33 -0700] "POST /LOGIN HTTP/1.1" 302 266 110784 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.5.80.209 - - [28/Jul/2017:17:28:33 -0700] "GET /index.html HTTP/1.1" 200 1170 64811 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:33 -0700] "GET /api/user_prefs.json HTTP/1.1" 200 1539 19021 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.5.80.209 - - [28/Jul/2017:17:28:33 -0700] "GET /frappe/script/Locale-en.json HTTP/1.1" 200 29 234 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /amp_stats.json HTTP/1.1" 200 1860 18557 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /api/navigation.json?url=%2Fuser_info HTTP/1.1" 200 1361 61130 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /nf/user_info? HTTP/1.1" 200 3295 141538 "https://10.162.112.230/user_info" "User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0"
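A small triage of the access_log check described above, as an added example that is not part of the original article. It pulls out every POST /LOGIN attempt with the client IP, the user mapped from the certificate, and the HTTP status, and counts how many requests carried a mapped identity. The log lines are constructed to mirror the article's sample; the final line (a login from a second host with no mapped user and a 403) is an assumed failure case to show what a request without a usable certificate looks like, not output captured from Airwave.

```shell
#!/bin/sh
# Added example: triage httpd access_log lines from an Airwave certificate login.
# Apache combined-format fields: $1 client IP, $3 authenticated user ("-" when no
# identity was mapped), $6/$7 method and path (with the opening quote on $6),
# $9 HTTP status.
set -e

# Constructed sample log (modelled on the article's lines; last line is an assumed failure case).
SAMPLE_LOG='10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:33 -0700] "POST /LOGIN HTTP/1.1" 302 266 "https://10.162.112.230/user_info" "Mozilla/5.0"
10.5.80.209 - - [28/Jul/2017:17:28:33 -0700] "GET /index.html HTTP/1.1" 200 1170 "https://10.162.112.230/user_info" "Mozilla/5.0"
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:33 -0700] "GET /api/user_prefs.json HTTP/1.1" 200 1539 "https://10.162.112.230/user_info" "Mozilla/5.0"
10.5.80.209 - - [28/Jul/2017:17:28:33 -0700] "GET /frappe/script/Locale-en.json HTTP/1.1" 200 29 "https://10.162.112.230/user_info" "Mozilla/5.0"
10.5.80.209 - nimalamplogin [28/Jul/2017:17:28:34 -0700] "GET /amp_stats.json HTTP/1.1" 200 1860 "https://10.162.112.230/user_info" "Mozilla/5.0"
10.5.80.220 - - [28/Jul/2017:17:31:02 -0700] "POST /LOGIN HTTP/1.1" 403 512 "https://10.162.112.230/" "Mozilla/5.0"'

# One line per login attempt on stdin: "<ip> <mapped user or -> <status>".
login_attempts() {
    awk '$6 == "\"POST" && $7 == "/LOGIN" { print $1, $3, $9 }'
}

# Number of requests on stdin that carried a certificate-mapped username.
count_authenticated() {
    awk '$3 != "-" { n++ } END { print n + 0 }'
}

# Succeeds if user $2 logged in from IP $1 and got the 302 redirect seen after a good login.
login_ok() {
    login_attempts | grep -q "^$1 $2 302\$"
}

printf '%s\n' "$SAMPLE_LOG" | login_attempts
printf '%s\n' "$SAMPLE_LOG" | count_authenticated
```

Run it against the real file with `login_attempts < /var/log/httpd/access_log`; a POST /LOGIN whose user field is "-" means the request reached the login handler without any username mapped from a certificate, which is the first thing to check when certificate login is not working (wrong CA bundle, missing otherName, or the certificate not selected in the browser).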