MVP
Posts: 1,412
Registered: ‎11-30-2011

2048 bits cert for guest access on arubaos 5.x?

looking at the recent advisory about the expiration of the built-in certificate i'm wondering about older aruba controllers (i.e. 800, 2400) which can't run 6.x. they can't use more than 1024 bits certificates for the Administrative WebUI (and EAP termination), but what about the guest portal, can they use the 2048 bits certificates there?

if so, would it be possible to export the publicly signed CA certificate from a recent 6.x arubaos controller and use it just for guest access?

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 2048 bits cert for guest access on arubaos 5.x?


boneyard wrote:

looking at the recent advisory about the expiration of the built-in certificate i'm wondering about older aruba controllers (i.e. 800, 2400) which can't run 6.x. they can't use more than 1024 bits certificates for the Administrative WebUI (and EAP termination), but what about the guest portal, can they use the 2048 bits certificates there?

if so, would it be possible to export the publicly signed CA certificate from a recent 6.x arubaos controller and use it just for guest access?


5.x cannot use 2048 bit certificates, unfortunately.

 

The certificate that is needed is the server certificate and the private key.  The built in server certificate and the private key cannot be exported from 6.x, unfortunately.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: 2048 bits cert for guest access on arubaos 5.x?

is that "cannot use 2048 bits certificates" period? because in a thread like this it seems you can "use" 2048 bits certificates for guest access in 3.x already:

http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Aruba6000-Version-3-4-5-1-Switched-form-1024-to-2048-bit-cert/td-p/86138

 

with nothing mentioned about it not working in 5.x. The PDF explaining the issue only clearly mentions "ArubaOS 5.x accepts only 1024-bit Server Certificate for Administrative WebUI." so nothing on either EAP or guest access. i can understand this might be the same for the others, but it doesn't become really clear.

 

the export part is clear, thanks cjoseph. i assume requesting a certificate for securelogin.arubanetworks.com isn't going to be allowed if you don't own the domain. so if we would request securelogin.owndomain.com is it just a matter of changing the guest access cert to make this work right?

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 2048 bits cert for guest access on arubaos 5.x?

[ Edited ]

"If you are running any release prior to 6.1, you may use a certificate with a 2048-bit or 4096-bit key only for captive portal and WebUI. 802.1X EAP termination supports only 1024-bit keys. For WebUI or captive portal, performance is the greatest with smaller key sizes, but security is slightly reduced." - This is the latest from the Support Advisory. Things can change over time, so it is best to look at the last official set of information for the correct details.

 

You would request a certificate for whatever domain you want, correct (yours is preferable).

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: 2048 bits cert for guest access on arubaos 5.x?

sorry but i'm even more confused now, can or can't i use a 2048 bits certificate for captive portal with version 5.x (to be really specific 5.0.4.13)?

the line you quote says you should be able to for captive portal and webui, while the line i quoted from the same document says you can't use 2048 bits for webui (but mentions nothing about captive portal).

in my opinion it would be worth for aruba to clarify this in an updated advisory with a simple table or such. so per use: webui, captive portal, eap termination and the certificate key size.

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 2048 bits cert for guest access on arubaos 5.x?

We will get someone to clarify. 

 

Thank you for pointing that out.

 



Colin Joseph
Aruba Customer Engineering


Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 2048 bits cert for guest access on arubaos 5.x?


boneyard wrote:

sorry but i'm even more confused now, can or can't i use a 2048 bits certificate for captive portal with version 5.x (to be really specific 5.0.4.13)?

the line you quote says you should be able to for captive portal and webui, while the line i quoted from the same document says you can't use 2048 bits for webui (but mentions nothing about captive portal).

in my opinion it would be worth for aruba to clarify this in an updated advisory with a simple table or such. so per use: webui, captive portal, eap termination and the certificate key size.


Boneyard,

 

The advisory has been updated to clarify. You can use a 2048 bit certificate for both Captive Portal and WebUI on 5.x. You just cannot use a 2048 bit for EAP Termination.

http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=12213

"If you are running any release prior to 6.1, you may use a certificate with a 2048-bit or 4096-bit key only for captive portal and WebUI. 802.1X EAP termination supports only 1024-bit keys".

 

Thank you for your patience.



Colin Joseph
Aruba Customer Engineering
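
A pre-upload check for the key-size limits stated in the updated advisory quoted above, added here as an example and not taken from the thread or from Aruba. The use labels (`captive-portal`, `webui`, `eap-termination`), the function names, the file names and the list of accepted sizes are this script's own assumptions; `securelogin.owndomain.com` is the placeholder hostname used earlier in the thread.

```shell
#!/bin/sh
# Added example: check a certificate's key size against the limits the
# advisory gives for ArubaOS releases prior to 6.1, before uploading it.
# Use labels and accepted sizes are assumptions of this script.

# Create a 2048-bit key and a CSR for portal hostname $1 in directory $2.
make_portal_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$2/portal.key" -out "$2/portal.csr" \
        -subj "/CN=$1" 2>/dev/null
}

# Print the public-key size in bits of the PEM certificate $1.
# OpenSSL 1.1.x prints "RSA Public-Key: (N bit)", 3.x "Public-Key: (N bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Return 0 if a key of $2 bits is usable for use $1 on a pre-6.1 release.
key_size_ok_pre61() {
    case "$1" in
        captive-portal|webui)
            case "$2" in 1024|2048|4096) return 0 ;; esac ;;
        eap-termination)
            [ "$2" = 1024 ] && return 0 ;;
    esac
    return 1
}

# usage: check_cert_pre61 <use> <cert.pem>
# An unreadable certificate yields an empty size and is rejected.
check_cert_pre61() {
    bits=$(cert_key_bits "$2")
    if key_size_ok_pre61 "$1" "$bits"; then
        echo "OK: $bits-bit key accepted for $1"
    else
        echo "REJECT: ${bits:-unknown}-bit key not usable for $1"
        return 1
    fi
}

# Run as: sh check.sh captive-portal signed-cert.pem
if [ "$#" -eq 2 ]; then
    check_cert_pre61 "$1" "$2"
fi
```
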


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: 2048 bits cert for guest access on arubaos 5.x?

thanks for getting that clarified cjoseph.

 

would it then be possible to also add the 2048 bits certificate to a new 5.x release so customers still can use an Aruba provided publicly CA signed certificate?

Guru Elite
Posts: 20,761
Registered: ‎03-29-2007

Re: 2048 bits cert for guest access on arubaos 5.x?

[ Edited ]

boneyard wrote:

thanks for getting that clarified cjoseph.

 

would it then be possible to also add the 2048 bits certificate to a new 5.x release so customers still can use an Aruba provided publicly CA signed certificate?


Boneyard,

  

 

Aruba has for years recommended replacing all certificates with your own cert and not using the built-in ones.  The new 2048 bit built-in certificate for the Administration WebUI and Captive Portal will be self-signed to reflect the fact that it is a security best practice to replace it.

 



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,412
Registered: ‎11-30-2011

Re: 2048 bits cert for guest access on arubaos 5.x?

Totally understandable, still for the 6.x version it seems (mentioned in the advisory) a new certificate signed by a public CA is provided. But for the 5.x version this doesn't happen, while we now have determined it can be used. So why the difference?
