Occasional Contributor II

CPSec Switch-Cert and Factory-Cert

Hi!

We are currently installing a new WLAN for a large public customer with 2500+ APs. Control plane security is enabled and we have observed that some APs are provisioned with "factory-cert" and some are using the "switch-cert".

My understanding is: if the AP comes with a pre-installed factory certificate, that is used for CPsec; if it comes without one, the switch certificate is installed.

Now the customer has concerns that the factory-cert may be less secure than the switch-cert.

Therefore my question: what is the factory-cert? Is it a default one which is used for all APs, or is it an individual certificate for every AP?

If it is a default certificate, which would be less secure, is there a way to delete it from the AP to force the installation of the switch certificates?

Thanks a lot for every answer!

Best regards

Markus

Aruba

Re: CPSec Switch-Cert and Factory-Cert

The "factory-cert" is unique to each AP and stored on the TPM chip of the AP. When using control plane security, this is typically the certificate used to identify/authorize the AP. APs without a TPM chip will typically be issued a "switch-cert" from the controller.

Below is an example of a factory cert on an AP-225 TPM. The CN (Common Name) is unique to the serial number/MAC Address of the AP (altered below).

Version :3
Serial Number :33:5B:2B:7E:00:00:00:51:BC:60
Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
Subject :/CN=CT078XXXX::84:d4:7e:XX:XX:XX
Issued On :Nov 12 05:23:28 2015 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
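The reply above answers the "is it one shared cert or one per AP" question by pointing at the CN. The following is an added example, not code from the thread or from Aruba: a small Python checker that parses a factory-cert dump in the field format shown above, pulls the AP serial and MAC out of the CN, and cross-checks it against the MAC you would have in the whitelist-db entry (issuer, validity window, key size), plus a fleet-wide check that no two APs report the same certificate serial number, which is what a shared "default" cert would look like. The expected issuer string is taken from the posted dump and is an assumption for your own deployment; the function names, `parse_date` helper and the embedded sample dump are constructed for this example. The dump's "Signed Using :SHA1-RSA" is surfaced as a warning, since SHA-1 is a deprecated signature hash, without treating it as a reason the AP cannot be trusted.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the factory-cert dump from the reply above, with the
# same masked serial/MAC values. It is not taken from a live controller.
CERT_DUMP = """\
Version :3
Serial Number :33:5B:2B:7E:00:00:00:51:BC:60
Issuer :/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5
Subject :/CN=CT078XXXX::84:d4:7e:XX:XX:XX
Issued On :Nov 12 05:23:28 2015 GMT
Expires On :Sep 14 03:21:14 2032 GMT
Signed Using :SHA1-RSA
RSA Key size :2048 bits
"""

# Assumption: the issuer shown in the posted dump is the device CA you expect
# on every factory cert in your deployment. Adjust if your APs chain elsewhere.
EXPECTED_ISSUER = "/UID=com/UID=arubanetworks/UID=dc-device-ca5/CN=device-ca5"
DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_cert_dump(text):
    """Split 'Field :value' lines into a dict; the first colon is the separator,
    so colon-separated values (serial number, MAC) survive intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_date(s):
    """'Nov 12 05:23:28 2015 GMT' -> timezone-aware datetime."""
    return datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc)


def split_cn(subject):
    """Return (ap_serial, mac) from a subject of the form /CN=<serial>::<mac>."""
    m = re.search(r"/CN=([^/]+?)::([^/]+)", subject)
    if not m:
        raise ValueError("subject CN is not <serial>::<mac>: %r" % subject)
    return m.group(1), m.group(2).lower()


def assess_factory_cert(dump, whitelisted_mac, now=None):
    """Cross-check one AP's factory cert against the MAC in its whitelist entry.

    Returns (ok, failures, warnings). Hard failures: unexpected issuer, MAC in the
    CN differs from the whitelisted MAC, outside the validity window, RSA < 2048.
    """
    now = now or datetime.now(timezone.utc)
    c = parse_cert_dump(dump)
    failures, warnings = [], []

    if c.get("Issuer") != EXPECTED_ISSUER:
        failures.append("issuer %r is not the expected device CA" % c.get("Issuer"))

    _ap_serial, mac = split_cn(c.get("Subject", ""))
    if mac != whitelisted_mac.lower():
        failures.append("cert MAC %s != whitelisted MAC %s" % (mac, whitelisted_mac))

    issued, expires = parse_date(c["Issued On"]), parse_date(c["Expires On"])
    if not issued <= now < expires:
        failures.append("not valid at %s (window %s .. %s)" % (now, issued, expires))

    bits = int(c["RSA Key size"].split()[0])
    if bits < 2048:
        failures.append("RSA key is only %d bits" % bits)

    # SHA-1 is a deprecated signature hash; on a device cert chained to a
    # private CA this is a finding to record, not a reason the AP fails to join.
    if "SHA1" in c.get("Signed Using", "").upper():
        warnings.append("signature uses SHA-1 (%s)" % c["Signed Using"])

    return not failures, failures, warnings


def find_shared_serials(dumps):
    """Fleet-wide uniqueness check: a certificate serial number that appears on
    more than one AP would mean a shared cert. Returns {cert_serial: [ap_serials]}."""
    seen = {}
    for d in dumps:
        c = parse_cert_dump(d)
        ap_serial, _ = split_cn(c["Subject"])
        seen.setdefault(c["Serial Number"], []).append(ap_serial)
    return {s: aps for s, aps in seen.items() if len(aps) > 1}


if __name__ == "__main__":
    ok, fails, warns = assess_factory_cert(
        CERT_DUMP, "84:D4:7E:XX:XX:XX", now=parse_date("Jan 01 00:00:00 2020 GMT"))
    print("OK" if ok else "FAIL", fails, warns)
    # A second AP with the same cert serial would be reported here.
    print(find_shared_serials([CERT_DUMP, CERT_DUMP.replace("CT078XXXX", "CT079XXXX")]))
```

To use this against a real fleet, collect one dump per AP and feed the list to `find_shared_serials`; an empty result is the evidence that the factory cert is per-device rather than a default shared across APs.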

Occasional Contributor II

Re: CPSec Switch-Cert and Factory-Cert

Hi!

Thanks very much for the answer, I was not able to find that information anywhere else!

So I can convince the customer that the factory-cert is secure and we don't need to worry about that!

Thanks again!

Markus

Regular Contributor I

Re: CPSec Switch-Cert and Factory-Cert

CPSEC config

[Screenshot 1.PNG: CPSEC config]

I have an AP205.

[Screenshot 3.PNG]

Below is the entry in whitelist-db.

Does this AP actually come up with the factory cert or the switch cert?

[Screenshot 2.PNG: whitelist-db entry]

Dec 17 20:26:39 fpcli: USER:admin@10.9.225.230 COMMAND:<control-plane-security > -- command executed successfully
Dec 17 20:26:44 fpcli: USER:admin@10.9.225.230 COMMAND:<control-plane-security no auto-cert-prov > -- command executed successfully
Dec 17 20:27:52 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec purge > -- command executed successfully
Dec 17 20:30:50 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec add mac-address "ac:a3:1e:c0:9e:1c" ap-group "default" ap-name "ac:a3:1e:c0:9e:1c" > -- command executed successfully
Dec 17 20:31:07 fpcli: USER:admin@10.9.225.230 COMMAND:<apboot ap-name "ac:a3:1e:c0:9e:1c" > -- command executed successfully
Dec 17 20:31:31 fpcli: USER:admin@10.9.225.230 COMMAND:<logging level debugging security > -- command executed successfully
Dec 17 20:53:55 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type switch-cert > -- command executed successfully
Dec 17 20:54:42 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type factory-cert > -- command executed successfully
Dec 17 20:54:49 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type switch-cert > -- command executed successfully

Occasional Contributor II

Re: CPSec Switch-Cert and Factory-Cert

Hi!

It is running with Factory-Cert as you can see in the state! It is configured to use the switch cert, but as it has the built-in factory cert, this one is used...!

BR

Markus
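The audit log in the post two above records what the administrator configured in the whitelist-db (the cert-type attribute flipped between switch-cert and factory-cert three times in under a minute), while the reply just above makes the point that the AP's actual state is what counts. The following is an added example, not code from the thread: a Python replay of those fpcli audit lines that rebuilds the configured whitelist state per MAC and counts cert-type changes, so that on a large deployment you can diff "configured cert-type" from the audit trail against the state the controller reports for each AP. The log text is a constructed copy of the posted lines; the line format regex, the function names and the assumption that enabling auto-cert-prov is logged as the same command without "no" are all this example's own.

```python
import re

# Constructed sample: the fpcli audit lines from the post above, copied as posted.
AUDIT_LOG = """\
Dec 17 20:26:39 fpcli: USER:admin@10.9.225.230 COMMAND:<control-plane-security > -- command executed successfully
Dec 17 20:26:44 fpcli: USER:admin@10.9.225.230 COMMAND:<control-plane-security no auto-cert-prov > -- command executed successfully
Dec 17 20:27:52 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec purge > -- command executed successfully
Dec 17 20:30:50 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec add mac-address "ac:a3:1e:c0:9e:1c" ap-group "default" ap-name "ac:a3:1e:c0:9e:1c" > -- command executed successfully
Dec 17 20:31:07 fpcli: USER:admin@10.9.225.230 COMMAND:<apboot ap-name "ac:a3:1e:c0:9e:1c" > -- command executed successfully
Dec 17 20:31:31 fpcli: USER:admin@10.9.225.230 COMMAND:<logging level debugging security > -- command executed successfully
Dec 17 20:53:55 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type switch-cert > -- command executed successfully
Dec 17 20:54:42 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type factory-cert > -- command executed successfully
Dec 17 20:54:49 fpcli: USER:admin@10.9.225.230 COMMAND:<whitelist-db cpsec modify mac-address "ac:a3:1e:c0:9e:1c" cert-type switch-cert > -- command executed successfully
"""

# Audit line shape as posted: "<timestamp> fpcli: USER:<user> COMMAND:<cmd > -- command executed successfully"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) fpcli: USER:(?P<user>\S+) "
    r"COMMAND:<(?P<cmd>.*?) ?> -- command executed successfully$")
MAC_RE = re.compile(r'mac-address "([0-9a-fA-F:]+)"')
KV_RE = re.compile(r'(ap-group|ap-name) "([^"]*)"')
CERT_RE = re.compile(r"cert-type (\S+)")


def replay_whitelist_audit(text):
    """Replay the CPsec / whitelist-db commands in order and return the resulting
    configured state. Other commands (apboot, logging) are skipped; lines that do
    not match the audit format are kept under 'unparsed' rather than dropped."""
    state = {"auto_cert_prov": None, "entries": {}, "unparsed": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            if line.strip():
                state["unparsed"].append(line)
            continue
        ts, user, cmd = m.group("ts", "user", "cmd")
        if cmd.startswith("control-plane-security") and "auto-cert-prov" in cmd:
            # Only the 'no auto-cert-prov' form appears in the post; the enabling
            # form is assumed to be the same command without 'no'.
            state["auto_cert_prov"] = not cmd.endswith("no auto-cert-prov")
        elif cmd == "whitelist-db cpsec purge":
            state["entries"].clear()
        elif cmd.startswith("whitelist-db cpsec add "):
            mac = MAC_RE.search(cmd).group(1).lower()
            entry = {"cert_type": None, "history": [(ts, user, "add")]}
            entry.update(KV_RE.findall(cmd))  # ap-group, ap-name
            state["entries"][mac] = entry
        elif cmd.startswith("whitelist-db cpsec modify "):
            mac = MAC_RE.search(cmd).group(1).lower()
            entry = state["entries"].setdefault(mac, {"cert_type": None, "history": []})
            ct = CERT_RE.search(cmd)
            if ct:
                entry["cert_type"] = ct.group(1)
                entry["history"].append((ts, user, "cert-type " + ct.group(1)))
    return state


def cert_type_changes(state):
    """How many times each whitelisted MAC had its cert-type modified; repeated
    flips within minutes are the churn to look for when an AP keeps coming up
    with a different cert than the one configured."""
    return {mac: sum(1 for _, _, what in e["history"] if what.startswith("cert-type"))
            for mac, e in state["entries"].items()}


if __name__ == "__main__":
    s = replay_whitelist_audit(AUDIT_LOG)
    print("auto-cert-prov:", s["auto_cert_prov"])
    for mac, e in s["entries"].items():
        print(mac, "configured cert-type:", e["cert_type"],
              "changes:", cert_type_changes(s)[mac])
```

The replay only tells you the configured value (switch-cert at the end of this log); the cert the AP actually presented is only visible in the controller's state output, which is exactly the gap the last reply points at.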
