Wireless Access

Reply
Super Contributor II
Posts: 1,124
Registered: ‎07-13-2010

Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

[ Edited ]

Issued October 10, 2013

 

SUMMARY
The default "Server Certificate" in older ArubaOS releases installed on your Mobility
Controllers and Mobility Access Switches will expire on November 21, 2013.
While this default certificate was never intended for production use, Aruba is aware that a
number of our customers are using this certificate in the production networks typically for
Administrative WebUI and securing the Captive Portal login screen in guest networks.
On Mobility Controllers running ArubaOS_6.1.3.8 or ArubaOS_5.0.4.12 and earlier, and
Mobility Access Switches running ArubaOS_MAS_7.2.3.0 and earlier, customers using the
default Server Certificate should expect to experience following issues when the default
certificate expires on 11/21/2013.

 

Users connecting to Captive Portal or Controller’s WebUI will receive a browser warning

showing that the server certificate has expired. 

Workaround: Users may bypass the warning (with varying degrees of difficulty
depending on the browser) and continue on to use the system normally.
If EAP termination has been enabled for 802.1X, and the default certificate is being
used as the server certificate, many client operating systems will refuse to continue
the authentication process. This will result in an apparent network outage for these
users. Client operating systems may or may not display a warning message to the
user.

Workaround: Disable EAP termination on the controller or switch and let the clients
complete EAP exchanges directly with the authenticator (RADIUS server) as long as
the RADIUS Server has a Server Certificate installed whose Root/Issuing Certificate
Authority is trusted by the clients.

 

SOLUTION

Aruba Networks recommends the following two options, in order of preference, to replace
the default certificate installed on the controllers.
 Option 1: Replace the default certificate with a certificate issued by an internal
certificate authority or a public certificate authority. *This option provides the greatest
security*.

 Option 2: Upgrade ArubaOS software

o On Mobility Controllers running :
 6.1.3.8 and earlier – upgrade to ArubaOS 6.1.3.9 or later
 5.0.4.12 and earlier – upgrade to ArubaOS 5.0.4.13 or later

o On Mobility Access Switches running –
 7.2.3.0 and earlier – upgrade to ArubaOS 7.2.3.1 (available Oct 30, 2013)

This option however, does not provide good security because all Aruba controllers
have the same certificate and impersonation attacks are possible.

 

More information available in the attached document. 

 

 

Sean Rynearson | Chief Airhead
Aruba, a Hewlett Packard Enterprise Company
MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Thanks Sean.  Already send a mass emails to my clients.  We already scheduling upgrades for our clients with local support with us :)

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
New Contributor
Posts: 1
Registered: ‎07-14-2010

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Hi Sean,

 

I did 1 upgrade on a 200 controller without any issues. A customer of ours did an upgrade on 2 800's. On those the certificate wasn't replaced. Could it be that the certificate wasn't replaced in the 800 image for 5.0.4.13? 

 

Regads,

 

Remco

MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Actually i had the same issue but when i upgraded to 6.1.3.10...  the certificate never replaced... so i upgraded it to 6.2.1.4 and now i can see a new certificate which expire in 2017...


The bad thing is that you cannot upgrade it to 6.2.1.4

 

I advice you to open a support case

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 1,442
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Nightshade? How did you know it was not replaced? How did you validate this?

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Well you can see it by looking at the certificate here:

 

certificate1.PNG

 

Thats my office controller which is on  6.2.1.4

 

Now lets see a controller which hasnt been upgraded to the proper firmware

 

certificate3.JPG

 

 

 

You see that it expire on 11/21/2013 in there...

 

Now how did i get in there?

Go to the lock in the browser like this image

certificate4.PNG

 

Click more information

certificate5.PNG

 

And there you go...

 

You can do it on any browser... i used mozilla

 

Hope that helps

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 3,020
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

For some reason when i upgarded to 6.1.3.10 that was not changed... it keep saying that the certificate was expiring on 11/21/2013 so i just upgarded it to 6.2.1.4...

 

I saw on another controller which is on 6.1.3.9 which it DID changed it to  2017 which is okay...

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 1,442
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Awesome thanks.
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Guru Elite
Posts: 21,561
Registered: ‎03-29-2007

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

There was indeed a bug in 5.0.4.13 where it did not replace the certificate on the 800 platform. 5.0.4.14 has been released to remedy that.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP
Posts: 1,442
Registered: ‎10-25-2011

Re: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

Has anyone received any complaints for IOS devices having to accept the new certificates and specifically IOS7 devices having to accept multiple times??
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Search Airheads
Showing results for 
Search instead for 
Did you mean: