Problem:
When logging in to the controller WebUI, the following error is displayed in the browser:
"X509 Certificate is needed to access this system"
Diagnostics:
One reason for this error is that "Management user's WebUI access method" under the Web Server profile is set to certificate while no management users have been added to use certificate authentication.
This can be confirmed using the commands below.
(Aruba-7200) [mynode] (Web Server Configuration) #show web-server profile
Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              certificate
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085
(Aruba-7200) [mynode] #show mgmt-user webui-cacert
Management WebUI Certificate User Table
---------------------------------------
CA-CERT SERIAL USER ROLE STATUS Max-concurrent-sessions PATH
------- ------ ---- ---- ------ ----------------------- ----
<--- No Users are configured here
Solution
There are 2 solutions outlined below; choose one based on your requirement.
Solution 1:
If you wish to use certificate-based authentication, use the command below to add the management user with the certificate information.
configure terminal
mgmt-user webui-cacert <name of the RootCA Certificate> serial <Serial number of the client certificate> <username> <management role>
Example:
mgmt-user webui-cacert Aruba_cert_new_CA serial 1d0000000e4945783710f44bb700010000000e labuser1 root
To Validate:
(Aruba-7200) [mynode] (Web Server Configuration) #show web-server profile
Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              certificate
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085
(Aruba-7200) [mynode] (Web Server Configuration) #show mgmt-user webui-cacert
Management WebUI Certificate User Table
---------------------------------------
CA-CERT            SERIAL                                  USER      ROLE  STATUS  Max-concurrent-sessions  PATH
-------            ------                                  ----      ----  ------  -----------------------  ----
Aruba_cert_new_CA  1D0000000E4945783710F44BB700010000000E  labuser1  root  ACTIVE  N/A                      /
Solution 2:
If you would like to keep management authentication with just username and password, use the commands below to avoid this error.
configure terminal
web-server profile mgmt-auth username/password
To validate:
(Aruba-7200) [mynode] (Web Server Configuration) #show web-server profile
Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              username/password
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085
This will get rid of the error and will let you log in using username and password.
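
The check from the Diagnostics section and the serial validation from Solution 1, written as an added Python example (not part of the original article and not Aruba's code): it reads saved output of "show web-server profile" and "show mgmt-user webui-cacert" and reports whether certificate login is required while the certificate user table is empty. The sample output is constructed from the output shown on this page, and the function names are hypothetical.

```python
import re

# Constructed sample output, modelled on the command output on this page.
PROFILE = """\
Web Server Configuration
------------------------
Parameter                                Value
---------                                -----
Switch Certificate                       Aruba_cert_new
Management user's WebUI access method    certificate
"""
USERS_EMPTY = """\
Management WebUI Certificate User Table
---------------------------------------
CA-CERT  SERIAL  USER  ROLE  STATUS  Max-concurrent-sessions  PATH
-------  ------  ----  ----  ------  -----------------------  ----
"""
USERS_ONE = USERS_EMPTY + (
    "Aruba_cert_new_CA  1D0000000E4945783710F44BB700010000000E  "
    "labuser1  root  ACTIVE  N/A  /\n")

def access_method(profile_text):
    """Value of "Management user's WebUI access method", or None."""
    m = re.search(r"^Management user's WebUI access method\s+(\S+)\s*$",
                  profile_text, re.M)
    return m.group(1) if m else None

def cert_users(table_text):
    """Rows under the dashed column ruler, as dicts keyed by column name."""
    lines = table_text.splitlines()
    for i, line in enumerate(lines):
        if i and re.fullmatch(r"-+(\s+-+)+\s*", line):  # multi-column ruler
            header = lines[i - 1].split()
            rows = (l.split() for l in lines[i + 1:])
            return [dict(zip(header, r)) for r in rows if len(r) == len(header)]
    return []

def webui_lockout(profile_text, table_text):
    """True if certificate login is required but no certificate user exists."""
    return (access_method(profile_text) == "certificate"
            and not cert_users(table_text))

def serial_registered(table_text, serial_hex):
    """Match a client-certificate serial, ignoring case and ':' separators."""
    want = serial_hex.replace(":", "").upper()
    return any(u["SERIAL"].upper() == want for u in cert_users(table_text))

if __name__ == "__main__":
    print("lockout, empty table:", webui_lockout(PROFILE, USERS_EMPTY))
    print("lockout, one user:   ", webui_lockout(PROFILE, USERS_ONE))
```

The serial comparison ignores case because the article enters the serial in lowercase and the table displays it in uppercase.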