Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TLS CipherSuites supported in Aruba AP-505

  • 1.  TLS CipherSuites supported in Aruba AP-505

    Posted Sep 13, 2021 09:53 AM

    Hi

    When enabling ap1x in the AP-505 in order to authenticate the AP itself, I see the following cipher suites in the Client Hello message:

    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

    Is it possible to enable other Cipher Suites, e.g. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384?

    Thanks,
    Eyðun E. Jacobsen

    ----- snippet ----
    RADIUS Protocol
    Code: Access-Request (1)
    Packet identifier: 0xcc (204)
    Length: 489
    Authenticator: ba29e417ad2cd286cae1b4c44c370b0c
    [The response to this request is in frame 66533]
    Attribute Value Pairs
    AVP: t=Framed-MTU(12) l=6 val=1492
    AVP: t=NAS-IP-Address(4) l=6 val=192.168.161.4
    AVP: t=NAS-Identifier(32) l=10 val=KLI-SW01
    AVP: t=User-Name(1) l=5 val=ap4
    AVP: t=Service-Type(6) l=6 val=Framed(2)
    AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
    AVP: t=NAS-Port(5) l=6 val=12
    AVP: t=NAS-Port-Type(61) l=6 val=Ethernet(15)
    AVP: t=NAS-Port-Id(87) l=4 val=12
    AVP: t=Called-Station-Id(30) l=19 val=ec-eb-b8-2d-69-40
    AVP: t=Calling-Station-Id(31) l=19 val=34-8a-12-cd-02-82
    AVP: t=Connect-Info(77) l=39 val=CONNECT Ethernet 1000Mbps Full duplex
    AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
    AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
    AVP: t=Tunnel-Private-Group-Id(81) l=3 val=1
    AVP: t=State(24) l=38 val=5e9d06670000013700011700fe800000000000003d90c15bfe721d4700000004327b101a
    Type: 24
    Length: 38
    State: 5e9d06670000013700011700fe800000000000003d90c15bfe721d4700000004327b101a
    AVP: t=EAP-Message(79) l=84 Last Segment[1]
    Type: 79
    Length: 84
    EAP fragment: 0241005219800000004816030300430100003f03036131319f80bd688f7bbc6e07c4601c…
    Extensible Authentication Protocol
    Code: Response (2)
    Id: 65
    Length: 82
    Type: Protected EAP (EAP-PEAP) (25)
    EAP-TLS Flags: 0x80
    1... .... = Length Included: True
    .0.. .... = More Fragments: False
    ..0. .... = Start: False
    .... .000 = Version: 0
    EAP-TLS Length: 72
    Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 67
    Handshake Protocol: Client Hello
    Handshake Type: Client Hello (1)
    Length: 63
    Version: TLS 1.2 (0x0303)
    Random: 6131319f80bd688f7bbc6e07c4601c53db3b53caa914e6bf6b3fc7910227eb36
    Session ID Length: 0
    Cipher Suites Length: 10
    Cipher Suites (5 suites)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
    Compression Methods Length: 1
    Compression Methods (1 method)
    Compression Method: null (0)
    Extensions Length: 12
    Extension: signature_algorithms (len=8)
    Type: signature_algorithms (13)
    Length: 8
    Signature Hash Algorithms Length: 6
    Signature Hash Algorithms (3 algorithms)
    AVP: t=Message-Authenticator(80) l=18 val=2dbf7686fa03fc742017927b678774b1
    Type: 80
    Length: 18
    Message-Authenticator: 2dbf7686fa03fc742017927b678774b1
    AVP: t=Vendor-Specific(26) l=12 vnd=Microsoft(311)
    AVP: t=Vendor-Specific(26) l=15 vnd=Hewlett-Packard(11)
    ------- --------


    ------------------------------
    Eyðun Eli Jacobsen
    ------------------------------
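
Added example (not part of the original thread, and not Aruba or Wireshark code): a small Python audit of the ClientHello shown in the post above. It extracts the offered cipher suite list with length checks and reports what a RADIUS/NAC administrator would care about. `SAMPLE_HELLO` is rebuilt from the dissected fields in the capture (version, random, empty session ID, the five suites, null compression) with the extensions left out; the function names and the finding texts are assumptions of this example.

```python
import struct

# IANA cipher suite IDs: the five seen in the capture plus the two the post asks about.
SUITES = {
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

# ClientHello body reassembled from the fields dissected in the post
# (constructed for this example; the extensions block is omitted).
RANDOM = "6131319f80bd688f7bbc6e07c4601c53db3b53caa914e6bf6b3fc7910227eb36"
SAMPLE_HELLO = bytes.fromhex("0303" + RANDOM + "00" + "000a" + "006b0039006700330016" + "0100")

def offered_suites(body: bytes) -> list:
    """Return the cipher suite IDs from a ClientHello body (bytes after the handshake header)."""
    if len(body) < 35:                      # version(2) + random(32) + session_id_len(1)
        raise ValueError("truncated ClientHello")
    off = 35 + body[34]                     # skip the session ID, if any
    if len(body) < off + 2:
        raise ValueError("missing cipher suite length")
    (n,) = struct.unpack_from("!H", body, off)
    off += 2
    if n % 2 or len(body) < off + n:
        raise ValueError("bad cipher suite length")
    return [struct.unpack_from("!H", body, off + i)[0] for i in range(0, n, 2)]

def audit(ids):
    """Map IDs to names and list weaknesses of the offer (IDs not in SUITES are not judged)."""
    names = [SUITES.get(i, f"UNKNOWN_0x{i:04x}") for i in ids]
    findings = []
    if not any("_GCM_" in n for n in names):
        findings.append("no AEAD (GCM) suite offered, CBC only")
    if any("3DES" in n for n in names):
        findings.append("3DES offered")
    if any(n.endswith("_SHA") for n in names):
        findings.append("HMAC-SHA1 suites offered")
    if not any("_ECDHE_" in n for n in names):
        findings.append("no ECDHE key exchange offered")
    return names, findings
```

For the capture in the post this reports all four findings; the RADIUS server must therefore accept at least one DHE/CBC suite for the AP's PEAP handshake to complete.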


  • 2.  RE: TLS CipherSuites supported in Aruba AP-505

    EMPLOYEE
    Posted Sep 15, 2021 04:18 AM
    I have not seen that configurable on either controller APs or Instant APs. As I don't see responses, please reach out to Aruba Support to ask this question. They can tell if it is possible, and optionally guide you through the required steps to open an enhancement request if needed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: TLS CipherSuites supported in Aruba AP-505

    Posted Sep 15, 2021 06:57 AM
    Thanks,

    I will contact Aruba support.

    Eyðun

    ------------------------------
    Eyðun Eli Jacobsen
    ------------------------------