The point of having a central authorization and audit/accounting point is not present in LDAPs.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Jan 08, 2021 08:36 AM
From: marcel koedijk
Subject: Adding certificate to AirWave
Thanks Herman! Didn't know that TACACS+ also has weaknesses, but as you said it's a good thing to use a dedicated and separated management VLAN.
If the known issue in Airwave is fixed, it sounds like LDAP over SSL is more secure than RADIUS/TACACS+. Is it OK to use LDAP over SSL rather than TACACS+, or are there some other things to consider?
------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
Original Message:
Sent: Jan 08, 2021 08:18 AM
From: Herman Robers
Subject: Adding certificate to AirWave
Let me partially disagree with that on the point that encryption on either RADIUS or TACACS+ should not be relied on, as both are either absent, extremely weak or broken.
From a security standpoint, consider all TACACS+ or RADIUS traffic as 'sensitive' and make sure it is not passing through points where it can be easily sniffed or make sure it is sent through a VPN tunnel or similar. Note that 802.1X uses a TLS tunnel inside the RADIUS in most cases (EAP-PEAP, EAP-TTLS), so passwords are protected in that scenario by TLS. EAP-TLS doesn't use passwords.
What remains is that, historically, TACACS+ is more used for admin authentication of network devices and RADIUS for other purposes including network authentication.
To come back to the original question around Airwave authentication, using TACACS+ or RADIUS may have the benefit over LDAP that you have the access decision on your ClearPass (or other RADIUS/TACACS+ server) based on multiple checks, instead of on the Airwave, where you can filter on AD groups but that is configured on Airwave itself. You also have an external audit trail of who logged in when on the ClearPass.
------------------------------
Herman Robers
Original Message:
Sent: Jan 07, 2021 02:14 PM
From: marcel koedijk
Subject: Adding certificate to AirWave
That's correct, at the moment LDAP over SSL is a known issue.
RADIUS will work fine, but TACACS+ will be a better choice, because:
- RADIUS = UDP
- TACACS+ = TCP (which has a control mechanism)
- RADIUS only encrypts the password with the PSK; the other attributes and the username are plaintext.
- TACACS+ encrypts the full frame with the PSK.
So it's better to use TACACS+ for login authentication; RADIUS is better for network authentication.
------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
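Editor's note: the two posts above disagree on how much the RADIUS and TACACS+ "encryption" is worth, so here is what both protocols actually do, as an added example that is not from the thread or from Aruba/HPE. It implements the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5 in plain Python, then shows the property that makes Herman's point: both are MD5 keystreams keyed by the shared secret plus fields that travel in the clear (Request Authenticator; session id, version and sequence number), so one captured packet is enough to test secret guesses offline. The secret, key, authenticator, session id, wordlists and packet bodies are constructed for the example.

```python
"""RADIUS (RFC 2865 s5.2) and TACACS+ (RFC 8907 s4.5) payload hiding, and why
one captured packet lets an attacker test shared-secret guesses offline.
Added example, not from the thread or from Aruba/HPE. Stdlib only; every
secret, authenticator, session id, wordlist and packet body is CONSTRUCTED."""
import hashlib


def _md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# --- RADIUS User-Password attribute ------------------------------------------
def radius_hide_password(secret, authenticator, password):
    """c_1 = p_1 XOR MD5(S|RA), c_i = p_i XOR MD5(S|c_{i-1}); password NUL-padded to 16n bytes."""
    padded = password.ljust(max(1, (len(password) + 15) // 16) * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _md5(secret, prev))
        out += prev
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse: needs only the shared secret and fields sent in clear in the Access-Request."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], _md5(secret, prev))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


# --- TACACS+ body obfuscation ------------------------------------------------
def tacacs_keystream(key, session_id, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no), MD5_n = MD5(...|MD5_{n-1}), concatenated."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = _md5(session_id, key, bytes([version, seq_no]), prev)
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key, session_id, version, seq_no, body):
    """body XOR keystream; the same call de-obfuscates. The 12-byte header is never hidden."""
    return _xor(body, tacacs_keystream(key, session_id, version, seq_no, len(body)))


def tacacs_authen_start(user, port, rem_addr, data, action=1, priv_lvl=1, authen_type=2, service=1):
    """Authentication START body (RFC 8907 s5.1); with authen_type=2 (PAP) `data` is the password."""
    hdr = bytes([action, priv_lvl, authen_type, service, len(user), len(port), len(rem_addr), len(data)])
    return hdr + user + port + rem_addr + data


# --- offline secret guessing from a single captured packet -------------------
def looks_like_password(plain):
    """A correct RADIUS guess decodes to printable bytes followed only by NUL padding."""
    return bool(plain) and all(0x20 <= c < 0x7F for c in plain)


def looks_like_authen_start(body):
    """A correct TACACS+ guess decodes to a START header whose length fields add up."""
    if len(body) < 8:
        return False
    action, priv, atype, _svc, ul, pl, rl, dl = body[:8]
    return action in (1, 2, 4) and priv <= 15 and 1 <= atype <= 6 and 8 + ul + pl + rl + dl == len(body)


def crack_radius_secret(wordlist, authenticator, hidden):
    """Try each candidate secret against one captured User-Password; None if no hit."""
    return next((s for s in wordlist
                 if looks_like_password(radius_reveal_password(s, authenticator, hidden))), None)


def crack_tacacs_key(wordlist, session_id, version, seq_no, encrypted_body):
    """Same idea for TACACS+: session id, version and seq_no are read from the clear header."""
    return next((k for k in wordlist
                 if looks_like_authen_start(tacacs_obfuscate(k, session_id, version, seq_no, encrypted_body))), None)


if __name__ == "__main__":
    ra = bytes(range(16))                       # constructed Request Authenticator
    hidden = radius_hide_password(b"s3cr3t", ra, b"Welcome2021!")
    print("RADIUS secret recovered:", crack_radius_secret([b"password", b"aruba", b"s3cr3t"], ra, hidden))
    sid = b"\xde\xad\xbe\xef"                   # constructed TACACS+ session id, version 0xC0, seq 1
    enc = tacacs_obfuscate(b"tacacs-key", sid, 0xC0, 1,
                           tacacs_authen_start(b"admin", b"tty0", b"10.0.0.5", b"Welcome2021!"))
    print("TACACS+ key recovered:", crack_tacacs_key([b"password", b"aruba", b"tacacs-key"], sid, 0xC0, 1, enc))
```

The practical reading: the strength of both schemes is exactly the strength of the shared secret against offline guessing, and with TACACS+ the PAP password sits inside the obfuscated body, so a recovered key exposes every password in every captured session keyed with it. That is why the advice in the thread to keep this traffic on a dedicated management VLAN or inside a VPN, and to rely on the TLS tunnel (EAP-PEAP/EAP-TTLS) or on EAP-TLS for 802.1X, stands regardless of which of the two protocols is chosen.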
Original Message:
Sent: Jan 07, 2021 02:02 PM
From: Ken Sauter
Subject: Adding certificate to AirWave
I was using LDAP to authenticate to management page of AirWave. I was thinking about RADIUS as well.
I did open a case and was able to add certificates, but when signing into AirWave with a certificate, I wasn't able to log in. Is that what you are saying, that it is a known bug?
------------------------------
Ken Sauter
Original Message:
Sent: Dec 22, 2020 04:03 PM
From: marcel koedijk
Subject: Adding certificate to AirWave
Hi Ken,
By re-reading your post I see you would like to use a certificate for LDAP, probably for secure LDAP over SSL on port 636. Based on this case I tested this for you in my homelab. LDAP (389) works, but LDAP over SSL was not working for me (with the needed CA cert imported). I ended up at the Aruba Instant 8.7.0.x User Guide, where it is noted that LDAP over SSL is currently not supported on Aruba Instant.
https://support.hpe.com/hpesc/public/docDisplay?docId=a00101274en_us
(page 233)
What would you like to use LDAP for? As authentication source in your Instant virtual clusters, or for login at the management page of Airwave? You could also consider TACACS or RADIUS as a better alternative.
------------------------------
Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
Original Message:
Sent: Dec 22, 2020 04:58 AM
From: Herman Robers
Subject: Adding certificate to AirWave
If you share the DER/CER/p7b in a personal message, I can have a look if I can import it in my Airwave.
------------------------------
Herman Robers
Original Message:
Sent: Dec 21, 2020 11:58 AM
From: Ken Sauter
Subject: Adding certificate to AirWave
I am a little limited as to what I can do since I am not admin on my VM while working remotely. My admin was able to provide a .p7b, but I didn't have much luck adding the certificate.
I can ask for PEM/Base64, but would a .p7b work?
------------------------------
Ken Sauter
Original Message:
Sent: Dec 21, 2020 11:48 AM
From: Herman Robers
Subject: Adding certificate to AirWave
If you use your favorite search engine to search for 'convert der to pem' there are online tools and openssl commands to perform that. If you have PEM format you can at least read what is in there.
Or ask your admin to provide the certificates in PEM/Base64 format.
------------------------------
Herman Robers
Original Message:
Sent: Dec 21, 2020 10:06 AM
From: Ken Sauter
Subject: Adding certificate to AirWave
So it sounds like I would need to import 2 certificates, the root and the intermediate that I have already. But it would be better if the certificates were in p12 or pfx.
The cert is not a PEM. I get binary stuff when I open the .cer and the renamed .der.
------------------------------
Ken Sauter
Original Message:
Sent: Dec 21, 2020 09:40 AM
From: Herman Robers
Subject: Adding certificate to AirWave
You should import the Root CA as 'Trusted CA' and might need to install the intermediate(s) as Intermediate CA. If it is a PEM file (with BEGIN CERTIFICATE sections), you can peel it apart, but importing it as Trusted CA at once will probably work as well.
If what you have only has BEGIN CERTIFICATE sections, so no PRIVATE KEY section, you can share it as a personal reply to me and I can have a quick look and try to import in my lab Airwave.
------------------------------
Herman Robers
Original Message:
Sent: Dec 21, 2020 08:44 AM
From: Ken Sauter
Subject: Adding certificate to AirWave
Thank you Herman. I did try to rename the certificate and import it, but no luck. Do you know what type of certificate I should import as? Intermediate CA, Server Cert, etc? The certificate provided was a tertiary certificate from the root.
------------------------------
Ken Sauter
Original Message:
Sent: Dec 21, 2020 05:59 AM
From: Herman Robers
Subject: Adding certificate to AirWave
Can you get the certificate in a different format? The problem with .CER is that it is not really a well-defined format; in many cases it is a PEM or DER format but with a .cer extension.
You can try to rename the file to .pem and import as PEM, or rename to .der and import as DER if .pem doesn't work.
If you open the file in a text editor and it is readable and has a line like -----BEGIN CERTIFICATE----- in it, it is PEM format; if it is binary junk it is likely DER.
I prefer to use PEM for most purposes as it provides the least issues, and .p12 if it includes a private key like in a server or client certificate.
------------------------------
Herman Robers
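Editor's note: the PEM-or-DER test in the post above, the "convert der to pem" step, the "peel a PEM bundle apart into root and intermediate" step and Ken's .p7b question are all the same small job: look at the bytes, not the extension. Here is that triage as an added example that is not from the thread or from Aruba/HPE, using only the Python standard library. It classifies a file as PEM, DER X.509 or DER PKCS#7 (the usual content of a .p7b), converts DER to PEM (which is only base64 between BEGIN/END lines, the same thing `openssl x509 -inform DER -outform PEM` does), splits a PEM bundle into its certificates and pulls the certificates out of a PKCS#7 SignedData bundle. The sample objects at the bottom are constructed minimal ASN.1 skeletons that only mimic the outer structure of a certificate and of a PKCS#7 bundle; they are not real certificates, so substitute a real file's bytes for them when trying this.

```python
"""Certificate file triage by content, not by extension (.cer/.crt/.der/.pem/.p7b).
Added example, not from the thread or from Aruba/HPE. Stdlib only. The DER blobs
built at the bottom are CONSTRUCTED skeletons sharing only the outer ASN.1 shape
of an X.509 certificate and of a PKCS#7 SignedData bundle; they are not real."""
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1


def der_tlv(buf, pos=0):
    """Decode one tag-length-value starting at pos; returns (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, inner_value, raw_tlv_bytes) for each element inside a SEQUENCE/SET body."""
    pos = 0
    while pos < len(value):
        tag, inner, nxt = der_tlv(value, pos)
        yield tag, inner, value[pos:nxt]
        pos = nxt


def detect_format(data):
    """Classify raw file bytes as 'pem', 'der-x509', 'der-pkcs7' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"
    if not data or data[0] != 0x30:          # both X.509 and PKCS#7 start with an outer SEQUENCE
        return "unknown"
    _, outer, end = der_tlv(data)
    if end != len(data) or not outer:        # trailing bytes or empty: not one DER object
        return "unknown"
    first_tag, first_val, _ = next(der_children(outer))
    if first_tag == 0x06 and first_val == OID_PKCS7_SIGNED_DATA:
        return "der-pkcs7"                   # ContentInfo { signedData OID, [0] SignedData }
    if first_tag == 0x30:                    # Certificate { tbsCertificate SEQUENCE, ... }
        return "der-x509"
    return "unknown"


def der_to_pem(der, label="CERTIFICATE"):
    """PEM is only base64 of the DER, wrapped at 64 columns between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_blocks(pem):
    """Split a PEM bundle (e.g. root + intermediate) into (label, der) pairs."""
    return [(m.group(1).decode(), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(pem)]


def pkcs7_certificates(der):
    """Return the DER certificates carried in a PKCS#7 SignedData (.p7b) bundle."""
    _, outer, _ = der_tlv(der)
    _, explicit0, _ = list(der_children(outer))[1]   # [0] EXPLICIT wrapping SignedData
    _, signed_data, _ = der_tlv(explicit0)
    for tag, certs, _ in der_children(signed_data):  # version, digestAlgorithms, contentInfo, [0] certs
        if tag == 0xA0:                               # [0] IMPLICIT CertificateSet
            return [raw for _, _, raw in der_children(certs)]
    return []


def to_pem_certificates(data):
    """Whatever the admin handed over, return one importable PEM string per certificate."""
    kind = detect_format(data)
    if kind == "pem":
        return [der_to_pem(der, label) for label, der in pem_blocks(data)]
    if kind == "der-x509":
        return [der_to_pem(data)]
    if kind == "der-pkcs7":
        return [der_to_pem(c) for c in pkcs7_certificates(data)]
    raise ValueError("not a PEM, DER X.509 or PKCS#7 object")


# --- CONSTRUCTED sample objects (short-form DER lengths only, i.e. < 128 bytes) ---
def tlv(tag, content):
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def fake_cert(serial):
    # SEQUENCE { tbsCertificate SEQUENCE { [0] { INTEGER 2 }, INTEGER serial } }  (skeleton only)
    return tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))))


FAKE_ROOT, FAKE_INTERMEDIATE = fake_cert(1), fake_cert(2)
FAKE_P7B = tlv(0x30, tlv(0x06, OID_PKCS7_SIGNED_DATA) + tlv(0xA0, tlv(0x30,
    tlv(0x02, b"\x01") + tlv(0x31, b"") + tlv(0x30, tlv(0x06, OID_PKCS7_DATA))
    + tlv(0xA0, FAKE_ROOT + FAKE_INTERMEDIATE) + tlv(0x31, b""))))
```

Usage on a real file is `to_pem_certificates(open("ca.cer", "rb").read())`, which yields the separate PEM strings to import as Trusted CA and Intermediate CA; with a real .p7b the bundle normally holds the whole chain, so the split output is what Ken needs rather than the single-file import. Note that the PEM regex also passes a `PRIVATE KEY` block through unchanged, so check the labels before pasting anything into a ticket or a forum reply.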
Original Message:
Sent: Dec 18, 2020 09:12 AM
From: Ken Sauter
Subject: Adding certificate to AirWave
I am trying to add a certificate to AirWave (v.8.2.11.2) to use encryption when authenticating with LDAP. My system admin gave me a .cer certificate and when I try to add the certificate, I get "Invalid Certificate file for 'CER' format." I tried adding with and without a passphrase and combination of "Types" (Intermediate CA, Trusted CA, etc.)
The certificate is valid as well. Any help would be appreciated.
------------------------------
Ken S.
------------------------------