Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Adding new MDs to VMM - factory cert

  • 1.  Adding new MDs to VMM - factory cert

    Posted Mar 04, 2020 10:01 AM

    Hello,

    We have an AOS 8 environment consisting of a VMM and a pair of 7005 MDs. Originally, we added the local controllers during initial config using an IPSec key, and all worked OK. As we are using this setup for our RAP estate, we have an externally facing interface on both 7005s. One of the requirements from pen-testing was to disable aggressive mode (crypto-local isakmp disable-aggressive-mode), and that led to the warning:

    Warning: Disabling Aggressive Mode will impact other sessions which use aggressive mode
    like Master-Local IKE session with PSK. Change those sessions to Cert-based

    We then tried to change the discovery method to use the factory certificate, but once we did that, both controllers started showing as Down on the MM.

    I suppose the first question is whether we can use cert-based controller discovery on a Virtual MM, and if the answer is yes, the second question is why our approach failed. Thanks.



  • 2.  RE: Adding new MDs to VMM - factory cert
    Best Answer

    EMPLOYEE
    Posted Mar 04, 2020 04:17 PM

    Hi NesaM,

    Doing certificate-based IPSec is possible, to answer your first question.

    The reason why it might fail is trust. The HW-based controllers like the 7005s will use their TPM-based certificate, but the VMM has neither a TPM chip nor a TPM-based certificate, and that is the mismatch. I described the different options here:

    https://www.flomain.de/2017/12/arubaos-8-controller-deployment/

    It might be helpful.

    BR

    Florian



  • 3.  RE: Adding new MDs to VMM - factory cert

    Posted Mar 04, 2020 04:45 PM

    Hi Florian,

    Thanks for your reply. I will have a look at your blog and let you know if any of the offered solutions worked for us. Much appreciated.



  • 4.  RE: Adding new MDs to VMM - factory cert

    Posted Mar 05, 2020 03:27 PM

    Great post Florian, thanks. We will use it in the future. As it stands, we will have to change our VMs for HW appliances.



  • 5.  RE: Adding new MDs to VMM - factory cert

    EMPLOYEE
    Posted Mar 05, 2020 11:45 PM

    Hi NesaM,

    By using Activate you don't have to. While using Activate for MM discovery, the MD will also download the self-signed CA from Activate to trust the certificate from the VMM.

    BR

    Florian



  • 6.  RE: Adding new MDs to VMM - factory cert
    Best Answer

    EMPLOYEE
    Posted Mar 11, 2020 12:25 PM

    Great blog Florian. Note you can also use the self-signed cert on the MM as the CA cert, and hardware MDs can use the factory cert.

    crypto pki export ca-cert pem self-signed

    This will print out the cert in PEM format. Copy it to a file. In this example I have called it sc-root-ca.

    At the folder level, import this cert as a TrustedCA.

    Go to the device level in the CLI and apply the following masterip config.

    masterip <master-ip> ipsec-custom-cert master-mac-1-c <MM-ma> ca-cert sc-root-ca server-cert factory-cert interface vlan <controller-vlan>

    On the MM level you need to add the node.

    local-custom-cert local-mac <MD-mac> ca-cert factory-ca-cert server-cert self-signed-field-cert
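A pre-import sanity check for the exported self-signed CA described in the answer above, added here as an example and not code from the thread or from HPE Aruba Networking. It assumes the openssl CLI is installed, uses the poster's file name sc-root-ca (with a .pem suffix), and generates a throwaway local certificate as a constructed stand-in for the MM export:

```shell
#!/bin/sh
# Added example, not code from the thread or from HPE Aruba Networking.
# Checks the PEM printed by "crypto pki export ca-cert pem self-signed"
# before it is imported at the folder level as a TrustedCA.
# Assumes the openssl CLI is present; file names follow the poster's example.

# check_ca_pem FILE: returns 0 only if FILE holds exactly one certificate
# that verifies against itself (self-signed), carries CA:TRUE and is not expired.
check_ca_pem() {
    pem="$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$pem" 2>/dev/null || true)
    [ "${n:-0}" -eq 1 ] || { echo "$pem: expected 1 certificate, found ${n:-0}"; return 1; }
    # a self-signed root must validate when it is its own trust anchor
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 \
        || { echo "$pem: does not verify as a self-signed certificate"; return 1; }
    # the MD will only accept it as a CA if basicConstraints says so
    openssl x509 -in "$pem" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE' \
        || { echo "$pem: basicConstraints CA:TRUE missing"; return 1; }
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "$pem: certificate has expired"; return 1; }
    echo "$pem: OK to import as TrustedCA"
    return 0
}

# make_constructed_ca DIR: constructed stand-in for the MM export, a throwaway
# self-signed CA generated locally (not a real controller certificate).
make_constructed_ca() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed-vmm-self-signed" \
        -keyout "$dir/sc-root-ca.key" -out "$dir/sc-root-ca.pem" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_constructed_ca "$demo_dir"
check_ca_pem "$demo_dir/sc-root-ca.pem"
# a bundle of two certificates is rejected: import one root, not a chain
cat "$demo_dir/sc-root-ca.pem" "$demo_dir/sc-root-ca.pem" > "$demo_dir/bundle.pem"
check_ca_pem "$demo_dir/bundle.pem" || true
rm -rf "$demo_dir"
```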