TLS CipherSuites supported in Aruba AP-505

  • 1.  TLS CipherSuites supported in Aruba AP-505

    Posted 11 days ago

    Hi

    When enabling ap1x in the AP-505 in order to authenticate the AP itself, I see the following cipher suites in the Client Hello message:

    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

    Is it possible to enable other Cipher Suites, e.g. TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384?

    Thanks,
    Eyðun E. Jacobsen

    ----- snippet ----
    RADIUS Protocol
      Code: Access-Request (1)
      Packet identifier: 0xcc (204)
      Length: 489
      Authenticator: ba29e417ad2cd286cae1b4c44c370b0c
      [The response to this request is in frame 66533]
      Attribute Value Pairs
        AVP: t=Framed-MTU(12) l=6 val=1492
        AVP: t=NAS-IP-Address(4) l=6 val=192.168.161.4
        AVP: t=NAS-Identifier(32) l=10 val=KLI-SW01
        AVP: t=User-Name(1) l=5 val=ap4
        AVP: t=Service-Type(6) l=6 val=Framed(2)
        AVP: t=Framed-Protocol(7) l=6 val=PPP(1)
        AVP: t=NAS-Port(5) l=6 val=12
        AVP: t=NAS-Port-Type(61) l=6 val=Ethernet(15)
        AVP: t=NAS-Port-Id(87) l=4 val=12
        AVP: t=Called-Station-Id(30) l=19 val=ec-eb-b8-2d-69-40
        AVP: t=Calling-Station-Id(31) l=19 val=34-8a-12-cd-02-82
        AVP: t=Connect-Info(77) l=39 val=CONNECT Ethernet 1000Mbps Full duplex
        AVP: t=Tunnel-Type(64) l=6 Tag=0x00 val=VLAN(13)
        AVP: t=Tunnel-Medium-Type(65) l=6 Tag=0x00 val=IEEE-802(6)
        AVP: t=Tunnel-Private-Group-Id(81) l=3 val=1
        AVP: t=State(24) l=38 val=5e9d06670000013700011700fe800000000000003d90c15bfe721d4700000004327b101a
          Type: 24
          Length: 38
          State: 5e9d06670000013700011700fe800000000000003d90c15bfe721d4700000004327b101a
        AVP: t=EAP-Message(79) l=84 Last Segment[1]
          Type: 79
          Length: 84
          EAP fragment: 0241005219800000004816030300430100003f03036131319f80bd688f7bbc6e07c4601c…
          Extensible Authentication Protocol
            Code: Response (2)
            Id: 65
            Length: 82
            Type: Protected EAP (EAP-PEAP) (25)
            EAP-TLS Flags: 0x80
              1... .... = Length Included: True
              .0.. .... = More Fragments: False
              ..0. .... = Start: False
              .... .000 = Version: 0
            EAP-TLS Length: 72
            Transport Layer Security
              TLSv1.2 Record Layer: Handshake Protocol: Client Hello
                Content Type: Handshake (22)
                Version: TLS 1.2 (0x0303)
                Length: 67
                Handshake Protocol: Client Hello
                  Handshake Type: Client Hello (1)
                  Length: 63
                  Version: TLS 1.2 (0x0303)
                  Random: 6131319f80bd688f7bbc6e07c4601c53db3b53caa914e6bf6b3fc7910227eb36
                  Session ID Length: 0
                  Cipher Suites Length: 10
                  Cipher Suites (5 suites)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                  Compression Methods Length: 1
                  Compression Methods (1 method)
                    Compression Method: null (0)
                  Extensions Length: 12
                  Extension: signature_algorithms (len=8)
                    Type: signature_algorithms (13)
                    Length: 8
                    Signature Hash Algorithms Length: 6
                    Signature Hash Algorithms (3 algorithms)
        AVP: t=Message-Authenticator(80) l=18 val=2dbf7686fa03fc742017927b678774b1
          Type: 80
          Length: 18
          Message-Authenticator: 2dbf7686fa03fc742017927b678774b1
        AVP: t=Vendor-Specific(26) l=12 vnd=Microsoft(311)
        AVP: t=Vendor-Specific(26) l=15 vnd=Hewlett-Packard(11)
    ------- --------


    ------------------------------
    Eyðun Eli Jacobsen
    ------------------------------
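
Added example, not part of the original post and not Aruba code: a small parser that pulls the cipher suite list out of a ClientHello carried in an EAP-PEAP/EAP-TLS response, as in the capture above, and groups the offered suites by mode so a RADIUS-side audit can see which supplicants offer only CBC or 3DES. The function names and `SAMPLE_EAP` are assumptions; the sample is rebuilt from the dissected fields in the post, with the three signature algorithm values filled in as placeholders because the capture does not show them.

```python
import struct
SUITES = {  # IANA names: the five suites in the capture plus the two asked about
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Constructed sample rebuilt from the post's dissection; signature algorithm values are assumed.
SAMPLE_EAP = bytes.fromhex(
    "0241005219" "80" "00000048"        # EAP Response, Id 65, len 82, PEAP; flags; TLS len 72
    "1603030043" "0100003f" "0303"      # TLS record hdr, handshake hdr, client version
    "6131319f80bd688f7bbc6e07c4601c53db3b53caa914e6bf6b3fc7910227eb36"  # Random
    "00" "000a" "006b0039006700330016"  # session id length, cipher suite list
    "0100" "000c" "000d00080006" "060104010201"  # compression, extensions (assumed algs)
)

def client_hello_suites(eap):
    """Return cipher suite IDs from a ClientHello in one unfragmented EAP-TLS/PEAP packet."""
    code, _id, length, eap_type = struct.unpack("!BBHB", eap[:5])
    if code != 2 or eap_type not in (13, 25) or length != len(eap):
        raise ValueError("not a complete EAP-TLS/PEAP response")
    if eap[5] & 0x40:  # More Fragments: reassemble the EAP-Message AVPs first
        raise ValueError("fragmented TLS message")
    tls = eap[10:] if eap[5] & 0x80 else eap[6:]  # skip TLS length field if L bit set
    ctype, _ver, rec_len = struct.unpack("!BHH", tls[:5])
    hs = tls[5:5 + rec_len]
    if ctype != 22 or len(hs) != rec_len or rec_len < 4 or hs[0] != 1:
        raise ValueError("record does not hold a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    pos = 34 + 1 + body[34]  # version(2) + random(32) + session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + n]
    if n == 0 or n % 2 or len(raw) != n:
        raise ValueError("truncated cipher suite list")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]

def audit(suites):  # group offered suites by the properties the thread asks about
    names = [SUITES.get(s, f"unknown_0x{s:04x}") for s in suites]
    return {
        "aead": [n for n in names if "_GCM_" in n or "_CCM" in n or "CHACHA20" in n],
        "cbc": [n for n in names if "_CBC_" in n],
        "3des": [n for n in names if "_3DES_" in n],
        "ecdhe": [n for n in names if "_ECDHE_" in n],
    }
```

For the rebuilt sample, `audit(client_hello_suites(SAMPLE_EAP))` reports five CBC suites, one of them 3DES, and no AEAD or ECDHE suites, matching the list in the post.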


  • 2.  RE: TLS CipherSuites supported in Aruba AP-505

    Posted 9 days ago
    I have not seen that configurable on either controller APs or Instant APs. As I don't see responses, please reach out to Aruba Support to ask this question. They can tell if it is possible, and optionally guide you through the required steps to open an enhancement request if needed.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: TLS CipherSuites supported in Aruba AP-505

    Posted 9 days ago
    Thanks,

    I will contact Aruba Support.

    Eyðun

    ------------------------------
    Eyðun Eli Jacobsen
    ------------------------------