Issued October 10, 2013
SUMMARY
The default "Server Certificate" installed in older ArubaOS releases on Mobility
Controllers and Mobility Access Switches will expire on November 21, 2013.
Although this default certificate was never intended for production use, Aruba is aware that a
number of customers are using it in production networks, typically to secure the
administrative WebUI and the Captive Portal login page in guest networks.
On Mobility Controllers running ArubaOS_6.1.3.8 or ArubaOS_5.0.4.12 and earlier, and on
Mobility Access Switches running ArubaOS_MAS_7.2.3.0 and earlier, customers using the
default Server Certificate should expect the following issues once the default
certificate expires on 11/21/2013.
o Users connecting to the Captive Portal or to the controller's WebUI will receive a browser
warning stating that the server certificate has expired.
Workaround: Users may bypass the warning (with varying degrees of difficulty
depending on the browser) and continue to use the system normally.
o If EAP termination has been enabled for 802.1X and the default certificate is being
used as the server certificate, many client operating systems will refuse to continue
the authentication process. This results in an apparent network outage for those
users. Client operating systems may or may not display a warning message to the
user.
Workaround: Disable EAP termination on the controller or switch and let the clients
complete the EAP exchange directly with the RADIUS server, provided that
the RADIUS server has a server certificate installed whose root/issuing Certificate
Authority is trusted by the clients.
SOLUTION
Aruba Networks recommends the following two options, in order of preference, for replacing
the default certificate installed on the controllers.
Option 1: Replace the default certificate with a certificate issued by an internal
certificate authority or a public certificate authority. *This option provides the greatest
security.*
Option 2: Upgrade ArubaOS software
o On Mobility Controllers running:
6.1.3.8 and earlier – upgrade to ArubaOS 6.1.3.9 or later
5.0.4.12 and earlier – upgrade to ArubaOS 5.0.4.13 or later
o On Mobility Access Switches running:
7.2.3.0 and earlier – upgrade to ArubaOS 7.2.3.1 (available Oct 30, 2013)
This option, however, does not provide strong security: every Aruba controller ships with
the same default certificate, so impersonation attacks remain possible.
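The two conditions described in this advisory (a default server certificate that is about to expire, and the same certificate being presented by every controller in a fleet) can both be checked from the network side. The script below is an added example for administrators and is not part of the advisory or of ArubaOS; it uses only the Python standard library. It pulls the DER certificate from each controller's TLS listener, walks the X.509 structure to read notAfter, classifies it as expired/expiring/ok, and reports any SHA-256 fingerprint that appears on more than one host. The port 4343 and the host names are constructed placeholders (the advisory does not state a port), and the constructed_cert() helper builds an unsigned certificate skeleton purely so the parser can be exercised offline.

```python
"""Audit the server certificate presented by Aruba controllers / switches:
expiry status per host, plus any certificate shared across several hosts.
Added example, stdlib only; port and host names are constructed placeholders."""
import hashlib
import socket
import ssl
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # flag certificates that expire within this many days


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _der(tag, value):
    """Encode one DER TLV (short or two-byte long form, enough for this example)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100
                                          else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + value


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ) -> UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                         # RFC 5280 4.1.2.5.1: YY >= 50 means 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, cert, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate SEQUENCE
    tag, _, pos = _tlv(tbs, 0)              # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)          # serialNumber
    _, _, pos = _tlv(tbs, pos)              # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)              # issuer Name
    _, validity, _ = _tlv(tbs, pos)         # validity SEQUENCE { notBefore, notAfter }
    _, _, pos = _tlv(validity, 0)           # notBefore (skipped)
    tag, not_after, _ = _tlv(validity, pos)
    return _parse_time(tag, not_after)


def classify(not_after, now, warn_days=WARN_DAYS):
    """Return 'expired', 'expiring' (within warn_days) or 'ok'."""
    if not_after <= now:
        return "expired"
    return "expiring" if not_after - now <= timedelta(days=warn_days) else "ok"


def fetch_der(host, port=4343, timeout=5.0):
    """Fetch the peer's DER certificate. Verification is disabled on purpose:
    an expired or self-signed certificate is exactly what we want to inspect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def shared_fingerprints(fingerprints_by_host):
    """{fingerprint: [hosts]} for every fingerprint seen on more than one host.
    A certificate common to several controllers lets any one of them impersonate another."""
    hosts_by_fp = defaultdict(list)
    for host, fp in fingerprints_by_host.items():
        hosts_by_fp[fp].append(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}


def audit(hosts, now=None):
    """Per-host (status, notAfter ISO, sha256) plus the shared-fingerprint map."""
    now = now or datetime.now(timezone.utc)
    report, fps = {}, {}
    for host in hosts:
        der = fetch_der(host)
        fps[host] = hashlib.sha256(der).hexdigest()
        not_after = cert_not_after(der)
        report[host] = (classify(not_after, now), not_after.isoformat(), fps[host])
    return report, shared_fingerprints(fps)


def constructed_cert(not_before, not_after):
    """Unsigned Certificate skeleton with the given UTCTime validity: constructed
    test data for exercising cert_not_after() offline, not a real certificate."""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + _der(0x30, b"")                                   # empty issuer
               + _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
               + _der(0x30, b"") + _der(0x30, b""))                # empty subject, SPKI
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # Constructed placeholder host names; replace with your own controllers.
    report, shared = audit(["controller-1.example.net", "controller-2.example.net"])
    for host, (status, expiry, fp) in report.items():
        print(f"{host}: {status} (notAfter {expiry}) sha256={fp[:16]}...")
    for fp, hosts in shared.items():
        print(f"same certificate on {', '.join(hosts)} -- likely the shipped default")
```

Run it against the WebUI and captive-portal listeners of every controller and switch; any host reporting "expired" or "expiring" needs Option 1 or 2 above, and any fingerprint listed in the shared map identifies boxes still on a common (default) certificate even after the expiry has been fixed by an upgrade.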
More information is available in the attached document.