Cannot login to the GUI of the controller - Error : X509 Certificate is needed to access this system

Problem:

When logging in to the controller WebUI, the error below is displayed in the browser:

"X509 Certificate is needed to access this system"

Diagnostics:

This error is displayed in the following two scenarios.

1. Management authentication is configured to authenticate only with a client certificate, but no management users have been added for certificate authentication.

This can be confirmed with the commands below.

(Aruba-7200) [mynode] #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              certificate
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085

(Aruba-7200) [mynode] #show mgmt-user webui-cacert

Management WebUI Certificate User Table
---------------------------------------
CA-CERT  SERIAL                                   USER   ROLE   STATUS   Max-concurrent-sessions  PATH
-------  ------                                   ----   ----   ------   -----------------------  ----
                    <--- No users are configured here

If a packet capture is taken on the client machine with Wireshark, the controller can be seen sending a Certificate Request asking for a client certificate, with the Distinguished Name set to the controller's default Root CA. Please see the screenshot below.

2. The client does not have a valid certificate for authentication.

The certificate installed on the client must have a private key, preferably in PFX format. When the certificate is opened on a Windows PC it should show that it has a private key, as below.

Solution

There are two solutions, outlined below, depending on the requirement.

1. If you wish to use certificate-based authentication, the command below adds a management user with certificate information.

(Aruba-7200) [mynode] #configure terminal
(Aruba-7200) [mynode] (config) #mgmt-user webui-cacert <name of the RootCA Certificate> serial <Serial number of the client certificate> <username> <management role>

For example:

(Aruba-7200) [mynode] #configure terminal
(Aruba-7200) [mynode] (config) #mgmt-user webui-cacert Aruba_cert_new_CA serial 1d0000000e4945783710f44bb700010000000e labuser1 root

To validate:

(Aruba-7200) [mynode] #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              certificate
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085

(Aruba-7200) [mynode] (Web Server Configuration) #show mgmt-user webui-cacert

Management WebUI Certificate User Table
---------------------------------------
CA-CERT  SERIAL                                   USER   ROLE   STATUS   Max-concurrent-sessions  PATH
-------  ------                                   ----   ----   ------   -----------------------  ----
Aruba_cert_new_CA       1D0000000E4945783710F44BB700010000000E   labuser1   root   ACTIVE   N/A                      /

After this command is added, the Certificate Request sent by the controller will carry the correct DN, as in the screenshot.
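As an added example (not part of the article), the following Python parser decodes the TLS 1.2 CertificateRequest handshake message that Wireshark shows in the capture described above and lists the Distinguished Names the controller will accept, which is where the default Root CA DN (before the fix) or the configured CA DN (after it) appears. The message bytes and the CA name in sample_certificate_request() are constructed for this example, and the layout assumes TLS 1.2 (RFC 5246), which the profile output shows enabled.

```python
import struct
# DER-encoded OIDs of the attribute types we label; anything else prints as hex
ATTR_OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def der_children(value):  # yield (tag, value) for each element of a SEQUENCE/SET body
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner
def decode_dn(der_name):
    """Render a DER X.501 Name (SEQUENCE of SET of AttributeTypeAndValue) as text."""
    tag, rdn_seq, _ = der_tlv(der_name, 0)
    if tag != 0x30: raise ValueError("Name must be a SEQUENCE")
    parts = []
    for _, rdn_set in der_children(rdn_seq):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = list(der_children(atv))
            parts.append(f"{ATTR_OIDS.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)
def parse_certificate_request(body):
    """Parse a TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4)."""
    cert_types, pos = list(body[1:1 + body[0]]), 1 + body[0]          # certificate_types
    (n,), pos = struct.unpack("!H", body[pos:pos + 2]), pos + 2       # supported_signature_algorithms
    sig_algs, pos = [(body[i], body[i + 1]) for i in range(pos, pos + n, 2)], pos + n
    (n,), pos = struct.unpack("!H", body[pos:pos + 2]), pos + 2       # certificate_authorities
    ca_names, end = [], pos + n
    while pos < end:                                                   # each DN is length-prefixed DER
        (dn_len,), pos = struct.unpack("!H", body[pos:pos + 2]), pos + 2
        ca_names.append(decode_dn(body[pos:pos + dn_len]))
        pos += dn_len
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}
def der(tag, value):  # minimal DER encoder for the sample: short-form lengths only (< 128)
    return bytes([tag, len(value)]) + value
def sample_certificate_request():
    """Constructed CertificateRequest naming one CA; not a real controller capture."""
    cn = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Aruba_cert_new_CA"))
    org = der(0x30, der(0x06, b"\x55\x04\x0a") + der(0x0C, b"Aruba"))
    name = der(0x30, der(0x31, cn) + der(0x31, org))                   # CN=Aruba_cert_new_CA,O=Aruba
    cas = struct.pack("!H", len(name)) + name
    return (b"\x01\x01"                 # one ClientCertificateType: rsa_sign(1)
            + b"\x00\x02\x04\x01"       # one SignatureAndHashAlgorithm: sha256(4), rsa(1)
            + struct.pack("!H", len(cas)) + cas)
```

To inspect a real capture, export the CertificateRequest handshake body bytes from Wireshark and pass them to parse_certificate_request(); a client certificate issued by a CA whose DN is not in ca_names will not be offered by the browser.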

 

 

2. If you would like to keep management authentication with just a username and password, the commands below enable login.

configure terminal
web-server profile mgmt-auth username/password

To validate:

(Aruba-7200) [mynode] #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              username/password
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085

This removes the error and lets you log in with a username and password.

Version history: revision 2 of 2, last update 04-13-2020 07:52 AM