Cannot login to the GUI of the controller - Error : X509 Certificate is needed to access this system

Problem:

 

When logging in to the controller WebUI, the following error is displayed in the browser:

"X509 Certificate is needed to access this system"

 



Diagnostics:

 

One cause of this error is that "Management user's WebUI access method" under the Web Server profile is set to certificate while no management users have been added for certificate authentication.

 

This can be confirmed using the commands below.

(Aruba-7200) [mynode] (Web Server Configuration) #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              certificate
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085

(Aruba-7200) [mynode] #show mgmt-user webui-cacert

Management WebUI Certificate User Table
---------------------------------------
CA-CERT  SERIAL                                   USER   ROLE   STATUS   Max-concurrent-sessions  PATH
-------  ------                                   ----   ----   ------   -----------------------  ----
                    <--- No Users are configured here



Solution

 

Two solutions are outlined below; choose the one that matches your requirement.

 

Solution 1: 

If you wish to use certificate-based authentication, use the command below to add the management user with the certificate information.

 

configure terminal

mgmt-user webui-cacert <name of the RootCA Certificate> serial <Serial number of the client certificate> <username> <management role>

Example:

mgmt-user webui-cacert Aruba_cert_new_CA serial 1d0000000e4945783710f44bb700010000000e labuser1 root

 

To Validate:

 

(Aruba-7200) [mynode] (Web Server Configuration) #show web-server  profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              certificate
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085

(Aruba-7200) [mynode] (Web Server Configuration) #show mgmt-user webui-cacert

Management WebUI Certificate User Table
---------------------------------------
CA-CERT  SERIAL                                   USER   ROLE   STATUS   Max-concurrent-sessions  PATH
-------  ------                                   ----   ----   ------   -----------------------  ----
Aruba_cert_new_CA       1D0000000E4945783710F44BB700010000000E   labuser1   root   ACTIVE   N/A                      /
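
An offline check for the condition described under Diagnostics and for the Solution 1 validation, added here as an example (it is not Aruba's code): it parses saved output of the two show commands and reports whether certificate login is enforced with no ACTIVE certificate user, and whether a given client-certificate serial is registered. The function names, the embedded sample output, and the treatment of any status other than ACTIVE as unusable are assumptions.

```python
import re

# Constructed sample output, in the shape of the CLI listings on this page.
PROFILE = "Management user's WebUI access method              certificate\n"
TABLE_HEADER = (
    "CA-CERT  SERIAL                                   USER   ROLE   STATUS   Max-concurrent-sessions  PATH\n"
    "-------  ------                                   ----   ----   ------   -----------------------  ----\n"
)
TABLE_ROW = ("Aruba_cert_new_CA       1D0000000E4945783710F44BB700010000000E"
             "   labuser1   root   ACTIVE   N/A                      /\n")

def access_method(profile_text):
    """Return the configured WebUI access method in lower case, or None."""
    pattern = r"\s*Management user's WebUI access method\s+(\S+)\s*$"
    for line in profile_text.splitlines():
        match = re.match(pattern, line)
        if match:
            return match.group(1).lower()
    return None

def normalize_serial(serial):
    """Drop an openssl-style 'serial=' prefix and ':' or space separators."""
    serial = serial.strip()
    if serial.lower().startswith("serial="):
        serial = serial[len("serial="):]
    return re.sub(r"[:\s]", "", serial).upper()

def cert_users(table_text):
    """Parse data rows; assumes names contain no whitespace (an assumption)."""
    users = []
    for line in table_text.splitlines():
        cols = line.split()
        # A data row has a hexadecimal serial in the second column.
        if len(cols) >= 5 and re.fullmatch(r"[0-9A-Fa-f]+", cols[1]):
            users.append({"ca": cols[0], "serial": cols[1].upper(),
                          "user": cols[2], "role": cols[3], "status": cols[4]})
    return users

def webui_locked_out(profile_text, table_text):
    """True when certificate login is required but no ACTIVE user can use it."""
    if access_method(profile_text) != "certificate":
        return False
    return not any(u["status"] == "ACTIVE" for u in cert_users(table_text))

def serial_registered(table_text, serial):
    """True when the given client-certificate serial has an ACTIVE entry."""
    wanted = normalize_serial(serial)
    return any(u["serial"] == wanted and u["status"] == "ACTIVE"
               for u in cert_users(table_text))
```

Serials are compared case-insensitively because the page enters the serial in lower case and the table displays it in upper case.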

Solution 2:  

If you would like to keep management authentication with just a username and password, use the commands below to avoid this error.

 

configure terminal
web-server profile mgmt-auth username/password

To validate

(Aruba-7200) [mynode] (Web Server Configuration) #show web-server profile

Web Server Configuration
------------------------
Parameter                                          Value
---------                                          -----
Cipher Suite Strength                              high
SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
Switch Certificate                                 Aruba_cert_new
Captive Portal Certificate                         default
IDP Certificate                                    default
Management user's WebUI access method              username/password
User absolute session timeout <30-3600> (seconds)  0
User session timeout <30-3600> (seconds)           900
Maximum supported concurrent clients <25-320>      75
Enable WebUI access on HTTPS port (443)            true
Enable bypass captive portal landing page          false
Exclude Security Headers from HTTP Response        false
VIA client-cert port number                        8085

This will get rid of the error and let you log in using a username and password.
