Frequently Asked Questions for Aruba Support Advisory ARUBA-SA-20160908-01

HIGH LEVEL OVERVIEW

Certificates are used to validate the identity of a remote user or service like a web site. If you purchase something on eBay for example, there is a certificate in the browser to ensure that you are not giving a rogue entity your credit card number and that the communication between you and the site is encrypted so that nobody can intercept what you are typing.  The controller, MAS and Instant APs have built-in default certificates installed to serve as a placeholder for a permanent certificate, to ensure that you can get up and running quickly when you connect to the management interface, authenticate using 802.1X with termination and authenticate guests using captive portal.  Unfortunately, the same default certificate registered to Aruba Networks is installed on each platform at the factory.   The only way to ensure integrity is to replace those certificates with your own public or private certificate so that your users and their devices know that your organization, and NOT a random entity, is processing or can snoop on your authentication. 

Aruba's user guides urge replacement of the management and Captive Portal certificates to ensure security: http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm

FREQUENTLY ASKED QUESTIONS

What prompted this announcement?

• GeoTrust (the signer and issuer of the Aruba default certificate) revoked the certificate on 9/8/16, due to the private key being compromised.  For controllers, Instant APs and Mobility Access Switches where the default certificate was not replaced, the user's browser either (1) rejected the connection (2) or sent back a mysterious message that the certificate was expired or revoked; this confused users and in some cases browsers refused to display the page.  ArubaOS 8 forces the user to generate a self-signed certificate to sidestep this issue, but ArubaOS 6.5 and below still has a shared default certificate that needs to be replaced by the administrator for Captive Portal, Management Administration and 802.1X termination, if it is being used.

GENERAL CERTIFICATE QUESTIONS

What is a certificate?

• A certificate is essentially a digital ID card used by individuals, businesses and even devices to identify themselves to others and facilitate things like data encryption between two devices.
  More on certificates
  More on certificates >> https://en.wikipedia.org/wiki/Public_key_infrastructure

Who uses certificates?

• Nearly every organization uses digital certificates in some way. The most basic and pervasive use is on the internet to identify the owner of a website and provide data encryption. This is critical when entering sensitive information like credit card numbers and identification numbers or downloading files to your device. The certificate on the web site allows you to verify who you are giving your information to and also provides a framework to ensure that the data is encrypted (scrambled) before it goes out over the internet.
  
• You may also use a certificate to prove your identity to a company to access your secured data. An example would be a bank login where you use a digital certificate instead of your password or a certain resource at work which require higher assurance of who you are.
  

What is the difference between a public, private and self-signed certificate?

• A public certificate is signed by a public certificate authority after domain, personal identity or business verification. These certificate authorities are pre-installed on most client operating systems like Windows, Mac OS X, Android and iOS. The public CAs follow a strict process when issuing certificates which creates a network of trust between the CA, the operating system vendors (who decide to allow their trust to be added to the OS) and ultimately down to the user.
  More on public certificates >> https://en.wikipedia.org/wiki/Public_key_certificate
• A private certificate is signed by an internal or private CA that is run by an organization. The Root CA is not trusted by default by client devices and needs to be pushed out to clients via a management tool or manually installed in order for devices to show certificates from this CA as valid.
• Self-signed certificate: this certificate is generally generated by the local machine/device itself and has no relation to any other certs. It is signed by itself.
  More >> https://en.wikipedia.org/wiki/Self-signed_certificate

What is a CSR?

• A CSR is a certificate signing request. This is an unsigned copy of the public key, generated by an application or operating system in conjunction with a private key and contains information about your organization and also the common name and any subject alternative names that are being requested. This unsigned public key is provided to the certificate authority to validate and sign. The result is a signed public key that can be used with your application/service in combination with the private key.
  More >> https://en.wikipedia.org/wiki/Certificate_signing_request

What does it mean when a certificate is revoked?

• A certificate can be revoked by the owner of the certificate or the certificate authority that issued it. This can be done for many reasons like a service being decommissioned or the security of the certificate being compromised.

How does a browser/device know when a certificate is revoked?

• A browser or operating system can check with a certificate authority using the Online Certificate Status Protocol (OCSP) in real-time or download a Certificate Revocation List (CRL) which can be save on the device. Both of these services are provided by the CA.
  More on OCSP >> https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol
  More on CRL >> https://en.wikipedia.org/wiki/Revocation_list
  

Who is GeoTrust and how are they related?

• GeoTrust is a popular public certificate authority used by many companies. They are responsible for verifying the identity of a user, domain, email address and/or company to allow for a trust relation between the end user or device and a company or other user.
  More about certificate authorities >> https://en.wikipedia.org/wiki/Certificate_authority
  More about GeoTrust >> geotrust.com

Where can I learn more about certificates?

• “Understanding Digital Certificates” >> https://technet.microsoft.com/en-us/library/bb123848(v=exchg.65).aspx
• “Introduction to Public Key Infrastructure (PKI)” >> http://www.tomsitpro.com/articles/public-key-infrastructure-introduction,2-884.html

QUESTIONS ABOUT THIS ADVISORY

Which Aruba products are effected?

• Aruba Mobility Controllers, Instant Access Points (IAP) and Mobility Access Switches (MAS).

Why was a public certificate included in the first place?

• In early versions of ArubaOS, a certificate was not included. This resulted in many users having issues getting captive portal working. A publicly-signed default cert was added to ArubaOS to give a working solution out of the box and also provide an example of what was required, a template of sorts. It was also very useful when evaluating Aruba products prior to purchase.

Why is a certificate needed on an Aruba controller/IAP/MAS?

Certificates are used for four different functions:

1. Web UI security >> The web UI used for management uses a certificate to identify the controller to admin users and is also used to encrypt credentials, keystrokes and other traffic between the browser and the controller/IAP/MAS.
2. Captive Portal redirection >> In order to redirect users that are visiting an https page, we need a certificate on the controller to intercept the https connection and redirect it to the controller’s web server or an external captive portal.
3. Captive Portal login >> In most deployments, a user enters their credentials into the captive portal displayed in their browser and then clicks submit or log in. The browser submits the credentials to a special URL on the controller and the controller then checks these credentials via the local database or a RADIUS server. Because these credentials are sent from the client device to the controller, we need a certificate to encrypt the credentials in transit and provide assurance that the controller is valid.
4. EAP-Termination (optional) >> While a RADIUS server is recommended, in some deployments, the controller may serve as the EAP termination point for things like EAP-PEAP, EAP-TLS and other EAP methods. These require a server side certificate on the controller for the client to validate.
   
   

Do I need to use the same certificate for each service?

• No. Web UI, captive portal and EAP-Termination can all use different certificates and different certificate types (self-signed vs private vs public).

Why was the certificate revoked?

• Because the securelogin.arubanetworks.com certificate was included with each controller, IAP and MAS, it was a part of the software image and the certificate key pair was recently extracted out and compromised. GeoTrust then revoked the certificate, following certificate authority policies around compromised keys.

Can I use the same captive portal and/or EAP-termination certificate across multiple controllers?

• The technical answer is yes, but you should consult your security team first.
• If you choose to use the same certificate, use an external server to generate the CSR (openssl on Linux/Windows/Mac OS X/Linux or IIS on Windows for example). If you generate the CSR on the controller, you will not be able to export the key pair for import to another device.

WHAT COMMON NAME SHOULD BE USED IF THE CAPTIVE PORTAL CERTIFICATE WILL BE USED ON MULTIPLE DEVICES?

• The common name can be anything you want (it does not actually have to resolve to a host), but we recommend it be a user-friendly name off your domain as it is briefly displayed on an end-user's device during authentication. An example would be: network-login.yourdomain.xyz. Do not use arubanetworks.com.

Were any other certificates in the products compromised?

• Aruba controllers, IAPs and MAS also include a unique factory certificate that is generated during manufacturing. This certificate is issued by a private CA used for trust between Aruba devices for services like Control Plane Security (CPSec) and Aruba Activate. This certificate is unique to the hardware and the private key is stored securely in a hardware trusted platform module (TPM) and remains valid and secure.

ARUBA INSTANT

What INSTANT AP services use this certificate by default?

• Captive Portal (splash page for guests)
• EAP-Termination (used in some situations where a RADIUS server is not available)
• Note that Instant uses a unique, self-signed certificate for management UI access (instant.arubanetworks.com) and is not affected by this revocation.

How can I fix this on my Aruba instant aps?

• A custom certificate needs to be acquired and installed on the IAP VC.
• Choosing a certificate:
  

  	CAPTIVE PORTAL	EAP-TERMINATION
  Self-signed	YES1 (but not recommended, see below)	YES2
  Privately-signed	YES1 (but not recommended, see below)	YES3
  Public: standard domain cert	YES	YES
  Public: wildcard cert	YES (version 4.3+) NO (prior to 4.3)	NO4

  1 – While a self-signed or private certificate can be used for captive portal, it is not recommended as guests will not have the certificate and/or root CA installed and will receive a certificate error.

  2 – When using EAP-Termination with a self-signed certificate, the cert will need to be installed on each client device in order to secure the connection.

  3 – When using EAP-Termination with a privately signed certificate, the private root CA will need to be installed on each client device in order to secure the connection.

  4 – Wildcard certificates will be rejected by many client devices when used as a RADIUS server certificate.

• Installing the certificate: 
  http://www.arubanetworks.com/techdocs/Instant_423_WebHelp/InstantWebHelp.htm#UG_files/Authentication/Certificates.htm#authentication_586225611_1051249 

HOW DO I COMBINE THE PUBLIC KEY FROM MY CA WITH THE INTERMEDIATE, ROOT AND MY PRIVATE KEY USING OPENSSL?

• The "Apache" certificate package from your CA should contain two certificate files: one with just your public signed cert and the second should contain the intermediate(s) and root certificates. Extract those and drop them in the directory where your private key was generated.
• Open up a shell window (cmd, terminal, bash), change your directory to the location of the certificate files and run the following commanda, replacing the values between the curley braces:
  

  cat {private-key-file} > {new-combined-certname}.pem
  cat {public-cert-file} >> {new-combined-certname}.pem
  cat {intermediate-root-ca-file} >> {new-combined-certname}.pem
  

  Note that this new .pem file is NOT encrypted and should be stored securely.
• Now that you have your combined PEM file, navigate to Maintenance > Certificates and click Upload New Certificate. Browse to find the new combined .pem file, select which service you're using the cert for, select PEM as the format and then click Upload Certificate.

ARUBA CLEARPASS

Is ClearPass affected by this?

• ClearPass is not directly affected by this advisory but a few configuration tweaks need to be made when the controller/IAP/MAS captive portal certificate is changed.

What changes need to be made in ClearPass?

• As explained earlier, a client submits their credentials to the IAP when performing captive portal authentication. There is a setting in the ClearPass web login and self-registration configuration that tells the web page (served up by ClearPass) where the client needs to submit their credentials. This setting needs to match some properties in the custom certificate uploaded to the IAP VC for captive portal use.
• Step-by-step instructions can be found here >> http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Weblogin-NAS-Address-configuration-options-in-multi-controller/ta-p/275426