Frequently Asked Questions for Aruba Support Advisory ARUBA-SA-20160908-01
Certificates are used to validate the identity of a remote user or service, such as a web site. If you purchase something on eBay, for example, the certificate presented to the browser ensures that you are not giving your credit card number to a rogue entity and that the communication between you and the site is encrypted so that nobody can intercept what you are typing. The controller, MAS and Instant APs ship with built-in default certificates that serve as placeholders for a permanent certificate, so that you can get up and running quickly when you connect to the management interface, authenticate using 802.1X with termination, or authenticate guests using captive portal. Unfortunately, the same default certificate, registered to Aruba Networks, is installed on each platform at the factory. The only way to ensure integrity is to replace those certificates with your own public or private certificate, so that your users and their devices know that your organization, and NOT a random entity, is the party processing, or able to snoop on, your authentication.
Aruba's user guides urge replacement of the management and Captive Portal certificates to ensure security: http://www.arubanetworks.com/techdocs/ArubaOS_65x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm
Certificates are used for four different functions:
YES (version 4.3+)
NO (prior to 4.3)
NO (see note 4)
1 – While a self-signed or private certificate can be used for captive portal, it is not recommended as guests will not have the certificate and/or root CA installed and will receive a certificate error.
2 – When using EAP-Termination with a self-signed certificate, the cert will need to be installed on each client device in order to secure the connection.
3 – When using EAP-Termination with a privately signed certificate, the private root CA will need to be installed on each client device in order to secure the connection.
4 – Wildcard certificates will be rejected by many client devices when used as a RADIUS server certificate.
cat {private-key-file} > {new-combined-certname}.pem
cat {public-cert-file} >> {new-combined-certname}.pem
cat {intermediate-root-ca-file} >> {new-combined-certname}.pem
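A check for the combined file that the cat commands above produce, as an added example that is not part of Aruba's documentation: it confirms the blocks are in the order shown (private key first, then certificates) and that the key belongs to the first certificate. It assumes OpenSSL is installed; the function names and the throwaway certificate in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate a combined PEM built with the three cat commands above.

# Print the label of every PEM block in FILE, in file order.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Succeed only if FILE is: one private key, then one or more certificates.
check_bundle_order() {
    labels=$(pem_labels "$1")
    first=$(printf '%s\n' "$labels" | sed -n '1p')
    rest=$(printf '%s\n' "$labels" | sed '1d')
    case "$first" in
        *"PRIVATE KEY") ;;
        *) echo "first block is '${first:-none}', expected a private key" >&2; return 1 ;;
    esac
    if [ -z "$rest" ]; then
        echo "no certificate follows the private key" >&2; return 1
    fi
    if printf '%s\n' "$rest" | grep -qvx 'CERTIFICATE'; then
        echo "non-certificate block found after the private key" >&2; return 1
    fi
}

# Succeed only if the private key belongs to the first (server) certificate.
key_matches_leaf() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Constructed demo: throwaway self-signed key/cert, combined in the page's order.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed.example" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
    cat "$d/key.pem" > "$d/combined.pem"
    cat "$d/cert.pem" >> "$d/combined.pem"
    check_bundle_order "$d/combined.pem" && key_matches_leaf "$d/combined.pem"
    rc=$?; rm -rf "$d"; return $rc
}

# Usage: sh check_bundle.sh {new-combined-certname}.pem
if [ -n "${1:-}" ]; then
    check_bundle_order "$1" && key_matches_leaf "$1" && echo "bundle OK: $1"
fi
```

Run it against the combined file before uploading; a non-zero exit means the blocks are out of order or the key and certificate do not pair.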