Certificate-based Security for IAP/AMP Communication

Aruba Employee
The existing security model for IAP/AMP communication is based on a pre-shared secret, which managed service providers can consider weak.
Configuration steps:
For the AirWave server and backup server, either an IP address or a domain name is now supported.

* The IAP supports the same certificate-based mutual authentication scheme as the one used for Activate/Aruba Central communication
* The AMP must support uploading a custom certificate through its UI
* The IAP will use certificate-based authentication if no pre-shared secret is set in its AMP configuration
* The AMP certificate must be signed by Comodo, GeoTrust, or Google Public Internet Authority
* The IAP must be configured with the AMP server's certified domain name
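A pre-deployment check of the requirements listed above, as an added example that is not part of the original article or Aruba's code. It assumes the AMP certificate is available in the dict shape returned by Python's ssl.SSLSocket.getpeercert(), recognises the accepted CAs by a keyword in the issuer's organizationName (a heuristic, not the IAP's actual trust-store logic), and treats an IP address as unable to satisfy the certified-domain-name requirement; the function names and the sample certificate are constructed.

```python
import ipaddress

# Assumption: CA families are recognised by a keyword in the issuer's
# organizationName; the keywords follow the article's list of accepted CAs.
ACCEPTED_CA_KEYWORDS = ("comodo", "geotrust", "google")


def _field(rdns, key):
    """Return the first value of `key` from a getpeercert()-style name tuple."""
    for rdn in rdns:
        for k, v in rdn:
            if k == key:
                return v
    return ""


def _name_matches(pattern, host):
    """Case-insensitive DNS match; '*' may replace only the left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def preflight(amp_server, psk_configured, cert):
    """List reasons the IAP would not complete certificate-based AMP auth."""
    problems = []
    if psk_configured:
        problems.append("pre-shared secret is set, so certificate auth is not used")
    try:
        ipaddress.ip_address(amp_server)
        problems.append("AMP server is an IP address, not the certified domain name")
    except ValueError:
        names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
        names = names or [_field(cert.get("subject", ()), "commonName")]
        if not any(_name_matches(n, amp_server) for n in names):
            problems.append("configured name %r is not in the certificate (%s)"
                            % (amp_server, ", ".join(names)))
    issuer_org = _field(cert.get("issuer", ()), "organizationName")
    if not any(k in issuer_org.lower() for k in ACCEPTED_CA_KEYWORDS):
        problems.append("issuer %r is not one of the accepted CAs" % issuer_org)
    return problems


# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "amp.example.net"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "GeoTrust Inc."),),),
    "subjectAltName": (("DNS", "amp.example.net"),),
}
```

An empty list from preflight() means none of the listed requirements is violated; each string in a non-empty list names one requirement to fix before relying on certificate authentication.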
Commands to verify
AMP status: show ap debug airwave
d8:c7:c8:c4:57:38# show ap debug airwave
Airwave Server List
Domain/IP Address  Type     Mode     Status
-----------------  ----     ----     ------
                   Primary  Monitor  Login-done
AWC logs: show log ap-debug



Last update: 07-05-2014 06:09 PM



Thanks for this, it's really interesting, but I still have a question: is it necessary that the certificate has the same name as the server? (FQDN)

Thanks !


(sorry for my English)
