Controllerless Networks

Contributor I

ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

With the recently emailed advisory regarding securelogin.arubanetworks.com, if the IAP Guest WLAN is only configured for INTERNAL – ACKNOWLEDGED, do I need to be concerned about this/will the revoked certificate cause an issue for guests using this configuration?

 

Thank you.

Guru Elite

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Yes.  If the guest browser is configured to detect a revoked certificate, it might not let the user connect.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Thanks for the prompt reply Colin.  If this is indeed the case, what’s the best way to resolve this as I see no reason to have an SSL certificate if I’m not securing anything.

New Contributor

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

If you have a captive portal, then you are securing the connection between the client web browser and the portal.  This needs to be encrypted; you can use a self-signed certificate, but this may still cause the browser to throw up an error as it would be untrusted by the browser.

Contributor I

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

I see—shame considering SSL is really not required here.  Does my certificate need to be for securelogin.example.com or will any host work?  If the former, is there a way to change this?  There is little documentation here, at least as it specifically relates to IAP, and this covers http://community.arubanetworks.com/t5/Wireless-Access/Certificate-quot-securelogin-arubanetworks-com-quot/td-p/239148 as well.  Also, do I need to reboot everything or will this Just Work once the new certificate is uploaded?  Thank you.

Guru Elite

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

We just posted a few FAQs:
https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor I

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Thanks for the prompt reply Tim.  While this covers why a certificate is needed, it doesn’t mention Subject Names or if a reboot is required for the change to be effective.  I imagine Aruba has a major headache on their hands for anyone that uses the built-in captive portal for Guest WLANs.

Guru Elite

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

The common name can be anything. I'd recommend it be somewhat user friendly. Something like "network-login.domain.xyz". A public certificate is highly recommended for captive portal.

A reboot is not required.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor I

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

Hi cappalli!

I assume that an A record in DNS should be created for "network-login.domain.xyz", am I right? Which IP address should it point to?

Is it possible to use a wildcard cert?

Guru Elite

Re: ArubaOS/IAP Default Certificate Revocation and INTERNAL – ACKNOWLEDGED Guest WLAN

No. No DNS record is required. Wildcard certs can be used on Instant 4.3 and greater.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
