Controllerless Networks


Certificates for APs and Instant?

  • 1.  Certificates for APs and Instant?

    Posted Feb 27, 2018 06:22 AM

    Howdy,

    we are running 25 IAP 103s here and we manage them with Aruba Instant.

    I created a certificate for Instant and loaded it as the certificate for the web interface with success. Instant is right now using this certificate.

    However, the web interface then redirects me to the virtual controller, which is on one of the IAPs (which changes from time to time). Then I get a certificate error because the certificate used by Instant matches the IP of the default controller but naturally not the IP of the current virtual one.

    I then created another certificate for that specific one and tried to "upload" it by URL. It did get the certificate but then gave me an unknown error. Unfortunately the GUI does not state which format etc. it wants. It just reads "cert".

    So what does a correct certificate (bundle) for the IAP look like?



  • 2.  RE: Certificates for APs and Instant?

    MVP EXPERT
    Posted Feb 27, 2018 06:40 AM

    What do you mean by default controller? Do you have a screenshot of the error you are seeing? InstantOS supports the following certificate formats:

    Authentication server (PEM format).
    Captive portal server (PEM format): customized certificate for the internal captive portal server.
    CA certificate (PEM or DER format).
    RadSec certificate (PEM or DER format).
    WebUI certificate (PEM format).

    The IAP database can have only one authentication server certificate and one captive portal server certificate at any point in time. When a captive portal server certificate is uploaded using the Instant UI, the default management certificate on the UI is also replaced by the captive portal server certificate.

    Have you tried chaining the certificates as per the guide below (note that the guide covers the captive portal cert)?

    https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025



  • 3.  RE: Certificates for APs and Instant?

    Posted Feb 27, 2018 07:45 AM

    Thanks for your reply.

    What I mean is: my IAPs are in one subnet (xx.yy.zz.180-205).

    There is one IP, xx.yy.zz.183, that I use to access the Aruba Instant web interface.

    What I did is I uploaded a certificate chain (X.509 containing private key + cert + CA) in the web interface as the certificate for the web interface.

    When I now access xx.yy.zz.183 it uses this certificate, which is fine.

    Now xx.yy.zz.183 just redirects me to the IAP where the virtual controller is currently running (can be any of the 25; the web interface marks it with a * in the IAP list).

    It then still uses that same certificate for HTTPS, but the IP changed to that of the IAP the VC runs on.

    Since this is not a wildcard certificate, this has to produce some security woes. So Instant would need to use another certificate for this that is valid for the IP address.

    And that is where I am just stuck...



  • 4.  RE: Certificates for APs and Instant?

    MVP EXPERT
    Posted Feb 27, 2018 08:05 AM

    Can you use a common name to access the VC, or change the cert to be for the VC IP address? Just to confirm, you need to upload the cert via the VC. The redirect occurs because you should normally access the GUI via the VC IP address.

    If you want to make life easier, why don't you use an internal DNS record such as https://securelogin.comanyname.com/, use this as your CN and upload a cert for this?



  • 5.  RE: Certificates for APs and Instant?

    Posted Feb 27, 2018 08:13 AM

    The cert has the VC IP as common name and, due to the latest Google Chrome limitations per RFC, also as SAN.

    xx.yy.zz.183 is the VC IP. At the moment it redirects me to xx.yy.zz.205, but the certificate is still for .183.



  • 6.  RE: Certificates for APs and Instant?

    Posted Mar 05, 2018 04:39 PM

    1. There is no way in Instant to upload separate WebUI and captive portal certificates. We have informed engineering of this shortcoming, and it will be planned for future releases.

    2. Instant today does not support addressing the web UI through the customer's own domain name; we only support using instant.arubanetworks.com, which uses a private root CA. Since no one can apply for their own public cert with CN instant.arubanetworks.com, some kind of cert error will be there.

    Query: private IP addresses are not allowed in publicly issued certificates. So how are you uploading a certificate with CN as an IP and not a common name?



  • 7.  RE: Certificates for APs and Instant?

    Posted Mar 06, 2018 02:01 AM

    1. Why is this thread in Controllerless Networks? That's completely the wrong forum, and I cannot remember that I posted it here?!

    We do not have a controllerless network at all. We run 25 IAPs managed by Aruba Instant.

    2. I wouldn't mind Instant and the captive portal using the same cert if it works. In fact, I don't think it does.

    3. There IS such an option in the Instant web interface. You can upload a cert for Instant and you can upload a cert for the captive portal. If this really is not supported, why then is it there?

    4. I do not use FQDNs here at all (except the captive portal does). I access Instant via the management IP. This is one central IP which always knows which IAP the VC is on and forwards to that IAP's IP. That is why the IAP needs a cert itself (or we would even need a wildcard).

    5. We only use internal IPs, not public ones, and generate the certificates using our own internal CA, since this is not intended for public access at all.

    6. Anyhow, since one RFC the Common Name is no longer state of the art and is already no longer evaluated in several browsers because of that (like Chrome and Chromium). This RFC requires the use of the subject alternative name (SAN) in your certs to make them valid for those.
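
Added example covering two points raised in this thread: the single PEM chain (private key + cert + CA) described in reply 3, and the requirement in item 6 above that the VC IP appear as a SAN, not only as the CN. This is not Aruba's tooling or anything the posters ran; it assumes `openssl` on PATH, and the VC IP 192.0.2.183 and all file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Aruba's tooling or the thread's own commands: mint an
# internal-CA-signed WebUI certificate that carries the VC IP both as CN and
# as an IP SAN (modern browsers ignore the CN), then assemble the key + cert
# + CA PEM bundle in the order the poster describes. 192.0.2.183 is a
# constructed placeholder for the VC IP; all file names are assumptions.
set -e
VC_IP="${VC_IP:-192.0.2.183}"
WORK="${WORK:-$(mktemp -d)}"

# Internal root CA (self-signed; stands in for "our own internal CA").
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Internal CA" >/dev/null 2>&1
}

# Server key + CSR with CN = VC IP, signed by the CA with an extfile that adds
# the IP SAN (portable: no -copy_extensions / -addext required).
make_server_cert() {
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/vc.key" -out "$WORK/vc.csr" \
        -subj "/CN=$VC_IP" >/dev/null 2>&1
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\n' "$VC_IP" \
        > "$WORK/vc.ext"
    openssl x509 -req -in "$WORK/vc.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 825 -sha256 \
        -extfile "$WORK/vc.ext" -out "$WORK/vc.crt" >/dev/null 2>&1
}

# Single PEM upload: private key, then leaf cert, then issuing CA.
make_bundle() {
    cat "$WORK/vc.key" "$WORK/vc.crt" "$WORK/ca.crt" > "$WORK/vc-bundle.pem"
}

# Pre-upload checks: chain validates, SAN carries the IP, key matches cert.
verify_bundle() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/vc.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$WORK/vc.crt" -noout -text | grep -q "IP Address:$VC_IP" || return 1
    k=$(openssl pkey -in "$WORK/vc.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$WORK/vc.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

build_all() { make_ca && make_server_cert && make_bundle && verify_bundle; }

build_all && echo "bundle ready: $WORK/vc-bundle.pem"
```

If the VC moves to another IAP, the certificate still names only the IP it was issued for, which is exactly the mismatch the thread describes; pinning the VC with "Preferred Master" is what keeps the IP stable.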



  • 8.  RE: Certificates for APs and Instant?
    Best Answer

    Posted Mar 20, 2018 05:29 AM

    You could also configure that Instant AP as the "Preferred Master" so that the VC does not change periodically, and it would then match the IP in the certificate.

    Kevin



  • 9.  RE: Certificates for APs and Instant?

    Posted Mar 20, 2018 07:02 AM

    Thanks Kevin. Preferred Master did the trick :)



  • 10.  RE: Certificates for APs and Instant?

    Posted Mar 20, 2018 07:24 AM

    Great! I am glad to read that.

    /Kevin