Requirement:IAP 4.1 and Later versions
AMP 8.0 and above versions
Solution:IAP latest version supports uploading customized captive portal server certificate in PEM or PKCS#12 format. The captive portal server certificates verifies internal captive portal server’s identity to the client.
Airwave Management server (AMP) can be used to manage IAP certificates like server certificate, captive portal server certificate.
The AMP performs basic certificate verification (such as certificate type, format, version, serial number and so on), before accepting the certificate and uploading to an IAP network. The AMP packages the text of the certificate into an HTTPS message and sends it to the Virtual Controller. After the VC receives this message, it draws the certificate content from the message, converts it to the right format, and saves it.
Configuration:Loading a certificate in Airwave.
- From Device Setup >> Certificates page, click ‘Add’ to upload a new certificate.
- From certificate upload, enter certificate name and choose certificate file.
- Enter the passphrase if any.
- Select appropriate format that matches the certificate file.
- Select the certificate type as ‘Captive Portal Cert’
Selecting the certificate for IAP.
Note: User **MUST** resolve configuration audit mismatches for the IAP VC before performing the activity below to avoid unexpected configuration push to IAP VC. Contact Aruba Support when need help in resolving mismatch for IAP.
- Navigate to the AMP Group in which IAP's are added.
- From Groups >> Basic page >> Aruba Instant section, select the new captive portal certificate uploaded to AMP.
- Click save and apply the push the certificate to IAP's.
Note: When using template based configuration management for IAP, ensure the template has the line "%captive_portal_cert_checksum%". This line forces AMP to audit and push captive portal certificate to VC.
Verification
AMP Log :
AMP /var/log/igc/igc.log file, shows AMP progress to push captive portal certificate to IAP.
igc.log file:
2016-09-09 16:07:26,134 INFO Group com.airwave.config.services.GroupService change type[update] for table[ap_group]
2016-09-09 16:07:26,135 INFO Message com.airwave.config.services.MessageService sending:
{"ap_id":14818,"command":"request_audit"}
2016-09-09 16:07:42,130 INFO Core[1] com.airwave.config.services.MessageService Received message with type: config
2016-09-09 16:07:42,191 INFO Message com.airwave.config.services.MessageService sending:
{"ap_id":"14818","command":"config_update","delta_config":"
cp-cert-checksum 951d876d3d48d9d00b9424d75cb099f3
"}
2016-09-09 16:07:42,508 INFO Message com.airwave.config.services.MessageService sending:
{"ap_id":14818,"command":"request_audit"}
2016-09-09 16:07:58,421 INFO Core[1] com.airwave.config.services.MessageService Received message with type: config
2016-09-09 16:07:58,460 INFO Message com.airwave.config.services.MessageService sending:
{"command":"audit_result_update","ap_id":14818,"audit_status":"Good"}
AMP debug:
To debug AMP swarm message, enable qlog debug for swarm_debug and decode the swarm debug file for topic commands. below are example messages from AMP to IAP showing cp certificate instal.
commands topic log file:
Fri Sep 9 16:07:42 2016 (1473462462.052058)
{
cmd => [
'config-audit
X-Interval: 4'
],
guid => 'ab9474ed01b3aecbb190ebadea59663faed56759c2c4f700d7'
}
Fri Sep 9 16:07:54 2016 (1473462474.303502)
{
cmd => [
'cert-install
X-Cert-Type: cp_cert
X-Cert-Format: pem_format
X-Cert-Psk: aruba123
X-Mark: more',
'-----BEGIN RSA PRIVATE KEY-----
IAP Command:
IAP cli command “show cpcert”, confirms the captive portal certificate in use.