2048 bits cert for guest access on arubaos 5.x?

  • 1.  2048 bits cert for guest access on arubaos 5.x?

    Posted Oct 19, 2013 02:28 PM

    looking at the recent advisory about the expiration of the built-in certificate I'm wondering about older aruba controllers (i.e. 800, 2400) which can't run 6.x. they can't use more than 1024 bits certificates for the Administrative WebUI (and EAP termination), but what about the guest portal, can they use the 2048 bits certificates there?

     

    if so, would it be possible to export the publicly signed CA certificate from a recent 6.x arubaos controller and use it just for guest access?



  • 2.  RE: 2048 bits cert for guest access on arubaos 5.x?

    EMPLOYEE
    Posted Oct 19, 2013 09:36 PM

    @boneyard wrote:

    looking at the recent advisory about the expiration of the built-in certificate I'm wondering about older aruba controllers (i.e. 800, 2400) which can't run 6.x. they can't use more than 1024 bits certificates for the Administrative WebUI (and EAP termination), but what about the guest portal, can they use the 2048 bits certificates there?

     

    if so, would it be possible to export the publicly signed CA certificate from a recent 6.x arubaos controller and use it just for guest access?


    5.x cannot use 2048 bit certificates, unfortunately.

     

    The certificate that is needed is the server certificate and the private key.  The built in server certificate and the private key cannot be exported from 6.x, unfortunately.



  • 3.  RE: 2048 bits cert for guest access on arubaos 5.x?

    Posted Oct 20, 2013 03:46 AM

    is that "cannot use 2048 bits certificates" period? because in a thread like this it seems you can "use" 2048 bits certificates for guest access in 3.x already:

    http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/Aruba6000-Version-3-4-5-1-Switched-form-1024-to-2048-bit-cert/td-p/86138

     

    with nothing mentioned about it not working in 5.x. The pdf explaining the issue only clearly mentions "ArubaOS 5.x accepts only 1024 - bit Server Certificate for Administrative WebUI." so nothing on either EAP or guest access. I can understand this might be the same for the others, but it doesn't become really clear.

     

    the export part is clear, thanks cjoseph. I assume requesting a certificate for securelogin.arubanetworks.com isn't going to be allowed if you don't own the domain. so if we would request securelogin.owndomain.com is it just a matter of changing the guest access cert to make this work right?



  • 4.  RE: 2048 bits cert for guest access on arubaos 5.x?

    EMPLOYEE
    Posted Oct 20, 2013 04:05 AM

    "If you are running any release prior to 6.1, you may use a certificate with a 2048-bit or 4096-bit key only for captive portal and WebUI. 802.1X EAP termination supports only 1024-bit keys. For WebUI or captive portal, performance is the greatest with smaller key sizes, but security is slightly reduced. "  -  This is the latest from the Support Advisory.  Things can change over time, so it is best to look at the last official set of information for the correct details.

     

    You would request a certificate for whatever domain you want, correct (yours is preferable).

     



  • 5.  RE: 2048 bits cert for guest access on arubaos 5.x?

    Posted Oct 20, 2013 05:26 AM

    sorry but I'm even more confused now, can or can't I use a 2048 bits certificate for captive portal with version 5.x (to be really specific 5.0.4.13)?

     

    the line you quote says you should be able to for captive portal and webui, while the line I quoted from the same document says you can't use 2048 bits for webui (but mentions nothing about captive portal).

     

    in my opinion it would be worth it for aruba to clarify this in an updated advisory with a simple table or such. so per use: webui, captive portal, eap termination and the certificate key size.



  • 6.  RE: 2048 bits cert for guest access on arubaos 5.x?

    EMPLOYEE
    Posted Oct 20, 2013 05:36 AM

    We will get someone to clarify. 

     

    Thank you for pointing that out.

     



  • 7.  RE: 2048 bits cert for guest access on arubaos 5.x?
    Best Answer

    EMPLOYEE
    Posted Oct 20, 2013 10:17 AM

    @boneyard wrote:

    sorry but I'm even more confused now, can or can't I use a 2048 bits certificate for captive portal with version 5.x (to be really specific 5.0.4.13)?

     

    the line you quote says you should be able to for captive portal and webui, while the line I quoted from the same document says you can't use 2048 bits for webui (but mentions nothing about captive portal).

     

    in my opinion it would be worth it for aruba to clarify this in an updated advisory with a simple table or such. so per use: webui, captive portal, eap termination and the certificate key size.


    Boneyard,

     

    The advisory has been updated to clarify.  You can use a 2048 bit certificate for both Captive Portal and WebUI on 5.x.  You just cannot use a 2048 bit for EAP Termination.

     

     http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=12213

     

     

    "If you are running any release prior to 6.1, you may use a certificate with a 2048-bit or 4096-bit key only for captive portal and WebUI.   802.1X EAP termination only supports only 1024-bit keys".

     

    Thank you for your patience.
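
The key-size rule from the updated advisory quoted in the post above, written as a pre-upload check (an added example, not part of the thread or of any Aruba tooling). It assumes an `openssl` CLI on the admin workstation; the function names, role names and the `securelogin.example.com` hostname are made up for illustration, and treating 1024-bit keys as still accepted for WebUI and captive portal is an assumption.

```shell
#!/bin/sh
# Added example: key-size pre-check for ArubaOS releases prior to 6.1,
# following the advisory text quoted in the thread.

# Print the public-key size in bits of a PEM certificate (empty on error).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_ok_for_use <cert.pem> <webui|captive-portal|eap-termination>
# Returns 0 if the key size fits that role, 1 if not, 2 on bad input.
cert_ok_for_use() {
    bits=$(cert_key_bits "$1")
    [ -n "$bits" ] || { echo "cannot read certificate: $1" >&2; return 2; }
    case "$2" in
        webui|captive-portal)
            # Assumption: 1024 stays accepted here alongside 2048 and 4096.
            case "$bits" in 1024|2048|4096) return 0 ;; esac ;;
        eap-termination)
            # Advisory: EAP termination supports only 1024-bit keys.
            [ "$bits" = 1024 ] && return 0 ;;
        *)
            echo "unknown use: $2" >&2; return 2 ;;
    esac
    echo "$1: ${bits}-bit key not supported for $2 before 6.1" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed certificate for a
# placeholder hostname; the private key is discarded straight away.
make_sample_cert() {   # make_sample_cert <bits> <out.pem>
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=securelogin.example.com" \
        -keyout "$2.key" -out "$2" 2>/dev/null && rm -f "$2.key"
}

# Optional command-line use: sh check.sh <cert.pem> <use>
if [ $# -eq 2 ]; then
    cert_ok_for_use "$1" "$2"
fi
```

Run it against the server certificate you received from your CA before uploading it, once per role the certificate is meant for.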



  • 8.  RE: 2048 bits cert for guest access on arubaos 5.x?

    Posted Oct 20, 2013 02:07 PM

    thanks for getting that clarified cjoseph.

     

    would it then be possible to also add the 2048 bits certificate to a new 5.x release so customers still can use an Aruba provided publicly CA signed certificate?



  • 9.  RE: 2048 bits cert for guest access on arubaos 5.x?

    EMPLOYEE
    Posted Oct 20, 2013 02:17 PM

    @boneyard wrote:

    thanks for getting that clarified cjoseph.

     

    would it then be possible to also add the 2048 bits certificate to a new 5.x release so customers still can use an Aruba provided publicly CA signed certificate?


    Boneyard,

      

     

    Aruba has for years recommended replacing all certificates with your own cert and not using the built-in ones.  The new 2048 bit built-in certificate for the Administration WebUI and Captive Portal will be self-signed to reflect the fact that it is a security best practice to replace it.

     



  • 10.  RE: 2048 bits cert for guest access on arubaos 5.x?

    Posted Oct 21, 2013 04:00 AM

    Totally understandable, still for the 6.x version it seems (mentioned in the advisory) a new certificate signed by a public CA is provided. But for the 5.x version this doesn't happen, while we now have determined it can be used. So why the difference?



  • 11.  RE: 2048 bits cert for guest access on arubaos 5.x?

    EMPLOYEE
    Posted Oct 21, 2013 06:00 AM

    @boneyard wrote:

    Totally understandable, still for the 6.x version it seems (mentioned in the advisory) a new certificate signed by a public CA is provided. But for the 5.x version this doesn't happen, while we now have determined it can be used. So why the difference?


    If I had to guess, I would say it is because ArubaOS 5.x  (1) is end of sale (2) Users should be using the most secure option, which is replacing it with their own certificate or one signed by a public CA.



  • 12.  RE: 2048 bits cert for guest access on arubaos 5.x?

    Posted Oct 21, 2013 03:02 PM

    fair point, though 5.x is still in development till 2015 and supported till 2016 according to the official info. 6.x gets a new certificate, so security is less important there?

     

    ah well, not going to get this resolved further I'm afraid, thank you for the quick update on the advisory cjoseph.



  • 13.  RE: 2048 bits cert for guest access on arubaos 5.x?

    EMPLOYEE
    Posted Oct 21, 2013 03:16 PM

    @boneyard wrote:

    Totally understandable, still for the 6.x version it seems (mentioned in the advisory) a new certificate signed by a public CA is provided. But for the 5.x version this doesn't happen, while we now have determined it can be used. So why the difference?


    Boneyard,

     

    For every installation, if you keep the same factory certificate, it is the same on EVERY installation, so that is not secure.  Aruba was just doing a favor by making it a public certificate, but it is exactly the same, so it is no more secure than the exact same self-signed certificate.