
Adding new MDs to VMM - factory cert

Hello,

We have an AOS 8 environment consisting of a VMM and a pair of 7005 MDs. Originally, we added the local controllers during initial config using an IPSec key, and all worked OK. As we are using this setup for our RAP estate we have an externally facing interface on both 7005s. One of the requirements from pen-testing was to disable aggressive mode (crypto-local isakmp disable-aggressive-mode), and that led to a warning:

Warning: Disabling Aggressive Mode will impact othersessions which use aggressive mode
like Master-Local IKE session with PSK. Change those sessions to Cert-based

We then tried to change the discovery method to use the factory certificate, but once we did that both controllers started showing as Down on the MM.

I suppose that the first question is whether we can use cert-based controller discovery on a Virtual MM, and if the answer is yes, the second question will be why our approach failed. Thanks.

Regards,
NesaM --ACMP, ACCP, ACDP, CWNA--

All Replies

Re: Adding new MDs to VMM - factory cert

Hi NesaM,

Doing certificate-based IPSec is possible, to answer your first question.

The reason why it might fail is trust. The HW-based controllers like the 7005s will use their TPM-based certificate. But the VMM does not have a TPM chip nor a TPM-based certificate. And here is the mismatch. I described the different options here:

https://www.flomain.de/2017/12/arubaos-8-controller-deployment/

It might be helpful.

BR

Florian


visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de


Re: Adding new MDs to VMM - factory cert

Hi Florian,

Thanks for your reply. I will have a look at your blog and let you know if any of the offered solutions worked for us. Much appreciated.

Regards,
NesaM --ACMP, ACCP, ACDP, CWNA--

Re: Adding new MDs to VMM - factory cert

Great post Florian, thanks. We will use it in future. As it stands we will have to change our VMs for HW appliances.

Regards,
NesaM --ACMP, ACCP, ACDP, CWNA--

Re: Adding new MDs to VMM - factory cert

Hi NesaM,

By using Activate you don't have to. While using Activate for MM discovery, the MD will also download the self-signed CA from Activate to trust the certificate from the VMM.

BR

Florian


visit our Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ/featured
Please visit my personal blog as well:
https://www.flomain.de

Re: Adding new MDs to VMM - factory cert

Great blog Florian. Note you can also use the self-signed cert on the MM as the CA cert, and if the MD is hardware it can use the factory cert.

crypto pki export ca-cert pem self-signed

This will print out the cert in PEM format. Copy it to a file. In this example I have called it sc-root-ca.

At the folder level, import this cert as a TrustedCA.

Go to the device level in the CLI and apply the following masterip config.

masterip <master-ip> ipsec-custom-cert master-mac-1-c <MM-mac> ca-cert sc-root-ca server-cert factory-cert interface vlan <controller-vlan>

On the MM level you need to add the node.

local-custom-cert local-mac <MD-mac> ca-cert factory-ca-cert server-cert self-signed-field-cert


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294
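The step above that copies the output of crypto pki export ca-cert pem self-signed into a file is where a cert-based master/local IPsec setup most often goes wrong in practice: a stray prompt line, an echoed command or a mangled base64 line inside the file means the MD ends up trusting nothing and shows Down exactly as described in the question. The script below is an added example, not code from the thread or from Aruba: it takes the raw terminal paste, keeps only the single CERTIFICATE block, validates the base64 and the DER framing, rewrites a clean sc-root-ca.pem, and prints the SHA-256 fingerprint so the same value can be compared against the self-signed cert on the MM before the TrustedCA is imported. The CLI prompt text and the placeholder DER bytes in SAMPLE_CLI_PASTE are constructed for the demonstration and are not a real certificate.

```python
"""Sanity-check a PEM export pasted from the ArubaOS CLI before importing it as a TrustedCA.

Added example for the Airheads thread above; not Aruba code. Only the Python
standard library is used so it runs anywhere the paste can be opened.
"""
import base64
import binascii
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
_BLOCK_RE = re.compile(re.escape(BEGIN) + r"(.*?)" + re.escape(END), re.S)


class PemError(ValueError):
    """Raised when the pasted text is not exactly one well-formed PEM certificate."""


def extract_single_cert(text: str) -> bytes:
    """Return the DER bytes of the one certificate contained in `text`.

    Everything outside the BEGIN/END markers (CLI prompt, echoed command,
    paging artefacts) is ignored. Zero or several blocks is an error, because a
    TrustedCA entry must hold one CA certificate.
    """
    blocks = _BLOCK_RE.findall(text)
    if len(blocks) != 1:
        raise PemError(f"expected exactly 1 CERTIFICATE block, found {len(blocks)}")
    body = re.sub(r"\s+", "", blocks[0])          # PEM line breaks are not part of the data
    try:
        der = base64.b64decode(body, validate=True)  # reject any non-base64 character
    except binascii.Error as exc:
        raise PemError(f"base64 body is corrupt (copy/paste damage?): {exc}") from exc
    # An X.509 certificate is a DER SEQUENCE, so the first byte must be 0x30.
    if not der or der[0] != 0x30:
        raise PemError("decoded bytes do not start with an ASN.1 SEQUENCE; not a DER certificate")
    return der


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form openssl -fingerprint prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der: bytes) -> str:
    """Re-wrap DER as a clean PEM file with 64-character lines, ready to upload."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"


def is_valid_export(text: str) -> bool:
    """True when `text` holds exactly one decodable certificate block."""
    try:
        extract_single_cert(text)
        return True
    except PemError:
        return False


def check_pasted_export(text: str) -> dict:
    """Parse a raw CLI paste and return the cleaned PEM plus its fingerprint."""
    der = extract_single_cert(text)
    return {"der_len": len(der), "fingerprint": fingerprint_sha256(der), "pem": to_pem(der)}


# Constructed sample: a placeholder DER SEQUENCE (tag 0x30, length 0x10), NOT a real cert.
SAMPLE_DER = b"\x30\x10" + b"placeholder-cert"
# Constructed terminal capture: prompt, echoed command, the PEM, and the prompt again.
SAMPLE_CLI_PASTE = (
    "(MM) [mynode] #crypto pki export ca-cert pem self-signed\n"
    + to_pem(SAMPLE_DER)
    + "(MM) [mynode] #\n"
)

if __name__ == "__main__":
    result = check_pasted_export(SAMPLE_CLI_PASTE)
    print("SHA-256:", result["fingerprint"])
    with open("sc-root-ca.pem", "w") as fh:      # the file name used in the post above
        fh.write(result["pem"])
```

Run it against the real paste instead of SAMPLE_CLI_PASTE, upload the written sc-root-ca.pem as the TrustedCA, and keep the printed fingerprint: if the MD still shows Down after the masterip line is applied, comparing that fingerprint with the MM's self-signed cert tells you immediately whether the trust anchor is the problem or the configuration is.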
