Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

  • 1.  Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    EMPLOYEE
    Posted Oct 17, 2013 01:52 PM

    Issued October 10, 2013

     

    SUMMARY
    The default "Server Certificate" in older ArubaOS releases installed on your Mobility
    Controllers and Mobility Access Switches will expire on November 21, 2013.
    While this default certificate was never intended for production use, Aruba is aware that a
    number of our customers are using this certificate in production networks, typically for
    the Administrative WebUI and for securing the Captive Portal login screen in guest networks.
    On Mobility Controllers running ArubaOS_6.1.3.8 or ArubaOS_5.0.4.12 and earlier, and
    Mobility Access Switches running ArubaOS_MAS_7.2.3.0 and earlier, customers using the
    default Server Certificate should expect to experience the following issues when the default
    certificate expires on 11/21/2013.

     

    • Users connecting to Captive Portal or Controller’s WebUI will receive a browser warning
      showing that the server certificate has expired.

      Workaround: Users may bypass the warning (with varying degrees of difficulty
      depending on the browser) and continue on to use the system normally.

    • If EAP termination has been enabled for 802.1X, and the default certificate is being
      used as the server certificate, many client operating systems will refuse to continue
      the authentication process. This will result in an apparent network outage for these
      users. Client operating systems may or may not display a warning message to the
      user.

      Workaround: Disable EAP termination on the controller or switch and let the clients
      complete EAP exchanges directly with the authenticator (RADIUS server) as long as
      the RADIUS Server has a Server Certificate installed whose Root/Issuing Certificate
      Authority is trusted by the clients.

     

    SOLUTION

    Aruba Networks recommends the following two options, in order of preference, to replace
    the default certificate installed on the controllers.
    • Option 1: Replace the default certificate with a certificate issued by an internal
      certificate authority or a public certificate authority. *This option provides the greatest
      security*.

    • Option 2: Upgrade ArubaOS software

      o On Mobility Controllers running:
        - 6.1.3.8 and earlier – upgrade to ArubaOS 6.1.3.9 or later
        - 5.0.4.12 and earlier – upgrade to ArubaOS 5.0.4.13 or later

      o On Mobility Access Switches running:
        - 7.2.3.0 and earlier – upgrade to ArubaOS 7.2.3.1 (available Oct 30, 2013)

    This option, however, does not provide good security because all Aruba controllers
    have the same certificate and impersonation attacks are possible.

     

    More information available in the attached document. 

     

     



  • 2.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Oct 20, 2013 03:16 PM

    Thanks Sean.  Already sent a mass email to my clients.  We are already scheduling upgrades for our clients with local support with us :)

     

    Cheers

    Carlos



  • 3.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Nov 11, 2013 04:39 AM

    Hi Sean,

     

    I did 1 upgrade on a 200 controller without any issues. A customer of ours did an upgrade on 2 800's. On those the certificate wasn't replaced. Could it be that the certificate wasn't replaced in the 800 image for 5.0.4.13? 

     

    Regards,

     

    Remco



  • 4.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Nov 11, 2013 11:19 AM

    Actually I had the same issue, but when I upgraded to 6.1.3.10...  the certificate was never replaced... so I upgraded it to 6.2.1.4 and now I can see a new certificate which expires in 2017...


    The bad thing is that you cannot upgrade it to 6.2.1.4

     

    I advise you to open a support case

     

    Cheers

    Carlos



  • 5.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Nov 12, 2013 03:08 PM
    Nightshade? How did you know it was not replaced? How did you validate this?



  • 6.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Nov 12, 2013 05:14 PM

    Well you can see it by looking at the certificate here:

     

    certificate1.PNG

     

    That's my office controller, which is on 6.2.1.4

     

    Now let's see a controller which hasn't been upgraded to the proper firmware

     

    certificate3.JPG

     

     

     

    You see that it expires on 11/21/2013 in there...

     

    Now how did I get in there?

    Go to the lock in the browser like this image

    certificate4.PNG

     

    Click more information

    certificate5.PNG

     

    And there you go...

     

    You can do it on any browser... I used Mozilla

     

    Hope that helps

     

    Cheers

    Carlos
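
An added example, not part of the original thread and not Aruba tooling: a scripted form of the browser check above that reads each controller's certificate expiry and also groups controllers presenting an identical certificate, which is the shared-default-certificate concern raised in the advisory. Hostnames, the 2015 and 2017 dates and the unsigned certificate skeletons are constructed sample data; the DER walk reads only the fields needed to reach notAfter.

```python
import hashlib
from datetime import datetime, timezone

def tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Read notAfter from the validity field of a DER X.509 certificate."""
    pos = tlv(der, 0)[1]                 # into Certificate
    pos = tlv(der, pos)[1]               # into tbsCertificate
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(3):                   # skip serialNumber, signature, issuer
        pos = tlv(der, pos)[2]
    pos = tlv(der, pos)[1]               # into validity
    pos = tlv(der, pos)[2]               # skip notBefore
    tag, start, end = tlv(der, pos)
    # 0x17 is UTCTime (two-digit year), otherwise GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der[start:end].decode("ascii"), fmt)
    return when.replace(tzinfo=timezone.utc)

def audit(der_by_host, now):
    """Return (hosts with an expired cert, groups of hosts sharing one cert)."""
    groups = {}
    for host, der in der_by_host.items():
        groups.setdefault(hashlib.sha256(der).hexdigest(), []).append(host)
    expired = sorted(h for h, d in der_by_host.items() if not_after(d) <= now)
    return expired, sorted(sorted(g) for g in groups.values() if len(g) > 1)

def el(tag, body):
    return bytes([tag, len(body)]) + body  # short-form DER, sample data only

def sample_cert(serial, end):
    """Constructed, unsigned certificate skeleton (sample data, not a real cert)."""
    validity = el(0x30, el(0x17, b"080101000000Z") + el(0x17, end))
    tbs = el(0xA0, el(2, b"\x02")) + el(2, bytes([serial])) + el(0x30, b"") * 2
    return el(0x30, el(0x30, tbs + validity))

# Constructed fleet: two controllers on the old default, two on the new default, one on its own cert.
OLD_DEFAULT = sample_cert(1, b"131121000000Z")
NEW_DEFAULT = sample_cert(2, b"171121000000Z")
FLEET = {"ctrl-a": OLD_DEFAULT, "ctrl-b": OLD_DEFAULT, "ctrl-c": NEW_DEFAULT,
         "ctrl-d": NEW_DEFAULT, "ctrl-e": sample_cert(3, b"151001000000Z")}
```

For live use, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))` returns the DER bytes without validating the chain, so expired and self-signed certificates can still be read. Controllers that appear in a shared group after an upgrade are still on a common default certificate and remain candidates for Option 1.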



  • 7.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013
    Best Answer

    Posted Nov 12, 2013 05:17 PM

    For some reason when I upgraded to 6.1.3.10 that was not changed... it kept saying that the certificate was expiring on 11/21/2013 so I just upgraded it to 6.2.1.4...

     

    I saw on another controller, which is on 6.1.3.9, that it DID change it to 2017, which is okay...

     

    Cheers

    Carlos



  • 8.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Nov 13, 2013 09:37 AM
    Awesome thanks.


  • 9.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    EMPLOYEE
    Posted Nov 15, 2013 03:10 PM
    There was indeed a bug in 5.0.4.13 where it did not replace the certificate on the 800 platform. 5.0.4.14 has been released to remedy that.


  • 10.  RE: Support Advisory: ArubaOS Default Certificate Expiration 11/21/2013

    Posted Dec 05, 2013 10:17 AM
    Has anyone received any complaints about iOS devices having to accept the new certificates, and specifically iOS 7 devices having to accept multiple times?