Authentication Certificates

A certificate is a digital file that certifies the identity of the organization or products of the organization. It is also used to establish your credentials for any web transactions. It contains the organization name, a serial number, expiration date, a copy of the certificate-holder's public key The part of a public-private key pair that is made public. The public key encrypts a message and the message is decrypted with the private key of the recipient., and the digital signature of the certificate-issuing authority so that a recipient can ensure that the certificate is real.

There is a default server certificate installed in the controller to demonstrate the authentication of the controller for Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. and WebUI management access. However, this certificate does not guarantee security in production networks. Aruba strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate..

Instant supports the following certificate files:

Authentication server (PEM format)

Captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server (PEM format)—Customized certificate for internal captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server

CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate (PEM or DER format)

RadSec certificate (PEM or DER format)

WebUI certificate (PEM format)

This section describes the following procedures:

Loading Certificates in the WebUI

Loading Certificates Through Instant CLI

Removing Certificates

Loading Certificates Through AirWave

Loading Certificates in the WebUI

Table 1: Loading Certificates in the WebUI
New WebUI	Old WebUI
1. Navigate to the Maintenance > Certificates page. 2. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed. 3. Browse and select the file to upload. Select any of the following types of certificates from the Certificate type drop-down list: a. CA—CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate to validate the identity of the client. b. Auth Server—The authentication server certificate to verify the identity of the server to the client. c. Captive portal server—Captive portal server certificate to verify the identity of internal captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server to the client. d. RadSec—The RadSec server certificate to verify the identity of the server to the client. e. RadSec CA—The RadSec CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate for mutual authentication between the Instant AP clients and the TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. server. f. WebUI—Customized certificate for WebUI management. 4. Select the certificate format from the Certificate format drop-down list. 5. If you have selected Auth Server, Captive portal server, WebUI, or RadSec as the type of certificate, enter a passphrase in Passphrase and retype the passphrase. If the certificate does not include a passphrase, there is no passphrase required. 6. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.	1. Click the Maintenance link located directly above the Search bar in the Instant main window. 2. Click the Certificates tab. The Certificates tab contents are displayed. 3. To upload a certificate, click Upload New Certificate. The New Certificate window is displayed. 4. Browse and select the file to upload. Select any of the following types of certificates from the Certificate type drop-down list: a. CA—CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate to validate the identity of the client. b. Auth Server—The authentication server certificate to verify the identity of the server to the client. c. Captive portal server—Captive portal server certificate to verify the identity of internal captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server to the client. d. RadSec—The RadSec server certificate to verify the identity of the server to the client. e. RadSec CA—The RadSec CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate for mutual authentication between the Instant AP clients and the TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. server. f. WebUI—Customized certificate for WebUI management. 5. Select the certificate format from the Certificate format drop-down list. 6. If you have selected Auth Server, Captive portal server, WebUI, or RadSec as the type of certificate, enter a passphrase in Passphrase and retype the passphrase. If the certificate does not include a passphrase, there is no passphrase required. 7. Click Browse and select the appropriate certificate file, and click Upload Certificate. The Certificate Successfully Installed message is displayed.
NOTE: The Instant AP database can have only one authentication server certificate and one captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server certificate at any point in time. NOTE: When a Captive Portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server certificate is uploaded with the WebUI option selected, the default management certificate on the Instant WebUI is also replaced by the Captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server certificate.

Loading Certificates Through Instant CLI

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. command uploads a CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate., server, WebUI, or captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. certificate:

(Instant AP)# copy tftp <ip-address> <filename> {cpserver cert <password> format {p12|pem}| radsec {ca|cert <password>} format pem|system {1xca format {der|pem}| 1xcert <password> format pem} uiserver cert <password> format pem}

(Instant AP)# download-cert radsec ftp://192.0.2.7 format pem [psk <psk>]

(Instant AP)# download-cert radsecca ftp://192.0.2.7 format pem

Removing Certificates

(Instant AP)# clear-cert {ca|cp|radsec|radsecca|server}

Loading Certificates Through AirWave

You can manage certificates using AirWave. The AMP AirWave Management Platform. AMP is a network management system for configuring, monitoring, and upgrading wired and wireless devices on your network. directly provisions the certificates and performs basic certificate verification (such as certificate type, format, version, serial number, and so on) before accepting the certificate and uploading to an Instant AP network. The AMP AirWave Management Platform. AMP is a network management system for configuring, monitoring, and upgrading wired and wireless devices on your network. packages the text of the certificate into an HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. message and sends it to the virtual controller. After the virtual controller receives this message, it draws the certificate content from the message, converts it to the right format, and saves it on the RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources. server.

To load a certificate in AirWave:

1. Navigate to Device Setup > Certificates and then click Add to add a new certificate. The Certificate window is displayed.

2. Enter the certificate Name, and click Choose File to browse and upload the certificate.

3. Select the appropriate Format that matches the certificate filename.

Select Server Cert for certificate Type, and provide the passphrase if you want to upload a server certificate.

Select either Intermediate CA or Trusted CA certificate Type, if you want to upload a CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. certificate.

4. After you upload the certificate, navigate to Groups, click the Instant Group and then select Basic. The Group name is displayed only if you have entered the Organization name in the WebUI. For more information, see Shared Key for further information.

The Virtual Controller Certificate section displays the certificates (CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. cert and Server).

5. Click Save to apply the changes only to AirWave. Click Save and Apply to apply the changes to the Instant AP.

6. To clear the certificate options, click Revert.

Loading Customized Certificates from AirWave

AirWave also provides users with the option of uploading customized certificates on the Instant AP. The customized certificate is uploaded on AirWave and then pushed to the Instant AP from the AirWave UI User Interface..

Before uploading the new customized certificate, ensure that you uninstall any existing customized certificates on the Instant AP:

(Instant AP)# clear-cert-airwaveca

Upload the customized certificate to AirWave and push it to the Instant AP. Refer to Loading Certificates Through AirWave

Once the new customized certficate is uploaded to the Instant AP, verify the certfication installation using the following command:

(Instant AP)# show ap checksum

Perform these steps after you have verified that the new customized certificate is successfully installed on the Instant AP:

1. Delete PSK Pre-shared key. A unique shared secret that was previously shared between two parties by using a secure channel. This is used with WPA security, which requires the owner of a network to provide a passphrase to users for network access. configuration from the Instant AP using the following command:

(Instant AP)(config)# no ams-key

2. Add a DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. server and link the AMP AirWave Management Platform. AMP is a network management system for configuring, monitoring, and upgrading wired and wireless devices on your network. IP address with the domain name of the new customized certificate.

3. Configure the AMP AirWave Management Platform. AMP is a network management system for configuring, monitoring, and upgrading wired and wireless devices on your network. IP address

(Instant AP)(config)# ams-ip <domain_name>

4. In the AirWave UI User Interface., navigate to AMP Setup > General > Aruba Instant Options > Change SSL Change and click Change. Ensure you delete the ams-key for cert-only mode or cert and psk mode.

5. Add the Instant AP to AMP AirWave Management Platform. AMP is a network management system for configuring, monitoring, and upgrading wired and wireless devices on your network. again.