Mapping AP Certificates

APs can have numerous types of certificates. For example, factory installed device certificate required for perpetuity, user uploaded certificates, certificates used for Classic Central and Activate, or certificates provisioned under EST. As part of AP group configuration, when an AP joins or is moved to a new group that mandates specific certificate usage criteria, those certificates are uploaded or provisioned as per configuration. As part of the group-certificate usage, some existing certificates may be updated or replaced. For example, the previous group may have used the TPM Trusted Platform Module. TPM is an international standard for a secure cryptoprocessor, which is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. factory certificate for AP1X, but the new group may specify a customer user certificate.

On Classic Central, when AP is configured to use EST certificate, Radsec uses EST client certificate and can have custom CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. for TLS Transport Layer Security. TLS is a cryptographic protocol that provides communication security over the Internet. TLS encrypts the segments of network connections above the Transport Layer by using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity. connection.

To map an AP certificate name to a specific certificate type or category, complete the following steps:

1. In the WebUI, set the filter to a group containing at least one AP.

   The dashboard context for the group is displayed.

2. Under Manage, click Devices > Access Points.

   A list of APs is displayed in the List view.

3. Click the Config icon.

   The tabs to configure the APs are displayed.

4. Click Show Advanced.
5. Click the Security tab.

   The Security page is displayed.

6. Expand the Certificate Usage accordion.
7. To map a certificate, for each usage type under Usage Type, select the suitable certificate from the Certificate drop-down list:
   • Certificate Authority—To verify the identity of a client.
   • Authentication Server—To verify the identity of the server to a client.
   • Captive Portal—To verify the identity of internal captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users. server.

     The following option defines the following URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet.:

     • default refers securelogin.arubanetworks.com
     • aruba_default refers securelogin.hpe.com

   • Radsec use EST Server—Turn on the Radsec use EST Server toggle switch to allow EST certificates to be used in RadSec applications.

     • To enable Radsec use EST Server, you must enable EST Activate in EST Profile.
     • If Radsec use EST Server is enabled, RadSec Client Cert is disabled in Certificate Usage.
   • RadSec Client Cert—Certificate used by the AP to identify itself to the RadSec server.
   • RadSec CA—To validate the certificate presented by the TLS (RadSec) server.
   • Clearpass—To verify the identity of the ClearPass ClearPass is an access management system for creating and enforcing policies across a network to all devices and applications. The ClearPass integrated platform includes applications such as Policy Manager, Guest, Onboard, OnGuard, Insight, Profile, QuickConnect, and so on. server.

   • AP1X CA—Sets the CA certificate used for 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority. authentication.

   • AP1X Client Cert—Sets the certificate used for 802.1X authentication.

   • WebCC CA Cert—Sets the CA certificate used for web content classification.

   • IOT CA Cert—Sets the CA certificate used for IoT Internet of Things. IoT refers to the internetworking of devices that are embedded with electronics, software, sensors, and network connectivity features allowing data exchange over the Internet..

8. Click Save Settings.