
web-server profile

web-server profile

absolute-session-timeout <30-3600>

bypass-cp-landing-page

captive-portal-cert <name>

ciphers {high|low|medium}

exclude-http-security-headers

idp-cert <idp-cert>

mgmt-auth [certificate] [username/password]

no ...

session-timeout <session-timeout>

ssl-protocol [tlsv1 | tlsv1.1 | tlsv1.2]

switch-cert <name>

via-client-cert-port <via-client-cert-port>

web-https-port-443

web-max-clients <web-max-clients>

Description

This command configures the Mobility Master’s web server.

Syntax

absolute-session-timeout <30-3600>
    Absolute time after which a WebUI session expires following a successful authentication, regardless of activity.
    Range: 30-3600 seconds. Default: 0 (disabled).

bypass-cp-landing-page
    When this parameter is disabled (the default), the Mobility Master uses the newer captive portal redirection scheme, a landing page that includes the meta tag, which reduces CPU load on the Mobility Master. When it is enabled, the Mobility Master falls back to the older redirection scheme.
    Default: disabled.

captive-portal-cert <name>
    Name of the server certificate presented to captive portal users. Use the show crypto-local pki ServerCert command to list the server certificates installed on the Mobility Master.
    Default: default.

ciphers {high|low|medium}
    Strength of the cipher suite offered by the web server:
    high: encryption keys larger than 128 bits
    low: 56- or 64-bit encryption keys
    medium: 128-bit encryption keys
    NOTE: This parameter is not available in FIPS software images, where the cipher suite is fixed to approved values.
    Range: high, low, medium. Default: high.

exclude-http-security-headers
    Omits the security headers from the web server's HTTP responses. Leave this disabled unless a specific client cannot handle those headers; the headers are what instruct browsers to apply their own protections to the WebUI.

idp-cert <idp-cert>
    Name of the IDP certificate configured on the Mobility Master.

mgmt-auth [certificate] [username/password]
    Authentication method for management users: username/password, client certificate, or both.
    Range: username/password, certificate. Default: username/password.

no ...
    Negates any configured parameter.

session-timeout <session-timeout>
    Period of inactivity after which the WebUI session times out and the user must log in again to continue.
    Range: 30-3600 seconds. Default: 900 seconds.

ssl-protocol [tlsv1 | tlsv1.1 | tlsv1.2]
    TLS protocol version(s) the web server accepts for securing communication with clients: TLS v1, TLS v1.1, TLS v1.2. TLS 1.0 and 1.1 are deprecated (RFC 8996); configure tlsv1.2 only unless a legacy client requires otherwise.
    Range: tlsv1, tlsv1.1, tlsv1.2.

switch-cert <name>
    Name of the server certificate presented for WebUI access. Use the show crypto-local pki ServerCert command to list the server certificates installed on the Mobility Master.
    Default: default.

via-client-cert-port <via-client-cert-port>
    Port used for VIA client certificate-based authentication.

web-https-port-443
    Enables WebUI access on the HTTPS port (443). When a client connects to the WebUI on TCP port 443, the Mobility Master serves it on port 443 instead of redirecting to port 4343.

web-max-clients <web-max-clients>
    Maximum number of concurrent clients the web server supports.
    Range: 25-320. Default: 75.

Usage Guidelines

A default server certificate is installed on the Mobility Master, but it does not provide adequate security in production networks. Best practice is to replace the default certificate with a certificate issued for your site by a trusted CA. See the ArubaOS User Guide for how to generate a CSR to submit to a CA and how to import the signed certificate received from the CA into the Mobility Master. After importing the signed certificate, use the web-server profile command to select it for captive portal or WebUI access.

If you need to switch to a different certificate for captive portal or WebUI access, use the no form of the command to revert to the default certificate before specifying the new certificate (see the Example section).

You can use client certificates to authenticate management users. If you select certificate authentication, you must also configure certificate authentication for the management user with the mgmt-user webui-cacert command. Configure that mapping before restricting mgmt-auth to certificate only, so that an administrator retains a working WebUI login.

Example

The following commands configure WebUI access with client certificates only, and specify the server certificate for the Mobility Master:

(host) [/md] (config) #web-server profile

(host) [/md] (Web Server Configuration) #mgmt-auth certificate

(host) [/md] (Web Server Configuration) #switch-cert ServerCert1

(host) [/md] (Web Server Configuration) #!

(host) [/md] (config) #mgmt-user webui-cacert test_string serial 1111 admin root

To specify a different server certificate, use the no command to revert back to the default certificate before you specify the new certificate:

(host) [/md] (config) #web-server profile

(host) [/md] (Web Server Configuration) #mgmt-auth certificate

(host) [/md] (Web Server Configuration) #switch-cert ServerCert1

(host) [/md] (Web Server Configuration) #no switch-cert

(host) [/md] (Web Server Configuration) #switch-cert ServerCert2
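After applying ssl-protocol tlsv1.2 and leaving exclude-http-security-headers unset, it is worth confirming from a client that the web server really refuses older protocol versions and still sends its security headers. The script below is an added example, not code from the ArubaOS documentation or from Aruba. It assumes the WebUI is reachable at the hostname and port given on the command line (4343, or 443 when web-https-port-443 is set), treats anything below TLS 1.2 as weak, and uses a reviewer's checklist of security headers rather than the controller's exact set; the hostname controller.example.net is a placeholder.

```python
"""Added example (not from the ArubaOS reference page): verify from outside that
a web-server profile with 'ssl-protocol tlsv1.2' and without
'exclude-http-security-headers' behaves as intended.

Assumptions not stated on the page: the WebUI listens at HOST:PORT (4343, or
443 when web-https-port-443 is set); anything below TLS 1.2 is weak;
EXPECTED_HEADERS is a reviewer's checklist, not the controller's exact set.
"""
import http.client
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Ordered oldest to newest; assess_protocols() relies on this order.
TLS_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

# Headers a reviewer expects on a management UI (assumed checklist, lower-cased).
EXPECTED_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
)


def handshake_with(host: str, port: int, version: ssl.TLSVersion,
                   timeout: float = 5.0) -> Optional[bool]:
    """Attempt a handshake pinned to exactly one protocol version.

    True = server accepted it, False = server refused it,
    None = not tested (local OpenSSL cannot offer it, or host unreachable).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # probing protocol support, not server identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        # so the server's answer, not the client's policy, decides the result.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLError:
        return False
    except OSError as exc:          # unreachable host is not the same as "refused"
        print(f"connection error: {exc}", file=sys.stderr)
        return None


def probe_protocols(host: str, port: int) -> Dict[str, Optional[bool]]:
    """One pinned handshake per TLS version."""
    return {name: handshake_with(host, port, ver) for name, ver in TLS_VERSIONS.items()}


def assess_protocols(results: Dict[str, Optional[bool]],
                     minimum: str = "TLSv1.2") -> List[str]:
    """Versions below `minimum` that the server accepted (pure, testable offline)."""
    order = list(TLS_VERSIONS)
    return [name for name in order[: order.index(minimum)] if results.get(name) is True]


def fetch_headers(host: str, port: int, timeout: float = 5.0) -> Dict[str, str]:
    """GET / over HTTPS and return the response headers with lower-cased names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # the controller may still carry the default certificate
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    try:
        conn.request("GET", "/")
        return {k.lower(): v for k, v in conn.getresponse().getheaders()}
    finally:
        conn.close()


def assess_headers(headers: Dict[str, str]) -> List[str]:
    """Expected security headers that are absent (pure, testable offline)."""
    present = {k.lower() for k in headers}
    return [h for h in EXPECTED_HEADERS if h not in present]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "controller.example.net"   # assumed hostname
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 4343
    results = probe_protocols(host, port)
    for name, ok in results.items():
        print(f"{name:8} {'accepted' if ok else 'refused' if ok is False else 'not tested'}")
    weak = assess_protocols(results)
    if weak:
        print(f"FAIL: {', '.join(weak)} accepted; set 'ssl-protocol tlsv1.2' under web-server profile")
    missing = assess_headers(fetch_headers(host, port))
    if missing:
        print(f"FAIL: missing headers {missing}; check that exclude-http-security-headers is not set")
```

Run it as python3 check_webserver.py <host> [port]. A version reported as "not tested" means the local OpenSSL could not offer that protocol at all, which says nothing about the controller; rerun from a host whose OpenSSL still permits TLS 1.0/1.1 before concluding the server refuses them. Certificate identity is deliberately not verified here because the point is protocol and header behaviour; confirm which certificate is in use with show crypto-local pki ServerCert.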

Command History

Release

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

The web-server ciphers and web-server ssl-protocol commands require the PEFNG license.

Config mode on Mobility Master.
