
Managing Certificates

The Mobility Master is designed to provide secure services through the use of digital certificates. Certificates provide security when authenticating users and computers and eliminate the need for less secure password-based authentication.

This section describes the following topics:

Managing Certificates

Chained Certificates on the Remote AP

Marking the USB Device Connected as a Storage Device

Starting from ArubaOS 8.0.1.0, Mobility Master and managed devices generate a default certificate (controller-issued server certificate) that authenticates the managed device for captive portal and WebUI management access while booting. The controller-issued server certificate is used as the default certificate for WebUI authentication, 802.1X termination, and SSO.

The default self-signed server certificate in ArubaOS 8.0.0.0 is changed to the controller-issued server certificate in ArubaOS 8.0.1.0.

Aruba strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA. This section describes how to generate a CSR to submit to a CA and how to import the signed certificate received from the CA into the managed device.

The managed device supports client authentication using digital certificates for specific user-centric network services, such as AAA FastConnect, VPN (see Virtual Private Networks), and WebUI and SSH management access. Each service can employ different sets of client and server certificates.

During certificate-based authentication, the managed device provides its server certificate to the client for authentication. After validating the server certificate of the managed device, the client presents its own certificate to the managed device for authentication. To validate the client certificate, the managed device checks the CRL maintained by the CA that issued the client certificate. After validating the certificate of the client, the managed device can check the user name in the certificate with the configured authentication server (this action is optional and configurable).

When using X.509 certificates for authentication, if a banner message has been configured on the managed device, it displays before the user can log in. Click the Login button after viewing the banner message to complete the login process.
