Configuring EST on the Controller

You can configure multiple EST profiles with different parameters on a Controller using the CLI, but only one profile can be active at a time; it is activated with a global (non-profile) command.


Important Points to Remember

For smooth deployment, EST activation should be done first on the MM and then on the MDs.

EST server configuration should be common across all the Controllers deployed in the enterprise.

Prerequisites

Before configuring EST, ensure you complete the following prerequisites:

1. Import the CA or signing authority of the EST server's SSL certificate on the Controller. For more information on importing certificates, refer to Managing Certificates.

2. Ensure time synchronization between all the devices involved in EST enrollment. For more information on time synchronization, refer to Clock Synchronization.

3. If the EST profile contains an FQDN as the server host, ensure that the DNS server and domain name are configured on the enrolling devices. For information on configuring a DNS server and a DNS name, refer to Configuring DHCP Address pool.

4. If the EST server port is different from the default port 443, ensure the corporate firewall allows the configured port.

5. Ensure that the server-host configured as part of the EST profile matches the Common Name or a SubjectAltName entry of the EST server's certificate, which is presented during the SSL handshake.

6. For Remote AP deployments, if the IPsec inner pool address range is not routable within the enterprise network, it is recommended to configure a route source NAT rule so that traffic is source-NATed to the Controller's IP address before it reaches the EST server. The route source NAT rule should match only the EST server as the destination host and the port number configured in the EST profile. For more information on configuring route source NAT, refer to Enabling Remote AP Advanced Configuration Options.

7. When ClearPass Policy Manager is used as the EST server, the default EST services are enabled with the SHA512 RSA signature, which is unsupported on the AP. The RSA signature setting must be changed to either SHA256 or SHA384 in order to enroll EST successfully on both the AP and the Controller.

Enhancements to EST Profile

Starting from ArubaOS 8.6.0.0, the following EST enhancements can be configured by the user:

• Users can configure a username and password for authentication. These credentials are sent during the enrollment process, and the server uses them to authenticate the client.

Note: Username/password authentication and challenge-password authentication are mutually exclusive; only one of the two methods can be used. The CLI and the WebUI return an error when both authentication methods are configured at the same time.

• Users can configure the optional Organizational Unit Name (OU) parameter in the EST profile. If this field is configured, the OU is inserted in the CSR and subsequently becomes part of the enrolled EST certificate.

• Users can configure arbitrary labels for EST enrollment and re-enrollment to perform different EST operations. The arbitrary label is used for CA cert operations. The arbitrary enrollment label and the arbitrary re-enrollment label are used for CSR Attributes operations. These two labels are optional parameters; if they are not configured, the default arbitrary label is used for both enrollment and re-enrollment with the EST server.

• The EST client uses the already enrolled certificate during re-enrollment.

• Users can change the credentials in an already activated EST profile and use the new credentials without de-activating and re-activating the profile. This avoids an unnecessary AP reboot when changing credentials. Only the username, password and challenge-password fields may be changed; changes to any other profile parameter are not allowed on an active profile.
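The checks a practitioner would want to run before activating a profile, covering the server-host versus certificate rule in prerequisite 5, the mutually exclusive authentication methods, and the label fallback described above, as an added example that is not Aruba's code. The profile keys mirror the CLI parameter names, the certificate dict is a constructed stand-in in the shape Python's ssl module returns, and the URL layout is the one RFC 7030 defines, not something this page states.

```python
# Added example, not Aruba's code: pre-activation checks for an EST profile
# against the constraints this page states. Keys mirror the CLI parameter
# names; the cert dict is a constructed stand-in shaped like the value
# ssl.SSLSocket.getpeercert() returns.
import ipaddress

def _name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host

def server_host_matches_cert(server_host: str, cert: dict) -> bool:
    """Prerequisite 5: server-host must match the CN or a subjectAltName."""
    sans = cert.get("subjectAltName", ())
    try:  # an IP literal must match an 'IP Address' SAN entry exactly
        ip = ipaddress.ip_address(server_host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in sans)
    except ValueError:
        pass  # not an IP literal: compare against DNS SANs and the CN
    names = [v for k, v in sans if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn
              if k == "commonName"]
    return any(_name_matches(n, server_host) for n in names)

def auth_method_conflict(profile: dict) -> bool:
    """Username/password and challenge-password are mutually exclusive."""
    userpass = bool(profile.get("username") or profile.get("password"))
    return userpass and bool(profile.get("challenge-password"))

def est_paths(profile: dict) -> dict:
    """RFC 7030 paths with labels assigned as the page describes: arbitrary-label
    for CA cert ops; enroll/re-enroll labels (default: arbitrary-label) for CSR Attributes."""
    base = profile.get("arbitrary-label", "")
    enroll = profile.get("arbitrary-label-enrollment") or base
    reenroll = profile.get("arbitrary-label-reenrollment") or base
    def path(label, op):  # an empty label selects the server's default label
        return "/.well-known/est/" + (f"{label}/{op}" if label else op)
    return {"cacerts": path(base, "cacerts"),
            "csrattrs_enroll": path(enroll, "csrattrs"),
            "csrattrs_reenroll": path(reenroll, "csrattrs")}

# Constructed sample data, not from a real deployment.
SAMPLE_CERT = {"subject": ((("commonName", "est.example.com"),),),
               "subjectAltName": (("DNS", "est.example.com"),
                                  ("DNS", "*.pki.example.com"), ("IP Address", "192.0.2.10"))}
SAMPLE_PROFILE = {"server-host": "est.example.com", "arbitrary-label": "aruba",
                  "arbitrary-label-enrollment": "ap", "challenge-password": "s3cret"}
```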

Configuring an EST Profile

The following procedure describes how to configure a new EST profile.

1. Before configuring an EST profile, you must import the trusted CA to the Controller.

a. In the Mobility Master node hierarchy, navigate to the Configuration > System > Certificates tab.

b. Click + in the Import Certificates section.

c. Enter the name of the trusted CA in the Certificate name text box.

d. Enter the certificate filename of the trusted CA in the Certificate filename text box. Click the Browse button to enter the full pathname.

e. Optionally, enter a passphrase and re-type it to confirm.

f. Select a certificate format from the Certificate format drop-down list. You can import certificates in PEM, DER, or PKCS7 format.

g. Select TrustedCA from the Certificate type drop-down list.

h. Click Submit. The certificate appears in the Import Certificates section.

2. To configure a new EST profile on the Controller using the WebUI:

a. In the Mobility Master node hierarchy, navigate to the Configuration > System > Profiles tab.

b. In the All Profiles menu, expand EST profile > EST.

c. In the EST Profile: New Profile section, click + to create a new profile.

d. Enter a name for the EST profile in the Profile name text box.

e. Enter the hostname of the EST server in the Server host text box.

f. The default Server port is 443. You may choose to enter a different EST server port in the Server port text box.

g. You can optionally enter a password in the Challenge password text box.

h. If you chose to enter a challenge password, retype the password in the Retype text box.

i. Enter an arbitrary label in the Arbitrary label text box.

j. Enter the certificate name of the EST server (same as in Step 1c) in the Server's CA cert name textbox.

k. Enter the Organizational Unit Name in the Organizational Unit Name text box.

l. Enter an arbitrary enrolment label in the Arbitrary enrolment label text box.

m. Enter an arbitrary reenrollment label in the Arbitrary reenrollment label text box.

n. Enter the Username and password for EST authentication.

o. Click Submit. The EST profile appears under the EST Profile > EST section of the All Profiles menu.

3. To complete EST enrollment on the Controller, you must activate the EST profile.

a. In the Mobility Master node hierarchy, navigate to the Configuration > System > Certificates tab.

b. Expand the Enrollment over Secure Transport accordion.

c. Set the Enable certificate provisioning using EST protocol toggle switch to active.

d. Select the EST profile from the EST server drop-down list.

e. Click Submit.

The following CLI commands configure a new EST profile.

(host) [mynode] (config)# est profile <profile_name>

(host) [mynode] (EST Profile <profile_name>)# arbitrary-label <arbitrary-label>

(host) [mynode] (EST Profile <profile_name>)# arbitrary-label-enrollment <arbitrary-enrollment-label>

(host) [mynode] (EST Profile <profile_name>)# arbitrary-label-reenrollment <arbitrary-reenrollment-label>

(host) [mynode] (EST Profile <profile_name>)# challenge-password <password>

(host) [mynode] (EST Profile <profile_name>)# clone <source>

(host) [mynode] (EST Profile <profile_name>)# organizational-unit-name <organizational-unit-name>

(host) [mynode] (EST Profile <profile_name>)# server-host <IPv4 address/hostname>

(host) [mynode] (EST Profile <profile_name>)# server-port <port_number>

(host) [mynode] (EST Profile <profile_name>)# trustanchor-name <name>

(host) [mynode] (EST Profile <profile_name>)# username <username>

(host) [mynode] (EST Profile <profile_name>)# password <password>

(host) [mynode] (EST Profile <profile_name>)# end

Activate an EST profile using the CLI

The following CLI command activates an existing EST profile.

(host) [mynode] (config)# est-activate <profile_name>