Configuring EST on the Controller
You can configure multiple EST profiles on a Controller, each with different parameters, using the CLI, but only one profile can be activated at a time, using a global (non-profile) command.
Important Points to Remember
For smooth deployment, EST activation should be done first on the MM and then on the MDs.
EST server configuration should be common across all the Controllers deployed in the enterprise.
Prerequisites
Before configuring EST, ensure you complete the following prerequisites:
1. Import the CA or signing authority of the EST server's SSL certificate on the Controller. For more information on importing certificates, refer to Managing Certificates.
2. Ensure time synchronization between all the devices involved in EST enrollment. For more information on time synchronization, refer to Clock Synchronization.
3. If the EST profile contains an FQDN as the server host, ensure that the DNS server and domain name are configured on the enrolling devices. For information on configuring a DNS server and a DNS name, refer to Configuring DHCP Address pool.
4. If the EST server port is different from the default port 443, ensure the corporate firewall allows the configured port.
5. Ensure that the server-host configured as part of the EST profile matches the Common Name or SubjectAltName field of the EST server's certificate, which is presented during the SSL handshake.
6. For Remote AP deployments, if the IPsec inner pool address range is not routable within the enterprise network, configure a route source NAT rule so that EST traffic is source-NATed to the Controller's IP address before it reaches the EST server. The route srcnat rule should match only the EST server as the destination host and the port number configured in the EST profile. For more information on configuring route source NAT, refer to Enabling Remote AP Advanced Configuration Options.
7. When ClearPass Policy Manager is used as the EST server, its default EST services are enabled with the SHA512 RSA signature, which is unsupported on the AP. The RSA signature setting must be changed to either SHA256 or SHA384 so that EST enrollment succeeds on both the AP and the Controller.
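Prerequisite 5 is the check that most often fails silently in the field: the server-host value must be one of the names the EST server's certificate actually carries. The following added example (not part of this documentation or of ArubaOS) shows the matching rule a TLS client applies, run over constructed sample certificate names; the name list stands in for a parsed certificate and is not a real certificate.

```python
"""Check that an EST profile's server-host matches the EST server certificate.

Added example, not part of the ArubaOS documentation or product code. It
models prerequisite 5 above: the server-host value must match the Common
Name or a SubjectAltName entry of the EST server's certificate, or the SSL
handshake fails. The certificate fields below are constructed sample data
standing in for a parsed certificate, not a real certificate.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample: the names a parsed EST server certificate might carry.
SAMPLE_CERT_NAMES = {
    "common_name": "est.corp.example",
    "sans": [
        ("DNS", "est.corp.example"),
        ("DNS", "*.pki.corp.example"),
        ("IP", "10.10.1.20"),
    ],
}


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one DNS name from the certificate against the configured host.

    Comparison is case-insensitive and ignores a trailing dot. A leading
    "*." wildcard matches exactly one label, as TLS clients treat it:
    *.pki.corp.example covers ra1.pki.corp.example but not
    a.b.pki.corp.example and not pki.corp.example itself.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".pki.corp.example"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return pattern == host


def server_host_matches(server_host: str, common_name: Optional[str],
                        sans: List[Tuple[str, str]]) -> bool:
    """Return True when server_host is covered by the certificate's names.

    sans holds (type, value) pairs from SubjectAltName, e.g. ("DNS", ...)
    or ("IP", ...). A server-host given as an IP address is compared only
    against IP entries (and an IP literal in the CN), never against DNS
    names; a hostname is compared only against DNS names and the CN.
    """
    try:
        wanted_ip = ipaddress.ip_address(server_host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        candidates = [v for t, v in sans if t == "IP"]
        if common_name:
            candidates.append(common_name)
        for value in candidates:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # CN was a hostname, not an IP literal
        return False

    candidates = [v for t, v in sans if t == "DNS"]
    if common_name:
        candidates.append(common_name)
    return any(dns_name_matches(value, server_host) for value in candidates)


def check_server_host(server_host: str) -> bool:
    """Check a profile's server-host value against the constructed sample certificate."""
    return server_host_matches(server_host, SAMPLE_CERT_NAMES["common_name"],
                               SAMPLE_CERT_NAMES["sans"])


if __name__ == "__main__":
    for host in ("est.corp.example", "ra1.pki.corp.example", "10.10.1.20", "est.other.example"):
        print(f"{host:25s} -> {'ok' if check_server_host(host) else 'MISMATCH'}")
```

Run it before pushing a profile: a server-host that prints MISMATCH here will fail the SSL handshake on the Controller and the AP in the same way, and the fix is either a different server-host value or a server certificate that carries that name.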
Enhancements to EST Profile
Starting from ArubaOS 8.6.0.0, the following EST enhancements can be configured by the user:
• Users can configure a username and password for authentication. These credentials are sent during the enrollment process, and the server uses them to authenticate the client.
Username/password authentication and challenge-password authentication are mutually exclusive; only one of the two methods can be used. The CLI and WebUI return an error when both authentication methods are configured at the same time.
• Users can configure the optional Organizational Unit Name (OU) parameter in the EST profile. If this field is configured, the OU is inserted in the CSR and subsequently becomes part of the enrolled EST certificate.
• Users can configure arbitrary labels for EST enrollment and re-enrollment to perform different EST operations. The arbitrary label is used for CA certificate operations. The arbitrary enrollment label and the arbitrary re-enrollment label are used for CSR Attributes operations. These two labels are optional parameters; if they are not configured, the default arbitrary label is used for enrollment and re-enrollment with the EST server.
• The EST client uses the already enrolled certificates during re-enrollment.
• Users can change the credentials in an already activated EST profile and use the new credentials without de-activating and re-activating the profile. This avoids an unnecessary AP reboot when credentials change. Only the username, password, and challenge-password fields can be changed; changes to the other profile parameters are not allowed.
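The enhancements above amount to three rules a profile must satisfy: the two authentication methods are mutually exclusive, each label selects the EST path for one class of operation with a fallback to the arbitrary label, and an activated profile accepts changes only to its credential fields. The following added example (not ArubaOS code, and not this documentation's own) encodes those rules so a profile can be checked before it is configured; the https://<host>:<port>/.well-known/est/<label>/<operation> path layout is the RFC 7030 convention and is an assumption about how the labels appear on the wire, and all profile values are constructed samples.

```python
"""Model the EST profile rules described in the enhancements above.

Added example, not ArubaOS code. It encodes three documented constraints so
a profile can be checked before it is configured: username/password and
challenge-password are mutually exclusive; the arbitrary label is used for
CA certificate operations while the enrollment and re-enrollment labels are
used for CSR Attributes operations, falling back to the arbitrary label when
unset; and only the username, password and challenge-password fields may
change on an activated profile. The /.well-known/est/<label>/<operation>
path layout is the RFC 7030 convention (an assumption about the wire
format); the profile values are constructed samples.
"""
from dataclasses import dataclass, replace
from typing import List

DEFAULT_EST_PORT = 443

# Fields that may be edited on an activated profile without de-activating
# it (so without an AP reboot); everything else requires re-activation.
CREDENTIAL_FIELDS = frozenset({"username", "password", "challenge_password"})


@dataclass(frozen=True)
class EstProfile:
    name: str
    server_host: str
    trustanchor_name: str
    server_port: int = DEFAULT_EST_PORT
    arbitrary_label: str = ""
    arbitrary_label_enrollment: str = ""
    arbitrary_label_reenrollment: str = ""
    organizational_unit_name: str = ""
    username: str = ""
    password: str = ""
    challenge_password: str = ""


def validate(profile: EstProfile) -> List[str]:
    """Return the configuration errors for a profile (empty when it is valid)."""
    errors = []
    if (profile.username or profile.password) and profile.challenge_password:
        errors.append("username/password and challenge-password are mutually exclusive")
    if not profile.server_host:
        errors.append("server-host is required")
    if not profile.trustanchor_name:
        errors.append("trustanchor-name is required")
    if not 1 <= profile.server_port <= 65535:
        errors.append("server-port must be between 1 and 65535")
    return errors


def est_url(profile: EstProfile, operation: str) -> str:
    """Build the EST URL for one operation from the profile's labels.

    "cacerts" uses the arbitrary label; "csrattrs-enroll" and
    "csrattrs-reenroll" use the enrollment and re-enrollment labels and fall
    back to the arbitrary label when those are not configured.
    """
    endpoints = {
        "cacerts": "cacerts",
        "csrattrs-enroll": "csrattrs",
        "csrattrs-reenroll": "csrattrs",
    }
    if operation not in endpoints:
        raise ValueError(f"unknown EST operation {operation!r}")
    if operation == "cacerts":
        label = profile.arbitrary_label
    elif operation == "csrattrs-enroll":
        label = profile.arbitrary_label_enrollment or profile.arbitrary_label
    else:
        label = profile.arbitrary_label_reenrollment or profile.arbitrary_label
    base = f"https://{profile.server_host}:{profile.server_port}/.well-known/est"
    if label:
        return f"{base}/{label}/{endpoints[operation]}"
    return f"{base}/{endpoints[operation]}"


def apply_change(active: EstProfile, **changes) -> EstProfile:
    """Apply edits to an activated profile, accepting only credential fields."""
    rejected = sorted(set(changes) - CREDENTIAL_FIELDS)
    if rejected:
        raise ValueError(f"cannot change {rejected} on an activated profile; de-activate it first")
    updated = replace(active, **changes)
    errors = validate(updated)
    if errors:
        raise ValueError("; ".join(errors))
    return updated


# Constructed sample profile (values are not from any real deployment).
SAMPLE_PROFILE = EstProfile(
    name="est-corp",
    server_host="est.corp.example",
    trustanchor_name="corp-root-ca",
    arbitrary_label="aruba",
    arbitrary_label_enrollment="aruba-enroll",
    username="ap-enroll",
    password="constructed-sample-password",
)

if __name__ == "__main__":
    print("errors:", validate(SAMPLE_PROFILE) or "none")
    for op in ("cacerts", "csrattrs-enroll", "csrattrs-reenroll"):
        print(f"{op:18s} {est_url(SAMPLE_PROFILE, op)}")
```

The sample profile leaves the re-enrollment label unset, so the csrattrs-reenroll URL falls back to the arbitrary label while the enrollment URL uses its own; apply_change rotates the password in place but refuses a server-port edit, and also refuses a challenge-password on a profile that already carries a username, which is the same error the CLI and WebUI report.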
Configuring an EST Profile
The following procedure describes how to configure a new EST profile.
1. Before configuring an EST profile, you must import the trusted CA to the Controller.
a. In the node hierarchy, navigate to the tab.
b. Click in the section.
c. Enter the name of the trusted CA in the text box.
d. Enter the certificate filename of the trusted CA in the text box. Click the button to enter the full pathname.
e. Enter an and re-type the passphrase.
f. Select a certificate format from the drop-down list. You can import certificates of format PEM, DER, and PKCS7.
g. Select from the Certificate type drop-down list.
h. Click . The certificate appears in the section.
2. To configure a new EST profile on the Controller using the WebUI:
a. In the node hierarchy, navigate to the tab.
b. In the menu, expand .
c. In the , click to create a new profile.
d. Enter a name for the EST profile in the text box.
e. Enter the hostname of the EST server in the text box.
f. The default Server port is 443. You may choose to enter a different EST server port in the Server port text box.
g. You can optionally enter a password in the text box.
h. If you chose to enter a challenge password, retype the password in the text box.
i. Enter an arbitrary label in the text box.
j. Enter the certificate name of the EST server (same as in Step 1c) in the textbox.
k. Enter the Organizational Unit Name in the text box.
l. Enter an arbitrary enrollment label in the text box.
m. Enter an arbitrary re-enrollment label in the text box.
n. Enter the and for EST authentication.
o. Click . The EST profile appears under the section of the menu.
3. To complete EST enrollment on the Controller, you must activate the EST profile.
a. In the node hierarchy, navigate to the tab.
b. Expand the accordion.
c. Set the Enable certificate provisioning using EST protocol toggle switch to active.
d. Select the EST profile from the drop-down list.
e. Click .
The following CLI commands configure a new EST profile.
(host) [mynode] (config)# est profile <profile_name>
(host) [mynode] (EST Profile <profile_name>)# arbitrary-label <arbitrary-label>
(host) [mynode] (EST Profile <profile_name>)# arbitrary-label-enrollment <arbitrary enrollment label>
(host) [mynode] (EST Profile <profile_name>)# arbitrary-label-reenrollment <arbitrary reenrollment label>
(host) [mynode] (EST Profile <profile_name>)# challenge-password <password>
(host) [mynode] (EST Profile <profile_name>)# clone <source>
(host) [mynode] (EST Profile <profile_name>)# organizational-unit-name <organizational-unit-name>
(host) [mynode] (EST Profile <profile_name>)# server-host <IPv4 address/hostname>
(host) [mynode] (EST Profile <profile_name>)# server-port <port_number>
(host) [mynode] (EST Profile <profile_name>)# trustanchor-name <name>
(host) [mynode] (EST Profile <profile_name>)# username <username>
(host) [mynode] (EST Profile <profile_name>)# password <password>
(host) [mynode] (EST Profile <profile_name>)# end
Activate an EST profile using the CLI
The following CLI command activates an existing EST profile.
(host) [mynode] (config)# est-activate <profile_name>