Managing Certificates

The Mobility Master is designed to provide secure services through the use of digital certificates. A digital certificate is an electronic document that uses a digital signature to bind a public key to an identity (the name of a person or an organization, an address, and so forth). Certificates provide security when authenticating users and computers and eliminate the need for less secure password-based authentication.

This section describes the following topics:

About Digital Certificates

Obtaining Server Certificate

Obtaining Client Certificate

Importing Certificates

Viewing Certificate Information

Imported Certificate Locations

Checking CRLs

Chained Certificates on the Remote AP

Marking the USB Device Connected as a Storage Device

Starting from ArubaOS 8.0.1.0, Mobility Master and managed devices generate a default certificate (the controller-issued server certificate) at boot time, so that the managed device can authenticate itself for captive portal and WebUI management access. The controller-issued server certificate is used as the default certificate for WebUI authentication, 802.1X termination, and SSO (Single Sign-On).


The default self-signed server certificate of ArubaOS 8.0.0.0 is replaced by the controller-issued server certificate in ArubaOS 8.0.1.0.

Aruba strongly recommends that you replace the default certificate with a custom certificate issued for your site or domain by a trusted CA (Certificate Authority). This section describes how to generate a CSR (Certificate Signing Request) to submit to a CA and how to import the signed certificate received from the CA into the managed device.

The managed device supports client authentication using digital certificates for specific user-centric network services, such as AAA FastConnect, VPN (see Virtual Private Networks), and WebUI and SSH management access. Each service can employ a different set of client and server certificates.

During certificate-based authentication, the managed device presents its server certificate to the client. After validating the server certificate of the managed device, the client presents its own certificate to the managed device for authentication. To validate the client certificate, the managed device checks the CRL (Certificate Revocation List) maintained by the CA that issued the client certificate. After validating the client certificate, the managed device can optionally check the user name in the certificate against the configured authentication server (this check is configurable).


To ensure that clients always reach the captive portal page over SSL without certificate warnings, you must create a bundle of the chained (intermediate) certificates and concatenate that bundle to the signed server certificate as part of the web server configuration.
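One way to assemble and check such a bundle with openssl, as an added example that is not part of the ArubaOS documentation: it constructs a throwaway root/intermediate/server chain (the "Demo" CA names and controller.example.com are placeholders), writes the bundle in the order a TLS client needs (signed server certificate first, then every intermediate, never the root), and refuses a bundle whose chain does not validate.

```shell
#!/bin/sh
# Added example, not from the ArubaOS documentation: build a throwaway
# root -> intermediate -> server chain with openssl, then assemble and
# check the bundle the web server needs (server cert first, then the
# intermediates). CA names and controller.example.com are constructed.
set -e
WORK=${WORK:-$(mktemp -d)}

# Constructed demo PKI. With a real CA you already hold server.crt and
# the intermediate it sent back, so this function is not needed.
make_demo_pki() (
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:controller.example.com\n' > srv.ext
  for n in root int server; do
    openssl req -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=Demo $n" >/dev/null 2>&1
  done
  openssl x509 -req -in root.csr -signkey root.key -out root.crt \
    -days 1 -extfile ca.ext >/dev/null 2>&1
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -out int.crt -days 1 -extfile ca.ext >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -out server.crt -days 1 -extfile srv.ext >/dev/null 2>&1
)

# build_bundle <root.crt> <server.crt> <out.pem> <intermediate.crt>...
# Refuses to write a bundle whose chain does not validate to <root.crt>;
# the root is only the trust anchor for the check and is never bundled.
build_bundle() {
  root=$1; srv=$2; out=$3; shift 3
  cat "$@" > "$out.int"
  openssl verify -CAfile "$root" -untrusted "$out.int" "$srv" >/dev/null
  cat "$srv" "$out.int" > "$out"
  rm -f "$out.int"
}

# bundle_ok <root.crt> <server.crt> <bundle.pem>: succeeds only when the
# first certificate in the bundle is the server certificate and the
# intermediates after it complete the chain up to the root.
bundle_ok() {
  first=$(openssl x509 -in "$3" -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  [ "$first" = "$want" ] &&
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
}
make_demo_pki
build_bundle "$WORK/root.crt" "$WORK/server.crt" "$WORK/bundle.pem" "$WORK/int.crt"
bundle_ok "$WORK/root.crt" "$WORK/server.crt" "$WORK/bundle.pem" && echo "bundle OK"
```

On a managed device the resulting bundle.pem (plus the server private key) is what you import as the web server certificate; a bundle with the intermediate missing or placed before the server certificate fails bundle_ok, which is exactly the case that produces browser warnings on the captive portal.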

When using X.509 certificates for authentication, if a banner message has been configured on the managed device, it is displayed before the user can log in. Click the Login button after viewing the banner message to complete the login process.