Configuring Certificate Authentication for WebUI Access

The managed device supports client certificate authentication for users accessing the WebUI. (The default is for username and password authentication.) You can use client certificate authentication only or client certificate authentication with username and password (if certificate authentication fails, the user can log in with a configured username and password).

Each managed device can support a maximum of ten management users.

To use client certificate authentication, you must do the following:

  1. Obtain a client certificate and import the certificate into the managed device. Obtaining and importing a client certificate is described in Managing Certificates.
  2. Configure certificate authentication for WebUI management. You can optionally also select username and password authentication.
  3. Configure a user with a management role. Specify the client certificate for authentication of the user.

The following procedure describes how to configure certificate authentication:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Admin tab and expand the Admin Authentication Options accordion.
  2. Under WebUI Authentication, set Client Certificate to Enabled. You can select Username/Password as well; in this case, the user is prompted to manually enter the username and password only if the client certificate is invalid.
  3. Select the Server Certificate to be used for this service.

By default, the default-self-signed certificate is used as the server certificate. For more details on default-self-signed certificate, see Managing Certificates.

  1. Click Submit.
  2. Click Pending Changes.
  3. In the Pending Changes window, select the check box and click Deploy changes.
  4. To configure the management user, navigate to the Configuration > System > Admin tab and expand the Management User accordion.
    1. Select Enable Local Authentication as needed.
    2. Click Show users with certificate authentication and click +.
    3. Select WebUI.
    4. Enter the username.
    5. Select the user role assigned to the user upon validation of the client certificate.
      Starting from ArubaOS 8.1.0.0, a new management role, standard role, is supported. This role has root privileges but cannot make changes to the management users.
    6. Enter the serial number for the client certificate.
    7. Select the name of the CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. that issued the client certificate.
    8. Click Submit.
    9. Click Pending Changes.
    10. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI Command-Line Interface. A console interface with a command line shell that allows users to execute text input as commands and convert these commands to appropriate functions. commands configure certificate authentication:

(host) [md] (config) #web-server profile

(host) [md] (Web Server Configuration) #mgmt-auth certificate

(host) [md] (Web Server Configuration) #switch-cert <certificate>

(host) [md] (Web Server Configuration) #!

(host) [md] (config) #mgmt-user webui-cacert <certificate-name> serial <number> <username> <rolename>