2011ArubaNetworksInc.
comodo 时间:2021-01-12 阅读:()
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SupportAdvisory:ArubaOSDefaultCertificateExpirationIssuedFebruary14,2011UpdatedApril8,2011Thisdocument,includingtheinformationitcontainsandtheprogramsmadeavailablethroughthelinksthatitincludes,isprovidedtoyouonan"asis"basis.
ARUBAANDITSSUPPLIERSDONOTWARRANTTHATSUCHINFORMATIONORTHEFUNCTIONSCONTAINEDINSUCHPROGRAMSWILLMEETYOURREQUIREMENTSORTHATTHEOPERATIONOFTHEPROGRAMSWILLBEUNINTERRUPTEDORERROR-FREE.
THEINFORMATIONANDPROGRAMSAREPROVIDEDTOYOUWITHNOWARRANTYOFANYKIND,EXPRESSORIMPLIED,INCLUDINGWITHOUTLIMITATION,ANYIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.
INNOEVENTWILLARUBA,ITSSUPPLIERS,ORANYONEELSEWHOHASBEENINVOLVEDINTHECREATION,PRODUCTION,ORDELIVERYOFTHEINFORMATIONORPROGRAMSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTALORCONSEQUENTIALDAMAGES,INCLUDINGWITHOUTLIMITATION,LOSTPROFITSORLOSTDATA,THATMAYARISEOUTOFYOURUSEOFORFAILURETOUSETHEINFORMATIONORPROGRAMS,EVENIFARUBAORSUCHOTHERENTITIESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
THEFOREGOINGSHALLNOTBEDEEMEDTOPRECLUDEANYLIABILITYWHICH,UNDERAPPLICABLEPRODUCTSLIABILITYLAW,CANNOTBEPRECLUDEDBYCONTRACT.
ThisdocumentisbeingprovidedtoyoupursuanttotheprovisionsofyourapplicablesoftwarelicenseagreementwithAruba,andtheinformationandprogramsmaybeusedonlypursuanttothetermsandconditionsofsuchagreement.
ThisArubaSecurityAdvisorconstitutesArubaProprietaryInformationandshouldnotbedisseminated,forwardedordisclosed.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SummaryOnJune29,2011thedefaultSSL/TLScertificate"securelogin.
arubanetworks.
com"thatisinstalledonallArubacontrollerswillexpire.
Whilethisdefaultcertificatewasneverintendedforproductionuse,Arubaisawarethatanumberofcustomersareusingthiscertificateinproductionnetworks.
Thesecustomerswillneedtoreplacethecertificate.
Affectedcustomershavetwooptions:1.
Replacethedefaultcertificatewithacertificateissuedbyaninternalcertificateauthorityorapubliccertificateauthority.
Thisoptionisrecommendedandprovidesthegreatestsecurity.
2.
UpgradetheArubaOSimagetoaversionnumberequaltoorgreaterthan3.
3.
3.
10,3.
4.
4.
2,5.
0.
3.
2,6.
0.
1.
1,or6.
1.
0.
0.
Thesesoftwareimagescontainanewdefaultcertificatethatwillreplacetheexpiringcertificate.
Thisoptiondoesnotprovidegoodsecurity,sinceallArubacustomershaveaccesstothesamecertificateandimpersonationattacksarepossible.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
BackgroundTheArubaOSoperatingsystemloadedonallArubaMobilityControllerscontainsapre-loadeddigitalcertificatewiththename"securelogin.
arubanetworks.
com".
Thiscertificatewasissuedbyapubliccertificateauthority(CA)thatistrustedbymostbrowsersandoperatingsystems.
Bydefaultthecertificateisusedforthecontroller'smanagementinterface(WebUI),captiveportal,andEAPtermination.
Thiscertificateisintendedforquicklysettinguplabnetworks,demonstrations,andproof-of-conceptdeployments.
Asstatedintheuserguide,thedefaultcertificateisnotintendedforproductiondeployment,sinceeveryArubacontrollercontainsthesamecertificateandthisenablesimpersonationattacks.
Thefollowingtextsummarizestherisks:CaptivePortal:Anattackerimpersonatingacaptiveportalloginscreenmaybeabletoobtaintheusernameandpasswordofauthorizedusersonthesystem.
Ifcaptiveportalisusedonlyforguestaccess,thismaynotbedeemedaserioussecurityrisk.
Ifcaptiveportalisusedtoauthenticateinternalusers,thisattackcouldcausemoreseriousdamage.
AdministrativeWebUI:Tocarryoutanimpersonationattackagainstthecontroller'sadministrativeWebUI,theattackerwouldneedtointercepttrafficbetweenasystemadministrator'scomputerandthecontroller.
Thiswouldtypicallyrequireaninsiderattack,assumingadministrativeaccessisblockedfrompublicnetworks.
Theriskisseriousinthiscase,sinceasuccessfulattackwouldallowanunauthorizedpersontoobtainadministrativecredentialsfortheArubacontroller.
TheWebUIcertificateshouldalwaysbereplaced,evenifwithaself-signedcertificatethateachsystemadministratormustexplicitlytrust.
802.
1XEAPTermination:Thisistheriskiestuseofthedefaultcertificate,becauseanimpersonationattackmaybecarriedoutoverawirelessnetwork,andasuccessfulattackmayrevealusernamesandpasswordhashes(providingmaterialforanofflinepasswordcrackingattempt)orallowtheattackertogetauserconnectedtoahostilenetworkwhiletheuserthinksheorsheisconnectedtoatrustednetwork.
Thedefaultcertificateshouldneverbeusedfor802.
1X.
Arubaisawarethatsomecustomersdousethedefaultcertificateinproduction,typicallyforsecuringthecaptiveportalloginscreeninguestnetworkswhereensuringtheidentityofthecontrollerisnotanimportantsecurityconsideration.
Thedefaultcertificatewasvalidforfiveyears,andwillexpireonJune29,2011.
Ifthenetworkadministratordoesnotreplacethecertificate,thefollowingwilloccur:1.
UsersconnectingtocaptiveportalorWebUIpageswillreceiveabrowserwarningshowingthattheservercertificatehasexpired.
Usersmaybypassthewarning(withvaryingdegreesofdifficultydependingonthebrowser)andcontinueontousethesystemnormally.
2.
IfEAPterminationhasbeenenabledfor802.
1X,andthedefaultcertificateisbeingusedastheservercertificate,manyclientoperatingsystemswillrefusetocontinuetheauthenticationprocess.
Thiswillresultinanapparentnetworkoutagefortheseusers.
Clientoperatingsystemsmayormaynotdisplayawarningmessagetotheuser.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Thisdocumentoutlinestheproceduresneededtoupdatethedefaultcertificate,inorderofpreference:Option1:InstallauniqueservercertificateOption2:UpgradeArubaOS2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option1:InstallaUniqueServerCertificateThisistherecommendedapproachsinceitprovidesthebestsecurity.
Inthisapproach,thedefaultcertificatewillremainonthecontroller,butyouwillloadoneormorenewcertificatesandthenconfigurethesystemtousethenewcertificate(s).
Ifyourorganizationoperatesaninternalcertificateauthority(CA)andallclientsthatwillusethesystemalreadytrusttheinternalCA,youmayusetheinternalCAtoissueanewcertificatetothecontroller.
Thisoptionisrecommendedfor802.
1XEAPterminationandWebUIadministrativeaccesstothecontroller.
Itcanalsobeusedforcaptiveportalaslongasthegeneralpublicwillnotbeaccessingthesystem(sincetheinternalCAwillnotbetrusted,thegeneralpublicwouldreceivebrowserwarnings.
)Ifpresentingacaptiveportalpagetocomputersownedbythegeneralpublic,acertificateissuedbyapublicCA(VeriSign,GeoTrust,Comodo,etc.
)shouldbeusedsothatbrowserwarningsarenotgenerated.
YoumaychoosetouseacertificateissuedbyapublicCAforWebUIadministrativeaccesstothecontrollerandfor802.
1XEAPterminationaswell,butuseofapublicCAinsteadofaninternalCAprovidesnobenefitinthosecases.
Beforerequestingacertificate,decidewhetheryouneeda1024-bitkey,2048-bitkey,or4096-bitkey.
NotethatmanypublicCAsnolongerissuecertificateswith1024-bitkeys.
IfyouarerunningArubaOS6.
1orgreater,youmayuseacertificatewitha2048-bitkeyforanypurpose.
Youmayuseacertificatewitha4096-bitkeyonlyforcaptiveportalandWebUI.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Tomaximizecompatibility,alwaysuseRSAunlessyouhaveaspecificreasontouseECC.
Ifyouarerunninganyreleasepriorto6.
1,youmayuseacertificatewitha2048-bitor4096-bitkeyonlyforcaptiveportalandWebUI.
802.
1XEAPterminationsupportsonly1024-bitkeys.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Thefollowinginstructionsshouldbefollowedtoobtainandinstallaservercertificate.
1.
GenerateaCertificateSigningRequest(CSR)fromthecontrollerbynavigatingtoConfigurationManagementCertificatesCSR.
Filloutthenecessaryfields.
Afterclicking"GenerateNew",thecontrollerwillgenerateaprivatekey,whichremainslockedinsidethecontroller,andabase64-encodedCSR.
TheCSRcontainsallthedetailsneededforyourCAtoissuethecertificate.
TheCommonName(CN)fieldshouldcontainthefullURLthatwebbrowserswillnavigatetoinordertoreachthecontroller'sembeddedwebserver.
TakecaretofillouttheCommonNamefieldcorrectlyaccordingtothepurposeofthecertificate:a.
Forcaptiveportal,thesystemwillautomaticallyissueHTTPredirectsandspoofDNSresponsestothecaptiveportalclientsothatthebrowserappearstobeconnectingtothecorrectDNSnamethatmatchesthecertificatecommonname.
Thisistoensurethatbrowserwarningsarenotgenerated.
Ifthecertificateisonlybeingusedforcaptiveportal,thenameintheCNfieldisunimportant–butmakesureitfallswithin2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
yourdomainnamesothatapublicCAwillcorrectlyauthorizeownershipofthecertificate.
b.
ForWebUI,theCNfieldshouldmatchtheaddressyouusetomanagethecontroller.
ThiscanbeanIPaddressoraFullyQualifiedDomainName(FQDN).
c.
For802.
1XEAPTermination,theCNfieldisnotmatchedbytheclientagainstanyotherparameter.
ItissuggestedthatyouchooseaFQDNthatisownedbyyourorganization.
2.
Clickon"ViewCurrent".
Copythebase64textshown,andpastethisintothecertificaterequestwindowprovidedbyyourcertificateauthority.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
3.
Onceyouhaveobtainedthecertificate,navigatetoConfigurationManagementCertificatesUploadanduploadthecertificatetothecontroller.
ThecertificatewillmostlikelybeprovidedtoyouinPEMorDERformat–ifyouarenotsurewhichformatitisin,tryPEMfirstandifanerrormessageresults,tryDER.
APEMformatcertificatewillbebase64-encodedandwillbeginwiththetext"-----BEGINCERTIFICATE-----".
4.
Ifyouwanttousethenewcertificateforcaptiveportal,navigatetoConfigurationManagementGeneralandchangetheCaptivePortalServerCertificate.
IfyouwanttousethenewcertificateforWebUI,configurationisfoundonthesamescreenunder"WebUIManagementAuthenticationMethod".
5.
IfyouwanttousethenewcertificateforEAPTermination,navigatetoConfigurationSecurityAuthenticationL2Authentication802.
1XAuthentication2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
ProfileAdvancedandchangetheservercertificateforallactive802.
1XauthenticationprofilesthatuseEAPTermination.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option2:UpgradeArubaOSArubahasobtainedanewcertificatelabeled"securelogin.
arubanetworks.
com"fromapublicCAthatreplacestheolddefaultcertificate.
ThenewcertificatehasanexpirationdateofNovember21,2013.
ThiscertificateisincludedaspartofthefollowingArubaOSsoftwarereleases:6.
1beginningwithrelease6.
1.
0.
06.
0beginningwithrelease6.
0.
1.
15.
0beginningwithrelease5.
0.
3.
23.
4beginningwithrelease3.
4.
4.
23.
3beginningwithrelease3.
3.
3.
10AllotherArubaOSreleasesdatedlaterthanJune1,2011Afterupgradingtooneoftheabovelistedreleases,nofurtheractionisrequiredtoenablethecertificate.
Ifthesystemwaspreviouslyconfiguredtousethedefaultcertificate,itwillautomaticallyusethenewlyupdatedcertificate.
Whilethisoptionprovidesthesamelevelofsecuritygivenbythepreviousdefaultcertificate,itisnotagoodoptionwhereanysecurityrequirementsexist.
SSL/TLSsecurityisprovidedbythecertificate'sprivatekeybeingkeptsecret.
Ifthecertificate'sprivatekeybecomesknown,itispossibleforanattackertoimpersonateanyserverorwebsiteusingthatcertificatewithouttheknowledgeoftheenduser.
BecausethesamecertificateandprivatekeyareinstalledonallArubacontrollers,anattackerneedonlyreverseengineerasinglesoftwareimagetoobtaintheprivatekey.
Whilethisprocessisnon-trivial,itiscertainlynotbeyondthemeansofaskilledanddeterminedattacker.
ItisalsopossibleforanattackertosimplypurchaseanduseanArubacontrollerforthepurposeofconductinganimpersonationattack.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
FAQQ:WhathappensifIhaveconfigured802.
1Xdevicesinmynetworktoonlytrustthe"securelogin.
arubanetworks.
com"certificate,ortoonlytrusttheEquifaxSecureCertificateAuthorityA:Thesedeviceswillneedtobereconfiguredafterinstallationofanewcertificate.
IftheseareWindowsdevices,UNCHECK"Connecttotheseservers"andUNCHECK"EquifaxSecureCertificateAuthority"intheTrustedRootCertificationAuthorities.
Afterconnectingtothecontrollerwiththenewcertificateinstalled,Windowswillupdatethesesettingsbypromptingtheuser.
Q:IsthecertificatebuiltintotheTPMchipaffectedbythisadvisoryA:No.
AllArubacontrollersthatcontainaTrustedPlatformModule(TPM),includingtheM3,3000series,and600series,containacertificateuniquetothecontrollerthathasbeenprogrammedatthefactory.
Thiscertificateisnotexpiringandisnotaffectedbythisadvisory.
ThiscertificateisusedforMaster-Localauthentication,ControlPlaneSecurity(CPsec),andRAPauthentication.
ItisnotsuitableforuseasanSSLcertificatesinceitwasissuedbyAruba'smanufacturingCA,whichisnottrustedbybrowsers.
Q:WhatcertificateauthoritywasusedtogeneratethenewcertificateWhatchainsdoesitcontain2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
A:ThenewcertificatewasissuedbyPositiveSSL,andultimatelychainsbackuptoUSERTrust,whichisissuedbyAddTrustExternalCARoot.
DevicesconnectingtothenetworkmusthaveUSERTrustinstalledasatrustedrootCAinorderfortheArubafactorydefaultcertificatetobetrusted.
UnderaWindowssystem,thecertificatechainappearsas
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SupportAdvisory:ArubaOSDefaultCertificateExpirationIssuedFebruary14,2011UpdatedApril8,2011Thisdocument,includingtheinformationitcontainsandtheprogramsmadeavailablethroughthelinksthatitincludes,isprovidedtoyouonan"asis"basis.
ARUBAANDITSSUPPLIERSDONOTWARRANTTHATSUCHINFORMATIONORTHEFUNCTIONSCONTAINEDINSUCHPROGRAMSWILLMEETYOURREQUIREMENTSORTHATTHEOPERATIONOFTHEPROGRAMSWILLBEUNINTERRUPTEDORERROR-FREE.
THEINFORMATIONANDPROGRAMSAREPROVIDEDTOYOUWITHNOWARRANTYOFANYKIND,EXPRESSORIMPLIED,INCLUDINGWITHOUTLIMITATION,ANYIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.
INNOEVENTWILLARUBA,ITSSUPPLIERS,ORANYONEELSEWHOHASBEENINVOLVEDINTHECREATION,PRODUCTION,ORDELIVERYOFTHEINFORMATIONORPROGRAMSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTALORCONSEQUENTIALDAMAGES,INCLUDINGWITHOUTLIMITATION,LOSTPROFITSORLOSTDATA,THATMAYARISEOUTOFYOURUSEOFORFAILURETOUSETHEINFORMATIONORPROGRAMS,EVENIFARUBAORSUCHOTHERENTITIESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
THEFOREGOINGSHALLNOTBEDEEMEDTOPRECLUDEANYLIABILITYWHICH,UNDERAPPLICABLEPRODUCTSLIABILITYLAW,CANNOTBEPRECLUDEDBYCONTRACT.
ThisdocumentisbeingprovidedtoyoupursuanttotheprovisionsofyourapplicablesoftwarelicenseagreementwithAruba,andtheinformationandprogramsmaybeusedonlypursuanttothetermsandconditionsofsuchagreement.
ThisArubaSecurityAdvisorconstitutesArubaProprietaryInformationandshouldnotbedisseminated,forwardedordisclosed.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SummaryOnJune29,2011thedefaultSSL/TLScertificate"securelogin.
arubanetworks.
com"thatisinstalledonallArubacontrollerswillexpire.
Whilethisdefaultcertificatewasneverintendedforproductionuse,Arubaisawarethatanumberofcustomersareusingthiscertificateinproductionnetworks.
Thesecustomerswillneedtoreplacethecertificate.
Affectedcustomershavetwooptions:1.
Replacethedefaultcertificatewithacertificateissuedbyaninternalcertificateauthorityorapubliccertificateauthority.
Thisoptionisrecommendedandprovidesthegreatestsecurity.
2.
UpgradetheArubaOSimagetoaversionnumberequaltoorgreaterthan3.
3.
3.
10,3.
4.
4.
2,5.
0.
3.
2,6.
0.
1.
1,or6.
1.
0.
0.
Thesesoftwareimagescontainanewdefaultcertificatethatwillreplacetheexpiringcertificate.
Thisoptiondoesnotprovidegoodsecurity,sinceallArubacustomershaveaccesstothesamecertificateandimpersonationattacksarepossible.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
BackgroundTheArubaOSoperatingsystemloadedonallArubaMobilityControllerscontainsapre-loadeddigitalcertificatewiththename"securelogin.
arubanetworks.
com".
Thiscertificatewasissuedbyapubliccertificateauthority(CA)thatistrustedbymostbrowsersandoperatingsystems.
Bydefaultthecertificateisusedforthecontroller'smanagementinterface(WebUI),captiveportal,andEAPtermination.
Thiscertificateisintendedforquicklysettinguplabnetworks,demonstrations,andproof-of-conceptdeployments.
Asstatedintheuserguide,thedefaultcertificateisnotintendedforproductiondeployment,sinceeveryArubacontrollercontainsthesamecertificateandthisenablesimpersonationattacks.
Thefollowingtextsummarizestherisks:CaptivePortal:Anattackerimpersonatingacaptiveportalloginscreenmaybeabletoobtaintheusernameandpasswordofauthorizedusersonthesystem.
Ifcaptiveportalisusedonlyforguestaccess,thismaynotbedeemedaserioussecurityrisk.
Ifcaptiveportalisusedtoauthenticateinternalusers,thisattackcouldcausemoreseriousdamage.
AdministrativeWebUI:Tocarryoutanimpersonationattackagainstthecontroller'sadministrativeWebUI,theattackerwouldneedtointercepttrafficbetweenasystemadministrator'scomputerandthecontroller.
Thiswouldtypicallyrequireaninsiderattack,assumingadministrativeaccessisblockedfrompublicnetworks.
Theriskisseriousinthiscase,sinceasuccessfulattackwouldallowanunauthorizedpersontoobtainadministrativecredentialsfortheArubacontroller.
TheWebUIcertificateshouldalwaysbereplaced,evenifwithaself-signedcertificatethateachsystemadministratormustexplicitlytrust.
802.
1XEAPTermination:Thisistheriskiestuseofthedefaultcertificate,becauseanimpersonationattackmaybecarriedoutoverawirelessnetwork,andasuccessfulattackmayrevealusernamesandpasswordhashes(providingmaterialforanofflinepasswordcrackingattempt)orallowtheattackertogetauserconnectedtoahostilenetworkwhiletheuserthinksheorsheisconnectedtoatrustednetwork.
Thedefaultcertificateshouldneverbeusedfor802.
1X.
Arubaisawarethatsomecustomersdousethedefaultcertificateinproduction,typicallyforsecuringthecaptiveportalloginscreeninguestnetworkswhereensuringtheidentityofthecontrollerisnotanimportantsecurityconsideration.
Thedefaultcertificatewasvalidforfiveyears,andwillexpireonJune29,2011.
Ifthenetworkadministratordoesnotreplacethecertificate,thefollowingwilloccur:1.
UsersconnectingtocaptiveportalorWebUIpageswillreceiveabrowserwarningshowingthattheservercertificatehasexpired.
Usersmaybypassthewarning(withvaryingdegreesofdifficultydependingonthebrowser)andcontinueontousethesystemnormally.
2.
IfEAPterminationhasbeenenabledfor802.
1X,andthedefaultcertificateisbeingusedastheservercertificate,manyclientoperatingsystemswillrefusetocontinuetheauthenticationprocess.
Thiswillresultinanapparentnetworkoutagefortheseusers.
Clientoperatingsystemsmayormaynotdisplayawarningmessagetotheuser.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Thisdocumentoutlinestheproceduresneededtoupdatethedefaultcertificate,inorderofpreference:Option1:InstallauniqueservercertificateOption2:UpgradeArubaOS2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option1:InstallaUniqueServerCertificateThisistherecommendedapproachsinceitprovidesthebestsecurity.
Inthisapproach,thedefaultcertificatewillremainonthecontroller,butyouwillloadoneormorenewcertificatesandthenconfigurethesystemtousethenewcertificate(s).
Ifyourorganizationoperatesaninternalcertificateauthority(CA)andallclientsthatwillusethesystemalreadytrusttheinternalCA,youmayusetheinternalCAtoissueanewcertificatetothecontroller.
Thisoptionisrecommendedfor802.
1XEAPterminationandWebUIadministrativeaccesstothecontroller.
Itcanalsobeusedforcaptiveportalaslongasthegeneralpublicwillnotbeaccessingthesystem(sincetheinternalCAwillnotbetrusted,thegeneralpublicwouldreceivebrowserwarnings.
)Ifpresentingacaptiveportalpagetocomputersownedbythegeneralpublic,acertificateissuedbyapublicCA(VeriSign,GeoTrust,Comodo,etc.
)shouldbeusedsothatbrowserwarningsarenotgenerated.
YoumaychoosetouseacertificateissuedbyapublicCAforWebUIadministrativeaccesstothecontrollerandfor802.
1XEAPterminationaswell,butuseofapublicCAinsteadofaninternalCAprovidesnobenefitinthosecases.
Beforerequestingacertificate,decidewhetheryouneeda1024-bitkey,2048-bitkey,or4096-bitkey.
NotethatmanypublicCAsnolongerissuecertificateswith1024-bitkeys.
IfyouarerunningArubaOS6.
1orgreater,youmayuseacertificatewitha2048-bitkeyforanypurpose.
Youmayuseacertificatewitha4096-bitkeyonlyforcaptiveportalandWebUI.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Tomaximizecompatibility,alwaysuseRSAunlessyouhaveaspecificreasontouseECC.
Ifyouarerunninganyreleasepriorto6.
1,youmayuseacertificatewitha2048-bitor4096-bitkeyonlyforcaptiveportalandWebUI.
802.
1XEAPterminationsupportsonly1024-bitkeys.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Thefollowinginstructionsshouldbefollowedtoobtainandinstallaservercertificate.
1.
GenerateaCertificateSigningRequest(CSR)fromthecontrollerbynavigatingtoConfigurationManagementCertificatesCSR.
Filloutthenecessaryfields.
Afterclicking"GenerateNew",thecontrollerwillgenerateaprivatekey,whichremainslockedinsidethecontroller,andabase64-encodedCSR.
TheCSRcontainsallthedetailsneededforyourCAtoissuethecertificate.
TheCommonName(CN)fieldshouldcontainthefullURLthatwebbrowserswillnavigatetoinordertoreachthecontroller'sembeddedwebserver.
TakecaretofillouttheCommonNamefieldcorrectlyaccordingtothepurposeofthecertificate:a.
Forcaptiveportal,thesystemwillautomaticallyissueHTTPredirectsandspoofDNSresponsestothecaptiveportalclientsothatthebrowserappearstobeconnectingtothecorrectDNSnamethatmatchesthecertificatecommonname.
Thisistoensurethatbrowserwarningsarenotgenerated.
Ifthecertificateisonlybeingusedforcaptiveportal,thenameintheCNfieldisunimportant–butmakesureitfallswithin2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
yourdomainnamesothatapublicCAwillcorrectlyauthorizeownershipofthecertificate.
b.
ForWebUI,theCNfieldshouldmatchtheaddressyouusetomanagethecontroller.
ThiscanbeanIPaddressoraFullyQualifiedDomainName(FQDN).
c.
For802.
1XEAPTermination,theCNfieldisnotmatchedbytheclientagainstanyotherparameter.
ItissuggestedthatyouchooseaFQDNthatisownedbyyourorganization.
2.
Clickon"ViewCurrent".
Copythebase64textshown,andpastethisintothecertificaterequestwindowprovidedbyyourcertificateauthority.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
3.
Onceyouhaveobtainedthecertificate,navigatetoConfigurationManagementCertificatesUploadanduploadthecertificatetothecontroller.
ThecertificatewillmostlikelybeprovidedtoyouinPEMorDERformat–ifyouarenotsurewhichformatitisin,tryPEMfirstandifanerrormessageresults,tryDER.
APEMformatcertificatewillbebase64-encodedandwillbeginwiththetext"-----BEGINCERTIFICATE-----".
4.
Ifyouwanttousethenewcertificateforcaptiveportal,navigatetoConfigurationManagementGeneralandchangetheCaptivePortalServerCertificate.
IfyouwanttousethenewcertificateforWebUI,configurationisfoundonthesamescreenunder"WebUIManagementAuthenticationMethod".
5.
IfyouwanttousethenewcertificateforEAPTermination,navigatetoConfigurationSecurityAuthenticationL2Authentication802.
1XAuthentication2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
ProfileAdvancedandchangetheservercertificateforallactive802.
1XauthenticationprofilesthatuseEAPTermination.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option2:UpgradeArubaOSArubahasobtainedanewcertificatelabeled"securelogin.
arubanetworks.
com"fromapublicCAthatreplacestheolddefaultcertificate.
ThenewcertificatehasanexpirationdateofNovember21,2013.
ThiscertificateisincludedaspartofthefollowingArubaOSsoftwarereleases:6.
1beginningwithrelease6.
1.
0.
06.
0beginningwithrelease6.
0.
1.
15.
0beginningwithrelease5.
0.
3.
23.
4beginningwithrelease3.
4.
4.
23.
3beginningwithrelease3.
3.
3.
10AllotherArubaOSreleasesdatedlaterthanJune1,2011Afterupgradingtooneoftheabovelistedreleases,nofurtheractionisrequiredtoenablethecertificate.
Ifthesystemwaspreviouslyconfiguredtousethedefaultcertificate,itwillautomaticallyusethenewlyupdatedcertificate.
Whilethisoptionprovidesthesamelevelofsecuritygivenbythepreviousdefaultcertificate,itisnotagoodoptionwhereanysecurityrequirementsexist.
SSL/TLSsecurityisprovidedbythecertificate'sprivatekeybeingkeptsecret.
Ifthecertificate'sprivatekeybecomesknown,itispossibleforanattackertoimpersonateanyserverorwebsiteusingthatcertificatewithouttheknowledgeoftheenduser.
BecausethesamecertificateandprivatekeyareinstalledonallArubacontrollers,anattackerneedonlyreverseengineerasinglesoftwareimagetoobtaintheprivatekey.
Whilethisprocessisnon-trivial,itiscertainlynotbeyondthemeansofaskilledanddeterminedattacker.
ItisalsopossibleforanattackertosimplypurchaseanduseanArubacontrollerforthepurposeofconductinganimpersonationattack.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
FAQQ:WhathappensifIhaveconfigured802.
1Xdevicesinmynetworktoonlytrustthe"securelogin.
arubanetworks.
com"certificate,ortoonlytrusttheEquifaxSecureCertificateAuthorityA:Thesedeviceswillneedtobereconfiguredafterinstallationofanewcertificate.
IftheseareWindowsdevices,UNCHECK"Connecttotheseservers"andUNCHECK"EquifaxSecureCertificateAuthority"intheTrustedRootCertificationAuthorities.
Afterconnectingtothecontrollerwiththenewcertificateinstalled,Windowswillupdatethesesettingsbypromptingtheuser.
Q:IsthecertificatebuiltintotheTPMchipaffectedbythisadvisoryA:No.
AllArubacontrollersthatcontainaTrustedPlatformModule(TPM),includingtheM3,3000series,and600series,containacertificateuniquetothecontrollerthathasbeenprogrammedatthefactory.
Thiscertificateisnotexpiringandisnotaffectedbythisadvisory.
ThiscertificateisusedforMaster-Localauthentication,ControlPlaneSecurity(CPsec),andRAPauthentication.
ItisnotsuitableforuseasanSSLcertificatesinceitwasissuedbyAruba'smanufacturingCA,whichisnottrustedbybrowsers.
Q:WhatcertificateauthoritywasusedtogeneratethenewcertificateWhatchainsdoesitcontain2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
A:ThenewcertificatewasissuedbyPositiveSSL,andultimatelychainsbackuptoUSERTrust,whichisissuedbyAddTrustExternalCARoot.
DevicesconnectingtothenetworkmusthaveUSERTrustinstalledasatrustedrootCAinorderfortheArubafactorydefaultcertificatetobetrusted.
UnderaWindowssystem,thecertificatechainappearsas
- 2011ArubaNetworksInc.相关文档
- cmdmcomodo
- WayBillcomodo
- impactcomodo
- VarParseNumFromStrcomodo
- 丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂comodo
- Europeacomodo
水墨云历史黑名单IDC,斟酌选购
水墨云怎么样?本站黑名单idc,有被删除账号风险,建议转出及数据备份!水墨云ink cloud Service是成立于2017年的商家,自2020起开始从事香港、日本、韩国、美国等地区CN2 GIA线路的虚拟服务器租赁,同时还有台湾、国内nat vps相关业务,也有iplc专线产品,相对来说主打的是大带宽服务器产品。注意:本站黑名单IDC,有被删除账号风险,请尽量避免,如果已经购买建议转出及数据备...
简单测评v5.net的美国cn2云服务器:电信双程cn2+联通AS9929+移动直连
v5.net一直做独立服务器这块儿的,自从推出云服务器(VPS)以来站长一直还没有关注过,在网友的提醒下弄了个6G内存、2核、100G SSD的美国云服务器来写测评,主机测评给大家趟雷,让你知道v5.net的美国云服务器效果怎么样。本次测评数据仅供参考,有兴趣的还是亲自测试吧! 官方网站:https://v5.net/cloud.html 从显示来看CPU是e5-2660(2.2GHz主频),...
JustHost:俄罗斯/新西伯利亚vps,512MB内存/5GB空间/不限流量/200Mbps/KVM/自由更换IP,$1.57/月
justhost怎么样?justhost是一家俄罗斯主机商,2006年成立,提供各种主机服务,vps基于kvm,有HDD和SSD硬盘两种,特色是200Mbps不限流量(之前是100Mbps,现在升级为200Mbps)。下面是HDD硬盘的KVM VPS,性价比最高,此外还有SSD硬盘的KVM VPS,价格略高。支持Paypal付款。国内建议选择新西伯利亚或者莫斯科DataLine。支持Paypal付...
comodo为你推荐
-
域名价格域名怎么评估价钱?美国主机空间美国主机空间不限制内容吗中国互联网域名注册中国互联网域名注册怎么操作免费云主机免费云主机哪家好?vps主机云主机和VPS主机之间有什么区别英文域名求好听的个性英语域名?查询ip怎样查别人的ip地址?虚拟空间哪个好虚拟主机哪家的最好?网站空间免备案免备案网站空间哪个好重庆网站空间重庆建网站选择哪家比较好,还有域名空间等,