2011ArubaNetworksInc.
comodo 时间:2021-01-12 阅读:()
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SupportAdvisory:ArubaOSDefaultCertificateExpirationIssuedFebruary14,2011UpdatedApril8,2011Thisdocument,includingtheinformationitcontainsandtheprogramsmadeavailablethroughthelinksthatitincludes,isprovidedtoyouonan"asis"basis.
ARUBAANDITSSUPPLIERSDONOTWARRANTTHATSUCHINFORMATIONORTHEFUNCTIONSCONTAINEDINSUCHPROGRAMSWILLMEETYOURREQUIREMENTSORTHATTHEOPERATIONOFTHEPROGRAMSWILLBEUNINTERRUPTEDORERROR-FREE.
THEINFORMATIONANDPROGRAMSAREPROVIDEDTOYOUWITHNOWARRANTYOFANYKIND,EXPRESSORIMPLIED,INCLUDINGWITHOUTLIMITATION,ANYIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.
INNOEVENTWILLARUBA,ITSSUPPLIERS,ORANYONEELSEWHOHASBEENINVOLVEDINTHECREATION,PRODUCTION,ORDELIVERYOFTHEINFORMATIONORPROGRAMSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTALORCONSEQUENTIALDAMAGES,INCLUDINGWITHOUTLIMITATION,LOSTPROFITSORLOSTDATA,THATMAYARISEOUTOFYOURUSEOFORFAILURETOUSETHEINFORMATIONORPROGRAMS,EVENIFARUBAORSUCHOTHERENTITIESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
THEFOREGOINGSHALLNOTBEDEEMEDTOPRECLUDEANYLIABILITYWHICH,UNDERAPPLICABLEPRODUCTSLIABILITYLAW,CANNOTBEPRECLUDEDBYCONTRACT.
ThisdocumentisbeingprovidedtoyoupursuanttotheprovisionsofyourapplicablesoftwarelicenseagreementwithAruba,andtheinformationandprogramsmaybeusedonlypursuanttothetermsandconditionsofsuchagreement.
ThisArubaSecurityAdvisorconstitutesArubaProprietaryInformationandshouldnotbedisseminated,forwardedordisclosed.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SummaryOnJune29,2011thedefaultSSL/TLScertificate"securelogin.
arubanetworks.
com"thatisinstalledonallArubacontrollerswillexpire.
Whilethisdefaultcertificatewasneverintendedforproductionuse,Arubaisawarethatanumberofcustomersareusingthiscertificateinproductionnetworks.
Thesecustomerswillneedtoreplacethecertificate.
Affectedcustomershavetwooptions:1.
Replacethedefaultcertificatewithacertificateissuedbyaninternalcertificateauthorityorapubliccertificateauthority.
Thisoptionisrecommendedandprovidesthegreatestsecurity.
2.
UpgradetheArubaOSimagetoaversionnumberequaltoorgreaterthan3.
3.
3.
10,3.
4.
4.
2,5.
0.
3.
2,6.
0.
1.
1,or6.
1.
0.
0.
Thesesoftwareimagescontainanewdefaultcertificatethatwillreplacetheexpiringcertificate.
Thisoptiondoesnotprovidegoodsecurity,sinceallArubacustomershaveaccesstothesamecertificateandimpersonationattacksarepossible.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
BackgroundTheArubaOSoperatingsystemloadedonallArubaMobilityControllerscontainsapre-loadeddigitalcertificatewiththename"securelogin.
arubanetworks.
com".
Thiscertificatewasissuedbyapubliccertificateauthority(CA)thatistrustedbymostbrowsersandoperatingsystems.
Bydefaultthecertificateisusedforthecontroller'smanagementinterface(WebUI),captiveportal,andEAPtermination.
Thiscertificateisintendedforquicklysettinguplabnetworks,demonstrations,andproof-of-conceptdeployments.
Asstatedintheuserguide,thedefaultcertificateisnotintendedforproductiondeployment,sinceeveryArubacontrollercontainsthesamecertificateandthisenablesimpersonationattacks.
Thefollowingtextsummarizestherisks:CaptivePortal:Anattackerimpersonatingacaptiveportalloginscreenmaybeabletoobtaintheusernameandpasswordofauthorizedusersonthesystem.
Ifcaptiveportalisusedonlyforguestaccess,thismaynotbedeemedaserioussecurityrisk.
Ifcaptiveportalisusedtoauthenticateinternalusers,thisattackcouldcausemoreseriousdamage.
AdministrativeWebUI:Tocarryoutanimpersonationattackagainstthecontroller'sadministrativeWebUI,theattackerwouldneedtointercepttrafficbetweenasystemadministrator'scomputerandthecontroller.
Thiswouldtypicallyrequireaninsiderattack,assumingadministrativeaccessisblockedfrompublicnetworks.
Theriskisseriousinthiscase,sinceasuccessfulattackwouldallowanunauthorizedpersontoobtainadministrativecredentialsfortheArubacontroller.
TheWebUIcertificateshouldalwaysbereplaced,evenifwithaself-signedcertificatethateachsystemadministratormustexplicitlytrust.
802.
1XEAPTermination:Thisistheriskiestuseofthedefaultcertificate,becauseanimpersonationattackmaybecarriedoutoverawirelessnetwork,andasuccessfulattackmayrevealusernamesandpasswordhashes(providingmaterialforanofflinepasswordcrackingattempt)orallowtheattackertogetauserconnectedtoahostilenetworkwhiletheuserthinksheorsheisconnectedtoatrustednetwork.
Thedefaultcertificateshouldneverbeusedfor802.
1X.
Arubaisawarethatsomecustomersdousethedefaultcertificateinproduction,typicallyforsecuringthecaptiveportalloginscreeninguestnetworkswhereensuringtheidentityofthecontrollerisnotanimportantsecurityconsideration.
Thedefaultcertificatewasvalidforfiveyears,andwillexpireonJune29,2011.
Ifthenetworkadministratordoesnotreplacethecertificate,thefollowingwilloccur:1.
UsersconnectingtocaptiveportalorWebUIpageswillreceiveabrowserwarningshowingthattheservercertificatehasexpired.
Usersmaybypassthewarning(withvaryingdegreesofdifficultydependingonthebrowser)andcontinueontousethesystemnormally.
2.
IfEAPterminationhasbeenenabledfor802.
1X,andthedefaultcertificateisbeingusedastheservercertificate,manyclientoperatingsystemswillrefusetocontinuetheauthenticationprocess.
Thiswillresultinanapparentnetworkoutagefortheseusers.
Clientoperatingsystemsmayormaynotdisplayawarningmessagetotheuser.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Thisdocumentoutlinestheproceduresneededtoupdatethedefaultcertificate,inorderofpreference:Option1:InstallauniqueservercertificateOption2:UpgradeArubaOS2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option1:InstallaUniqueServerCertificateThisistherecommendedapproachsinceitprovidesthebestsecurity.
Inthisapproach,thedefaultcertificatewillremainonthecontroller,butyouwillloadoneormorenewcertificatesandthenconfigurethesystemtousethenewcertificate(s).
Ifyourorganizationoperatesaninternalcertificateauthority(CA)andallclientsthatwillusethesystemalreadytrusttheinternalCA,youmayusetheinternalCAtoissueanewcertificatetothecontroller.
Thisoptionisrecommendedfor802.
1XEAPterminationandWebUIadministrativeaccesstothecontroller.
Itcanalsobeusedforcaptiveportalaslongasthegeneralpublicwillnotbeaccessingthesystem(sincetheinternalCAwillnotbetrusted,thegeneralpublicwouldreceivebrowserwarnings.
)Ifpresentingacaptiveportalpagetocomputersownedbythegeneralpublic,acertificateissuedbyapublicCA(VeriSign,GeoTrust,Comodo,etc.
)shouldbeusedsothatbrowserwarningsarenotgenerated.
YoumaychoosetouseacertificateissuedbyapublicCAforWebUIadministrativeaccesstothecontrollerandfor802.
1XEAPterminationaswell,butuseofapublicCAinsteadofaninternalCAprovidesnobenefitinthosecases.
Beforerequestingacertificate,decidewhetheryouneeda1024-bitkey,2048-bitkey,or4096-bitkey.
NotethatmanypublicCAsnolongerissuecertificateswith1024-bitkeys.
IfyouarerunningArubaOS6.
1orgreater,youmayuseacertificatewitha2048-bitkeyforanypurpose.
Youmayuseacertificatewitha4096-bitkeyonlyforcaptiveportalandWebUI.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Tomaximizecompatibility,alwaysuseRSAunlessyouhaveaspecificreasontouseECC.
Ifyouarerunninganyreleasepriorto6.
1,youmayuseacertificatewitha2048-bitor4096-bitkeyonlyforcaptiveportalandWebUI.
802.
1XEAPterminationsupportsonly1024-bitkeys.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Thefollowinginstructionsshouldbefollowedtoobtainandinstallaservercertificate.
1.
GenerateaCertificateSigningRequest(CSR)fromthecontrollerbynavigatingtoConfigurationManagementCertificatesCSR.
Filloutthenecessaryfields.
Afterclicking"GenerateNew",thecontrollerwillgenerateaprivatekey,whichremainslockedinsidethecontroller,andabase64-encodedCSR.
TheCSRcontainsallthedetailsneededforyourCAtoissuethecertificate.
TheCommonName(CN)fieldshouldcontainthefullURLthatwebbrowserswillnavigatetoinordertoreachthecontroller'sembeddedwebserver.
TakecaretofillouttheCommonNamefieldcorrectlyaccordingtothepurposeofthecertificate:a.
Forcaptiveportal,thesystemwillautomaticallyissueHTTPredirectsandspoofDNSresponsestothecaptiveportalclientsothatthebrowserappearstobeconnectingtothecorrectDNSnamethatmatchesthecertificatecommonname.
Thisistoensurethatbrowserwarningsarenotgenerated.
Ifthecertificateisonlybeingusedforcaptiveportal,thenameintheCNfieldisunimportant–butmakesureitfallswithin2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
yourdomainnamesothatapublicCAwillcorrectlyauthorizeownershipofthecertificate.
b.
ForWebUI,theCNfieldshouldmatchtheaddressyouusetomanagethecontroller.
ThiscanbeanIPaddressoraFullyQualifiedDomainName(FQDN).
c.
For802.
1XEAPTermination,theCNfieldisnotmatchedbytheclientagainstanyotherparameter.
ItissuggestedthatyouchooseaFQDNthatisownedbyyourorganization.
2.
Clickon"ViewCurrent".
Copythebase64textshown,andpastethisintothecertificaterequestwindowprovidedbyyourcertificateauthority.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
3.
Onceyouhaveobtainedthecertificate,navigatetoConfigurationManagementCertificatesUploadanduploadthecertificatetothecontroller.
ThecertificatewillmostlikelybeprovidedtoyouinPEMorDERformat–ifyouarenotsurewhichformatitisin,tryPEMfirstandifanerrormessageresults,tryDER.
APEMformatcertificatewillbebase64-encodedandwillbeginwiththetext"-----BEGINCERTIFICATE-----".
4.
Ifyouwanttousethenewcertificateforcaptiveportal,navigatetoConfigurationManagementGeneralandchangetheCaptivePortalServerCertificate.
IfyouwanttousethenewcertificateforWebUI,configurationisfoundonthesamescreenunder"WebUIManagementAuthenticationMethod".
5.
IfyouwanttousethenewcertificateforEAPTermination,navigatetoConfigurationSecurityAuthenticationL2Authentication802.
1XAuthentication2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
ProfileAdvancedandchangetheservercertificateforallactive802.
1XauthenticationprofilesthatuseEAPTermination.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option2:UpgradeArubaOSArubahasobtainedanewcertificatelabeled"securelogin.
arubanetworks.
com"fromapublicCAthatreplacestheolddefaultcertificate.
ThenewcertificatehasanexpirationdateofNovember21,2013.
ThiscertificateisincludedaspartofthefollowingArubaOSsoftwarereleases:6.
1beginningwithrelease6.
1.
0.
06.
0beginningwithrelease6.
0.
1.
15.
0beginningwithrelease5.
0.
3.
23.
4beginningwithrelease3.
4.
4.
23.
3beginningwithrelease3.
3.
3.
10AllotherArubaOSreleasesdatedlaterthanJune1,2011Afterupgradingtooneoftheabovelistedreleases,nofurtheractionisrequiredtoenablethecertificate.
Ifthesystemwaspreviouslyconfiguredtousethedefaultcertificate,itwillautomaticallyusethenewlyupdatedcertificate.
Whilethisoptionprovidesthesamelevelofsecuritygivenbythepreviousdefaultcertificate,itisnotagoodoptionwhereanysecurityrequirementsexist.
SSL/TLSsecurityisprovidedbythecertificate'sprivatekeybeingkeptsecret.
Ifthecertificate'sprivatekeybecomesknown,itispossibleforanattackertoimpersonateanyserverorwebsiteusingthatcertificatewithouttheknowledgeoftheenduser.
BecausethesamecertificateandprivatekeyareinstalledonallArubacontrollers,anattackerneedonlyreverseengineerasinglesoftwareimagetoobtaintheprivatekey.
Whilethisprocessisnon-trivial,itiscertainlynotbeyondthemeansofaskilledanddeterminedattacker.
ItisalsopossibleforanattackertosimplypurchaseanduseanArubacontrollerforthepurposeofconductinganimpersonationattack.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
FAQQ:WhathappensifIhaveconfigured802.
1Xdevicesinmynetworktoonlytrustthe"securelogin.
arubanetworks.
com"certificate,ortoonlytrusttheEquifaxSecureCertificateAuthorityA:Thesedeviceswillneedtobereconfiguredafterinstallationofanewcertificate.
IftheseareWindowsdevices,UNCHECK"Connecttotheseservers"andUNCHECK"EquifaxSecureCertificateAuthority"intheTrustedRootCertificationAuthorities.
Afterconnectingtothecontrollerwiththenewcertificateinstalled,Windowswillupdatethesesettingsbypromptingtheuser.
Q:IsthecertificatebuiltintotheTPMchipaffectedbythisadvisoryA:No.
AllArubacontrollersthatcontainaTrustedPlatformModule(TPM),includingtheM3,3000series,and600series,containacertificateuniquetothecontrollerthathasbeenprogrammedatthefactory.
Thiscertificateisnotexpiringandisnotaffectedbythisadvisory.
ThiscertificateisusedforMaster-Localauthentication,ControlPlaneSecurity(CPsec),andRAPauthentication.
ItisnotsuitableforuseasanSSLcertificatesinceitwasissuedbyAruba'smanufacturingCA,whichisnottrustedbybrowsers.
Q:WhatcertificateauthoritywasusedtogeneratethenewcertificateWhatchainsdoesitcontain2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
A:ThenewcertificatewasissuedbyPositiveSSL,andultimatelychainsbackuptoUSERTrust,whichisissuedbyAddTrustExternalCARoot.
DevicesconnectingtothenetworkmusthaveUSERTrustinstalledasatrustedrootCAinorderfortheArubafactorydefaultcertificatetobetrusted.
UnderaWindowssystem,thecertificatechainappearsas
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SupportAdvisory:ArubaOSDefaultCertificateExpirationIssuedFebruary14,2011UpdatedApril8,2011Thisdocument,includingtheinformationitcontainsandtheprogramsmadeavailablethroughthelinksthatitincludes,isprovidedtoyouonan"asis"basis.
ARUBAANDITSSUPPLIERSDONOTWARRANTTHATSUCHINFORMATIONORTHEFUNCTIONSCONTAINEDINSUCHPROGRAMSWILLMEETYOURREQUIREMENTSORTHATTHEOPERATIONOFTHEPROGRAMSWILLBEUNINTERRUPTEDORERROR-FREE.
THEINFORMATIONANDPROGRAMSAREPROVIDEDTOYOUWITHNOWARRANTYOFANYKIND,EXPRESSORIMPLIED,INCLUDINGWITHOUTLIMITATION,ANYIMPLIEDWARRANTIESOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSEANDNONINFRINGEMENT.
INNOEVENTWILLARUBA,ITSSUPPLIERS,ORANYONEELSEWHOHASBEENINVOLVEDINTHECREATION,PRODUCTION,ORDELIVERYOFTHEINFORMATIONORPROGRAMSBELIABLEFORANYDIRECT,INDIRECT,INCIDENTALORCONSEQUENTIALDAMAGES,INCLUDINGWITHOUTLIMITATION,LOSTPROFITSORLOSTDATA,THATMAYARISEOUTOFYOURUSEOFORFAILURETOUSETHEINFORMATIONORPROGRAMS,EVENIFARUBAORSUCHOTHERENTITIESHAVEBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.
THEFOREGOINGSHALLNOTBEDEEMEDTOPRECLUDEANYLIABILITYWHICH,UNDERAPPLICABLEPRODUCTSLIABILITYLAW,CANNOTBEPRECLUDEDBYCONTRACT.
ThisdocumentisbeingprovidedtoyoupursuanttotheprovisionsofyourapplicablesoftwarelicenseagreementwithAruba,andtheinformationandprogramsmaybeusedonlypursuanttothetermsandconditionsofsuchagreement.
ThisArubaSecurityAdvisorconstitutesArubaProprietaryInformationandshouldnotbedisseminated,forwardedordisclosed.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
SummaryOnJune29,2011thedefaultSSL/TLScertificate"securelogin.
arubanetworks.
com"thatisinstalledonallArubacontrollerswillexpire.
Whilethisdefaultcertificatewasneverintendedforproductionuse,Arubaisawarethatanumberofcustomersareusingthiscertificateinproductionnetworks.
Thesecustomerswillneedtoreplacethecertificate.
Affectedcustomershavetwooptions:1.
Replacethedefaultcertificatewithacertificateissuedbyaninternalcertificateauthorityorapubliccertificateauthority.
Thisoptionisrecommendedandprovidesthegreatestsecurity.
2.
UpgradetheArubaOSimagetoaversionnumberequaltoorgreaterthan3.
3.
3.
10,3.
4.
4.
2,5.
0.
3.
2,6.
0.
1.
1,or6.
1.
0.
0.
Thesesoftwareimagescontainanewdefaultcertificatethatwillreplacetheexpiringcertificate.
Thisoptiondoesnotprovidegoodsecurity,sinceallArubacustomershaveaccesstothesamecertificateandimpersonationattacksarepossible.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
BackgroundTheArubaOSoperatingsystemloadedonallArubaMobilityControllerscontainsapre-loadeddigitalcertificatewiththename"securelogin.
arubanetworks.
com".
Thiscertificatewasissuedbyapubliccertificateauthority(CA)thatistrustedbymostbrowsersandoperatingsystems.
Bydefaultthecertificateisusedforthecontroller'smanagementinterface(WebUI),captiveportal,andEAPtermination.
Thiscertificateisintendedforquicklysettinguplabnetworks,demonstrations,andproof-of-conceptdeployments.
Asstatedintheuserguide,thedefaultcertificateisnotintendedforproductiondeployment,sinceeveryArubacontrollercontainsthesamecertificateandthisenablesimpersonationattacks.
Thefollowingtextsummarizestherisks:CaptivePortal:Anattackerimpersonatingacaptiveportalloginscreenmaybeabletoobtaintheusernameandpasswordofauthorizedusersonthesystem.
Ifcaptiveportalisusedonlyforguestaccess,thismaynotbedeemedaserioussecurityrisk.
Ifcaptiveportalisusedtoauthenticateinternalusers,thisattackcouldcausemoreseriousdamage.
AdministrativeWebUI:Tocarryoutanimpersonationattackagainstthecontroller'sadministrativeWebUI,theattackerwouldneedtointercepttrafficbetweenasystemadministrator'scomputerandthecontroller.
Thiswouldtypicallyrequireaninsiderattack,assumingadministrativeaccessisblockedfrompublicnetworks.
Theriskisseriousinthiscase,sinceasuccessfulattackwouldallowanunauthorizedpersontoobtainadministrativecredentialsfortheArubacontroller.
TheWebUIcertificateshouldalwaysbereplaced,evenifwithaself-signedcertificatethateachsystemadministratormustexplicitlytrust.
802.
1XEAPTermination:Thisistheriskiestuseofthedefaultcertificate,becauseanimpersonationattackmaybecarriedoutoverawirelessnetwork,andasuccessfulattackmayrevealusernamesandpasswordhashes(providingmaterialforanofflinepasswordcrackingattempt)orallowtheattackertogetauserconnectedtoahostilenetworkwhiletheuserthinksheorsheisconnectedtoatrustednetwork.
Thedefaultcertificateshouldneverbeusedfor802.
1X.
Arubaisawarethatsomecustomersdousethedefaultcertificateinproduction,typicallyforsecuringthecaptiveportalloginscreeninguestnetworkswhereensuringtheidentityofthecontrollerisnotanimportantsecurityconsideration.
Thedefaultcertificatewasvalidforfiveyears,andwillexpireonJune29,2011.
Ifthenetworkadministratordoesnotreplacethecertificate,thefollowingwilloccur:1.
UsersconnectingtocaptiveportalorWebUIpageswillreceiveabrowserwarningshowingthattheservercertificatehasexpired.
Usersmaybypassthewarning(withvaryingdegreesofdifficultydependingonthebrowser)andcontinueontousethesystemnormally.
2.
IfEAPterminationhasbeenenabledfor802.
1X,andthedefaultcertificateisbeingusedastheservercertificate,manyclientoperatingsystemswillrefusetocontinuetheauthenticationprocess.
Thiswillresultinanapparentnetworkoutagefortheseusers.
Clientoperatingsystemsmayormaynotdisplayawarningmessagetotheuser.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Thisdocumentoutlinestheproceduresneededtoupdatethedefaultcertificate,inorderofpreference:Option1:InstallauniqueservercertificateOption2:UpgradeArubaOS2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option1:InstallaUniqueServerCertificateThisistherecommendedapproachsinceitprovidesthebestsecurity.
Inthisapproach,thedefaultcertificatewillremainonthecontroller,butyouwillloadoneormorenewcertificatesandthenconfigurethesystemtousethenewcertificate(s).
Ifyourorganizationoperatesaninternalcertificateauthority(CA)andallclientsthatwillusethesystemalreadytrusttheinternalCA,youmayusetheinternalCAtoissueanewcertificatetothecontroller.
Thisoptionisrecommendedfor802.
1XEAPterminationandWebUIadministrativeaccesstothecontroller.
Itcanalsobeusedforcaptiveportalaslongasthegeneralpublicwillnotbeaccessingthesystem(sincetheinternalCAwillnotbetrusted,thegeneralpublicwouldreceivebrowserwarnings.
)Ifpresentingacaptiveportalpagetocomputersownedbythegeneralpublic,acertificateissuedbyapublicCA(VeriSign,GeoTrust,Comodo,etc.
)shouldbeusedsothatbrowserwarningsarenotgenerated.
YoumaychoosetouseacertificateissuedbyapublicCAforWebUIadministrativeaccesstothecontrollerandfor802.
1XEAPterminationaswell,butuseofapublicCAinsteadofaninternalCAprovidesnobenefitinthosecases.
Beforerequestingacertificate,decidewhetheryouneeda1024-bitkey,2048-bitkey,or4096-bitkey.
NotethatmanypublicCAsnolongerissuecertificateswith1024-bitkeys.
IfyouarerunningArubaOS6.
1orgreater,youmayuseacertificatewitha2048-bitkeyforanypurpose.
Youmayuseacertificatewitha4096-bitkeyonlyforcaptiveportalandWebUI.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Tomaximizecompatibility,alwaysuseRSAunlessyouhaveaspecificreasontouseECC.
Ifyouarerunninganyreleasepriorto6.
1,youmayuseacertificatewitha2048-bitor4096-bitkeyonlyforcaptiveportalandWebUI.
802.
1XEAPterminationsupportsonly1024-bitkeys.
ForWebUIorcaptiveportal,performanceisthegreatestwithsmallerkeysizes,butsecurityisslightlyreduced.
Thefollowinginstructionsshouldbefollowedtoobtainandinstallaservercertificate.
1.
GenerateaCertificateSigningRequest(CSR)fromthecontrollerbynavigatingtoConfigurationManagementCertificatesCSR.
Filloutthenecessaryfields.
Afterclicking"GenerateNew",thecontrollerwillgenerateaprivatekey,whichremainslockedinsidethecontroller,andabase64-encodedCSR.
TheCSRcontainsallthedetailsneededforyourCAtoissuethecertificate.
TheCommonName(CN)fieldshouldcontainthefullURLthatwebbrowserswillnavigatetoinordertoreachthecontroller'sembeddedwebserver.
TakecaretofillouttheCommonNamefieldcorrectlyaccordingtothepurposeofthecertificate:a.
Forcaptiveportal,thesystemwillautomaticallyissueHTTPredirectsandspoofDNSresponsestothecaptiveportalclientsothatthebrowserappearstobeconnectingtothecorrectDNSnamethatmatchesthecertificatecommonname.
Thisistoensurethatbrowserwarningsarenotgenerated.
Ifthecertificateisonlybeingusedforcaptiveportal,thenameintheCNfieldisunimportant–butmakesureitfallswithin2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
yourdomainnamesothatapublicCAwillcorrectlyauthorizeownershipofthecertificate.
b.
ForWebUI,theCNfieldshouldmatchtheaddressyouusetomanagethecontroller.
ThiscanbeanIPaddressoraFullyQualifiedDomainName(FQDN).
c.
For802.
1XEAPTermination,theCNfieldisnotmatchedbytheclientagainstanyotherparameter.
ItissuggestedthatyouchooseaFQDNthatisownedbyyourorganization.
2.
Clickon"ViewCurrent".
Copythebase64textshown,andpastethisintothecertificaterequestwindowprovidedbyyourcertificateauthority.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
3.
Onceyouhaveobtainedthecertificate,navigatetoConfigurationManagementCertificatesUploadanduploadthecertificatetothecontroller.
ThecertificatewillmostlikelybeprovidedtoyouinPEMorDERformat–ifyouarenotsurewhichformatitisin,tryPEMfirstandifanerrormessageresults,tryDER.
APEMformatcertificatewillbebase64-encodedandwillbeginwiththetext"-----BEGINCERTIFICATE-----".
4.
Ifyouwanttousethenewcertificateforcaptiveportal,navigatetoConfigurationManagementGeneralandchangetheCaptivePortalServerCertificate.
IfyouwanttousethenewcertificateforWebUI,configurationisfoundonthesamescreenunder"WebUIManagementAuthenticationMethod".
5.
IfyouwanttousethenewcertificateforEAPTermination,navigatetoConfigurationSecurityAuthenticationL2Authentication802.
1XAuthentication2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
ProfileAdvancedandchangetheservercertificateforallactive802.
1XauthenticationprofilesthatuseEAPTermination.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
Option2:UpgradeArubaOSArubahasobtainedanewcertificatelabeled"securelogin.
arubanetworks.
com"fromapublicCAthatreplacestheolddefaultcertificate.
ThenewcertificatehasanexpirationdateofNovember21,2013.
ThiscertificateisincludedaspartofthefollowingArubaOSsoftwarereleases:6.
1beginningwithrelease6.
1.
0.
06.
0beginningwithrelease6.
0.
1.
15.
0beginningwithrelease5.
0.
3.
23.
4beginningwithrelease3.
4.
4.
23.
3beginningwithrelease3.
3.
3.
10AllotherArubaOSreleasesdatedlaterthanJune1,2011Afterupgradingtooneoftheabovelistedreleases,nofurtheractionisrequiredtoenablethecertificate.
Ifthesystemwaspreviouslyconfiguredtousethedefaultcertificate,itwillautomaticallyusethenewlyupdatedcertificate.
Whilethisoptionprovidesthesamelevelofsecuritygivenbythepreviousdefaultcertificate,itisnotagoodoptionwhereanysecurityrequirementsexist.
SSL/TLSsecurityisprovidedbythecertificate'sprivatekeybeingkeptsecret.
Ifthecertificate'sprivatekeybecomesknown,itispossibleforanattackertoimpersonateanyserverorwebsiteusingthatcertificatewithouttheknowledgeoftheenduser.
BecausethesamecertificateandprivatekeyareinstalledonallArubacontrollers,anattackerneedonlyreverseengineerasinglesoftwareimagetoobtaintheprivatekey.
Whilethisprocessisnon-trivial,itiscertainlynotbeyondthemeansofaskilledanddeterminedattacker.
ItisalsopossibleforanattackertosimplypurchaseanduseanArubacontrollerforthepurposeofconductinganimpersonationattack.
2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
FAQQ:WhathappensifIhaveconfigured802.
1Xdevicesinmynetworktoonlytrustthe"securelogin.
arubanetworks.
com"certificate,ortoonlytrusttheEquifaxSecureCertificateAuthorityA:Thesedeviceswillneedtobereconfiguredafterinstallationofanewcertificate.
IftheseareWindowsdevices,UNCHECK"Connecttotheseservers"andUNCHECK"EquifaxSecureCertificateAuthority"intheTrustedRootCertificationAuthorities.
Afterconnectingtothecontrollerwiththenewcertificateinstalled,Windowswillupdatethesesettingsbypromptingtheuser.
Q:IsthecertificatebuiltintotheTPMchipaffectedbythisadvisoryA:No.
AllArubacontrollersthatcontainaTrustedPlatformModule(TPM),includingtheM3,3000series,and600series,containacertificateuniquetothecontrollerthathasbeenprogrammedatthefactory.
Thiscertificateisnotexpiringandisnotaffectedbythisadvisory.
ThiscertificateisusedforMaster-Localauthentication,ControlPlaneSecurity(CPsec),andRAPauthentication.
ItisnotsuitableforuseasanSSLcertificatesinceitwasissuedbyAruba'smanufacturingCA,whichisnottrustedbybrowsers.
Q:WhatcertificateauthoritywasusedtogeneratethenewcertificateWhatchainsdoesitcontain2011ArubaNetworksInc.
FurtherdistributionprohibitedwithoutpriorwrittenconsentfromArubaNetworksInc.
ForArubaCustomers,EmployeesandAuthorizedChannelPartnersOnly.
A:ThenewcertificatewasissuedbyPositiveSSL,andultimatelychainsbackuptoUSERTrust,whichisissuedbyAddTrustExternalCARoot.
DevicesconnectingtothenetworkmusthaveUSERTrustinstalledasatrustedrootCAinorderfortheArubafactorydefaultcertificatetobetrusted.
UnderaWindowssystem,thecertificatechainappearsas
- 2011ArubaNetworksInc.相关文档
- cmdmcomodo
- WayBillcomodo
- impactcomodo
- VarParseNumFromStrcomodo
- 丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂丂comodo
- Europeacomodo
妮妮云80元/月,香港站群云服务器 1核1G
妮妮云的来历妮妮云是 789 陈总 张总 三方共同投资建立的网站 本着“良心 便宜 稳定”的初衷 为小白用户避免被坑妮妮云的市场定位妮妮云主要代理市场稳定速度的云服务器产品,避免新手购买云服务器的时候众多商家不知道如何选择,妮妮云就帮你选择好了产品,无需承担购买风险,不用担心出现被跑路 被诈骗的情况。妮妮云的售后保证妮妮云退款 通过于合作商的友好协商,云服务器提供2天内全额退款,超过2天不退款 物...
丽萨主机122元/每季,原生IP,CN2 GIA网络
萨主机(lisahost)新上了美国cn2 gia国际精品网络 – 精品线路,支持解锁美区Netflix所有资源,HULU, DISNEY, StartZ, HBO MAX,ESPN, Amazon Prime Video等,同时支持Tiktok。套餐原价基础上加价20元可更换23段美国原生ip。支持Tiktok。成功下单后,在线充值相应差价,提交工单更换美国原生IP。!!!注意是加价20换原生I...
美国G口/香港CTG/美国T级超防云/湖北高防云服务器物理机促销活动 六一云
六一云 成立于2018年,归属于西安六一网络科技有限公司,是一家国内正规持有IDC ISP CDN IRCS电信经营许可证书的老牌商家。大陆持证公司受大陆各部门监管不好用支持退款退现,再也不怕被割韭菜了!主要业务有:国内高防云,美国高防云,美国cera大带宽,香港CTG,香港沙田CN2,海外站群服务,物理机,宿母鸡等,另外也诚招代理欢迎咨询。官网www.61cloud.net最新直销劲爆...
comodo为你推荐
-
服务器租赁服务器出租是什么意思,来点简单能看得懂的网络服务器租用现在网站服务器租赁一年多少钱?info域名注册淘宝上有的注册info域名十元左右,是不是真的虚拟主机推荐虚拟主机哪个好asp主机空间asp空间是什么免费虚拟主机申请免费域名和免费虚拟主机申请以及绑定求详解免费vps服务器免费服务器有哪些虚拟空间哪个好虚拟内存设在哪个盘最好asp网站空间ASP空间是什么?便宜虚拟主机麻烦各位给我推荐一个比较便宜的虚拟主机,要质量好的。谢谢大家了