ArubaOS 8.6.0.0 Help Center

Configuring EST on the Controller

You can configure multiple EST profiles on a Controller, each with different parameters, using the CLI, but only one profile can be activated at a time, using a global non-profile command.

This section contains the following topics:

Important Points to Remember

For smooth deployment, EST activation should be done first on the MM and then on the MDs.

The EST server configuration should be common across all the Controllers deployed in the enterprise.

Prerequisites

Before configuring EST, ensure you complete the following prerequisites:

1. Import the CA or signing authority of the EST server's SSL certificate on the Controller. For more information on importing certificates, refer to Managing Certificates.

2. Ensure time synchronization between all the devices involved in EST enrollment. For more information on time synchronization, refer to Clock Synchronization.

3. If the EST profile contains an FQDN as the server host, ensure that the DNS server and domain name are configured on the enrolling devices. For information on configuring a DNS server and a DNS name, refer to Configuring DHCP Address pool.

4. If the EST server port is different from the default port 443, ensure the corporate firewall allows the configured port.

5. Ensure that the server-host configured as part of the EST profile matches the Common Name or SubjectAltName fields of the EST server's certificate, which is used during the SSL handshake.

6. For Remote AP deployments, if the IPsec inner pool address range is not a routable network within the enterprise domain, it is recommended to configure a route source NAT rule so that traffic is source-NATed to the Controller's IP address to reach the EST server. The route srcnat rule should apply only to the EST server as the destination host and the respective port number used in the EST profile parameters. For more information on configuring route source NAT, refer to Enabling Remote AP Advanced Configuration Options.

7. When ClearPass Policy Manager is used as the EST server, the default EST services are enabled with the SHA512 RSA signature, which is unsupported on the AP. The RSA settings must be changed to either SHA256 or SHA384 in order to enroll EST on both the AP and the Controller successfully.
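Prerequisite 5 is the one most often missed: the value typed into server-host must match the server certificate. The following pre-flight check is an added example, not ArubaOS code; it applies the usual TLS name-matching rules (SAN preferred, CN only as a fallback, wildcard only in the leftmost label) to a certificate in the dict shape Python's ssl module returns, using a constructed sample certificate and an assumed hostname est.example.com.

```python
"""Pre-flight check: does an EST profile's server-host match the EST server's
certificate (CN / SubjectAltName)? Added example, not ArubaOS code."""
import ipaddress
import socket
import ssl


def _match_dns(pattern, host):
    """RFC 6125 style match: case-insensitive, '*' allowed only as the whole
    leftmost label and only when at least two more labels follow it."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def server_host_matches(server_host, cert):
    """cert has the shape returned by ssl.SSLSocket.getpeercert().
    Returns (matched, detail) so a mismatch can be reported with the names seen."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server_host)
    except ValueError:
        ip = None
    if ip is not None:  # server-host is an IP: only SAN IP entries count
        ips = [v for k, v in san if k == "IP Address"]
        return any(ipaddress.ip_address(v) == ip for v in ips), "SAN IP: %s" % ips
    dns_names = [v for k, v in san if k == "DNS"]
    if dns_names:  # SAN present: CN is ignored, as TLS clients do
        return any(_match_dns(n, server_host) for n in dns_names), "SAN DNS: %s" % dns_names
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_match_dns(cn, server_host) for cn in cns), "CN fallback: %s" % cns


def fetch_peercert(host, port=443):
    """Live variant (needs network; the EST server's CA must be in the default
    trust store). Hostname checking is done by server_host_matches instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificate, modelled on getpeercert() output.
SAMPLE_CERT = {
    "subject": ((("commonName", "est.example.com"),),),
    "subjectAltName": (("DNS", "est.example.com"), ("DNS", "*.pki.example.com"),
                       ("IP Address", "10.0.0.5")),
}

if __name__ == "__main__":
    print(server_host_matches("est.example.com", SAMPLE_CERT))  # (True, ...)
```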

Enhancements to EST Profile

Starting from ArubaOS 8.6.0.0, the following EST enhancements can be configured by the user:

• Users can configure the username and password for authentication. These credentials are used during the enrollment process, and the server uses them to authenticate the clients.

Username/password authentication and challenge-password authentication are mutually exclusive; only one of the two methods can be used. The CLI and WebUI will throw an error when both authentication methods are configured at the same time.

• Users can configure the optional parameter Organizational Unit Name (OU) in the EST profile. If this field is configured, the OU is inserted in the CSR and subsequently becomes part of the enrolled EST certificate.

• Users can configure arbitrary labels for EST enrollment and re-enrollment to perform different EST operations. The arbitrary label is used for CA certificate operations. The arbitrary enrollment label and the arbitrary re-enrollment label are used for CSR Attributes operations. These two labels are optional parameters; if they are not configured, the default arbitrary label is used for enrollment and re-enrollment with the EST server.

• The EST client uses the already enrolled certificates during re-enrollment.

• Users can change the credentials in an already activated EST profile and use the latest credentials without de-activating and re-activating the EST profile. This avoids an unnecessary AP reboot when changing the credentials. Only the username, password, and challenge-password fields may be changed; changes to the other profile parameters are not allowed.

Configuring an EST Profile

The following procedure describes how to configure a new EST profile.

1. Before configuring an EST profile, you must import the trusted CA to the Controller.

a. In the Mobility Master node hierarchy, navigate to the Configuration > System > Certificates tab.

b. Click + in the Import Certificates section.

c. Enter the name of the trusted CA in the Certificate name text box.

d. Enter the certificate filename of the trusted CA in the Certificate filename text box. Click the Browse button to enter the full pathname.

e. Enter an Optional passphrase and re-type the passphrase.

f. Select a certificate format from the Certificate format drop-down list. You can import certificates in PEM, DER, and PKCS7 format.

g. Select TrustedCA from the Certificate type drop-down list.

h. Click Submit. The certificate appears in the Import Certificates section.

2. To configure a new EST profile on the Controller using the WebUI:

a. In the Mobility Master node hierarchy, navigate to the Configuration > System > Profiles tab.

b. In the All Profiles menu, expand EST profile > EST.

c. In the EST Profile: New Profile section, click + to create a new profile.

d. Enter a name for the EST profile in the Profile name text box.

e. Enter the hostname of the EST server in the Server host text box.

f. The default Server port is 443. You may choose to enter a different EST server port in the Server port text box.

g. You can optionally enter a password in the Challenge password text box.

h. If you chose to enter a challenge password, retype the password in the Retype text box.

i. Enter an arbitrary label in the Arbitrary label text box.

j. Enter the certificate name of the EST server's CA (same as in Step 1c) in the Server's CA cert name text box.

k. Enter the Organizational Unit Name in the Organizational Unit Name text box.

l. Enter an arbitrary enrollment label in the Arbitrary enrolment label text box.

m. Enter an arbitrary re-enrollment label in the Arbitrary reenrollment label text box.

n. Enter the Username and password for EST authentication.

o. Click Submit. The EST profile appears under the EST Profile > EST section of the All Profiles menu.

3. To complete EST enrollment on the Controller, you must activate the EST profile.

a. In the Mobility Master node hierarchy, navigate to the Configuration > System > Certificates tab.

b. Expand the Enrollment over Secure Transport accordion.

c. Set the Enable certificate provisioning using EST protocol toggle switch to active.

d. Select the EST profile from the EST server drop-down list.

e. Click Submit.

The following CLI commands configure a new EST profile.

(host) [mynode] (config)# est profile
(host) [mynode] (EST Profile )# arbitrary-label
(host) [mynode] (EST Profile )# arbitrary-label-enrollment
(host) [mynode] (EST Profile )# arbitrary-label-reenrollment
(host) [mynode] (EST Profile )# challenge-password
(host) [mynode] (EST Profile )# clone
(host) [mynode] (EST Profile )# organizational-unit-name
(host) [mynode] (EST Profile )# server-host
(host) [mynode] (EST Profile )# server-port
(host) [mynode] (EST Profile )# trustanchor-name
(host) [mynode] (EST Profile )# username
(host) [mynode] (EST Profile )# password
(host) [mynode] (EST Profile )# end

Activate an EST profile using the CLI

The following CLI command activates an existing EST profile.

(host) [mynode] (config)# est-activate
