SSH Aruba MM/MD via Public Key Auth


Certificate-based login to the MM/MD is a useful security capability of the Aruba MM/MDs: an administrator authenticates to SSH with a key pair instead of a password.

ArubaOS does not support importing a bare SSH public key, so the key can only be brought onto the controller wrapped in an X.509 certificate. We therefore first generate a private key and create a certificate that carries the matching public key; the private key itself stays on the laptop and is never uploaded.

I use OpenSSL to create the key pair and to generate the self-signed certificate that is then uploaded to the Aruba controller.

I am working from a Windows laptop and use PuTTY as the SSH client.

Installing OpenSSL on Windows Machine:

Shining Light Productions provides an installer build of OpenSSL for Windows:

Download the installer (MSI) from their site; installation is straightforward.

Once installed, add the OpenSSL bin directory to the PATH environment variable so that openssl can be run from any location.

Using OpenSSL to Generate Private Key and Cert:

Use the following command to generate the private key with the desired key length (2048 bits or longer).

Use the following command to generate a self-signed certificate from that private key, filling in the subject fields as prompted.

OpenSSL Command CheatSheet:
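As an added example (not from the original post), the same key and certificate steps scripted in Python around the openssl CLI: generate the private key, build the self-signed certificate without the interactive prompts, and confirm that the certificate really carries the public half of that private key before it is uploaded to the controller. The file names, the CN "aruba-admin" and the ten-year validity are assumptions for the example.

```python
"""Added example, not from the original post: drive the openssl CLI to
produce the private key and self-signed certificate ArubaOS needs for SSH
public-key login, then verify the certificate matches the key.
Paths, subject name and validity period are assumptions."""
import subprocess
from pathlib import Path


def _openssl(*args: str) -> str:
    """Run one openssl command, fail loudly on error, return its stdout."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def gen_private_key(key: Path, bits: int = 2048) -> Path:
    """RSA private key in PEM. 2048 bits is the floor. The file is left
    unencrypted here because PuTTYgen adds the passphrase when it saves the
    .ppk; restrict the file permissions meanwhile."""
    _openssl("genrsa", "-out", str(key), str(bits))
    key.chmod(0o600)
    return key


def gen_self_signed_cert(key: Path, cert: Path, cn: str = "aruba-admin",
                         days: int = 3650) -> Path:
    """X.509 certificate signed by the same key; -subj avoids the prompts."""
    _openssl("req", "-new", "-x509", "-sha256", "-key", str(key),
             "-subj", f"/CN={cn}", "-days", str(days), "-out", str(cert))
    return cert


def cert_matches_key(key: Path, cert: Path) -> bool:
    """The modulus embedded in the certificate must equal the modulus of
    the private key; otherwise the controller would hold someone else's key."""
    k = _openssl("rsa", "-in", str(key), "-noout", "-modulus").strip()
    c = _openssl("x509", "-in", str(cert), "-noout", "-modulus").strip()
    return k.startswith("Modulus=") and k == c


def cert_summary(cert: Path) -> str:
    """Subject, validity and SHA-256 fingerprint, to compare against what
    the controller displays after the upload."""
    return _openssl("x509", "-in", str(cert), "-noout", "-subject",
                    "-dates", "-fingerprint", "-sha256")


if __name__ == "__main__":
    key = gen_private_key(Path("aruba_admin.key"))      # assumed file name
    cert = gen_self_signed_cert(key, Path("aruba_admin.crt"))
    print("certificate matches private key:", cert_matches_key(key, cert))
    print(cert_summary(cert))
```

Run it once, upload aruba_admin.crt to the controller, and keep aruba_admin.key for the PuTTYgen conversion described below; the fingerprint printed by cert_summary is what to check against the certificate the controller shows after import.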

Uploading the Certificate to Aruba Controller:

Upload the certificate to the Aruba controller as a Public Cert: browse to the certificate file and upload it:

Adding Mgmt Account Associated to the Cert:

Create the management account with the required access level and associate the certificate with that mgmt-account.

Using Putty to Login to the Controller:

The private key on the PC has to be associated with the PuTTY session. PuTTY, however, requires the key in its own .ppk format and otherwise fails with the following error:

Download PuTTYgen to convert the private key into the format PuTTY expects.

Open PuTTYgen and use Load to open the private key created earlier. Once it is loaded, save it in .ppk format with Save private key, and set a key passphrase when saving so the key on disk is not usable without it.

With the private key in the correct format, point PuTTY at the .ppk file and SSH to the Aruba controller. The private key is loaded in PuTTY here:

PuTTY prompts for the username and then for the passphrase set when the .ppk was saved. Enter the username of the mgmt account created on the Aruba controller and the passphrase, and the login should succeed.

More details on how to set this up on the ArubaOS 6.x architecture:

Happy Reading…..

Aruba DHCP Option 60 (Vendor Class Identifier)

Almost every vendor implements DHCP Option 60, the Vendor Class Identifier (VCI) defined in RFC 2132, with its own string. Option 60 is a string that the Access Point includes in the DHCP Discover packet it sends to the DHCP server.

A DHCP server can be configured to filter on the received option 60 string and return standard or vendor-specific options (Option 43) in the DHCP Offer and Acknowledgement packets. Filtering on option 60 lets different device types that need vendor-specific information co-exist in one broadcast domain: with Cisco and Aruba APs in the same subnet, the DHCP server should be configured with a matching pair of Option 60 and Option 43 for each vendor.

If no option 60 is specified for a scope, the content of option 43 is returned to every DHCP client requesting an address in that subnet. In general, define option 60 in the scope so that option 43 is returned only to APs and not to other clients, but how far this works depends on the DHCP server. Cisco IOS DHCP pools accept only one option 60 string (VCI) per pool, so IOS-based DHCP is a poor fit when APs from different vendors share a subnet. Windows Server has no such limitation, and there the correct procedure is to define Option 60 for each vendor.

The string value forwarded to the DHCP server depends on the mode of the Aruba Access Point.

Aruba Access Points also require a specific option 60 value to be returned in the DHCP Offer and Acknowledgement packets before any vendor-specific information is considered; which value is expected again depends on the AP's mode. If the expected option 60 value is not present in the Offer or Acknowledgement, any vendor-specific information supplied in it is ignored.

Vendor Specific Information (Option 43):

Aruba Access Points support vendor-specific information provided in Offer and Acknowledgement packets. Which vendor-specific information an Aruba AP accepts depends on its mode: Instant mode APs can be given an HTTP proxy server (Option 148) and/or AirWave server information (Option 43), while Campus mode or Unified APs can be given Mobility Controller information.
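The option 60 / option 43 exchange described above, as an added example that is not part of the original post: a DHCP server that filters on the client's VCI and returns only that vendor's option 43 (echoing the VCI in the offer), and an AP that ignores option 43 unless the offer carries the option 60 value it expects. The option bytes are built and parsed in the RFC 2132 TLV form so the rule can be exercised on the wire format rather than on a diagram. The VCI strings and the controller addresses in the table are assumptions for the example, not values taken from the page.

```python
"""Added example, not from the original post: DHCP option 60 filtering on
the server side and the option 60 check on the Aruba AP side, on raw RFC
2132 option bytes.  VCIs and addresses below are assumptions."""
from typing import Dict, Optional

OPT_PAD, OPT_VENDOR, OPT_VCI, OPT_END = 0, 43, 60, 255


def encode_options(options: Dict[int, bytes]) -> bytes:
    """Serialise {code: value} into code/length/value form, end marker 255."""
    out = bytearray()
    for code, value in options.items():
        if not 0 < code < 255 or len(value) > 255:
            raise ValueError(f"option {code} not encodable")
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse TLV options: skip pad bytes, stop at 255, reject truncation."""
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = value  # a repeated code overwrites; fine for this demo
        i += 2 + length
    raise ValueError("options not terminated by 255")


# Server side: one option 43 payload per vendor class in a shared subnet.
# Assumed values: "ArubaAP" with a controller IP as an ASCII string, and a
# Cisco VCI whose payload is Cisco's sub-option 241 TLV with a WLC address.
VENDOR_TABLE: Dict[bytes, bytes] = {
    b"ArubaAP": b"10.0.0.5",
    b"Cisco AP c1140": b"\xf1\x04\x0a\x00\x00\x09",
}


def build_offer_options(discover_opts: Dict[int, bytes]) -> Dict[int, bytes]:
    """Return option 60 and the vendor's option 43 only for a known VCI;
    ordinary clients get neither."""
    vci = discover_opts.get(OPT_VCI)
    if vci not in VENDOR_TABLE:
        return {}
    return {OPT_VCI: vci, OPT_VENDOR: VENDOR_TABLE[vci]}


def ap_vendor_info(offer_opts: Dict[int, bytes],
                   expected_vci: bytes) -> Optional[bytes]:
    """The AP rule: option 43 counts only if option 60 in the offer is the
    value this AP mode expects; otherwise it is ignored."""
    if offer_opts.get(OPT_VCI) != expected_vci:
        return None
    return offer_opts.get(OPT_VENDOR)


def discover_to_controller(vci: bytes) -> Optional[bytes]:
    """Full round trip over encoded bytes: AP sends its VCI, the server
    answers, the AP decides whether to use the vendor information."""
    discover = encode_options({OPT_VCI: vci})
    offer = encode_options(build_offer_options(decode_options(discover)))
    return ap_vendor_info(decode_options(offer), vci)


if __name__ == "__main__":
    for vci in (b"ArubaAP", b"Cisco AP c1140", b"SomeLaptop"):
        print(vci.decode(), "->", discover_to_controller(vci))
```

The last case shows why the text recommends defining option 60 per scope: a client that presents no known VCI receives no option 43 at all, and an AP handed an offer with option 43 but the wrong or missing option 60 discards it.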

AirWave Server Discovery For IAP:

HTTP Proxy For IAP:

****** Note that the HTTP proxy username and password are forwarded to Instant mode Access Points in Offers and Acknowledgements in clear text; anyone on the AP subnet who can capture DHCP traffic can read them. ******

The HTTP Proxy option can be used with Instant mode Access Points managed by AirWave or Central. When the APs are managed by AirWave, the HTTP Proxy option can be combined with the AirWave Server Discovery option.

Controller Discovery For Campus/Unified AP:

Let's look at the DHCP scope configuration for IAPs and for Campus/Unified APs.

Windows DHCP Server Config for Unified/Campus AP:

Windows DHCP Server Config for IAP AirWave:

Windows DHCP Server Config for IAP Http Proxy:

DHCP Server Config On Aruba OS Switch:

DHCP Server Config On Cisco Switch:

Happy Reading…..

SCP Service on Aruba Mobility Controllers


Aruba Mobility Controllers support an SCP server feature that can be enabled on the MMs and MDs. It lets files be transferred between MM and MDs without an external SCP server, and to and from any device running an SCP client.

The command to enable/disable the service:

(Test)[MDC] (config)#service scp
(Test)[MDC] (config)#no service scp

This is not a full-featured SCP implementation: it supports only the native SCP protocol, not SFTP, and connecting with the WinSCP GUI did not work. The scp command-line client, however, uploads and downloads files to the Mobility Controller without trouble.

With any SCP client installed on your device, the command line can be used to download or upload files.

In the following example I use the command line on my Windows laptop to download logs.tar.7z from the Aruba controller. Here x.x.x.x is the controller IP; the controller's admin password is requested before the transfer starts. On the first connection scp also asks to confirm the controller's host key fingerprint; compare it against a trusted record of the controller's host key before answering yes, because accepting it blindly lets a machine impersonating the controller capture the admin password.

C:\Users\admin>scp admin@x.x.x.x:logs.tar.7z C:\Users\admin
The authenticity of host 'x.x.x.x (x.x.x.x)' can't be established.
RSA key fingerprint is SHA256:kig0wBq0xYQKZsSi/C1zvTs9eGaDXj920VjuMLxdX38.
Are you sure you want to continue connecting (yes/no)?
Warning: Permanently added 'x.x.x.x' (RSA) to the list of known hosts.
admin@x.x.x.x's password:
logs.tar.7z 100% 19MB 18.8MB/s 00:01

Similarly, the CLI can upload a file to the Aruba controller. The following command uploads TEST.txt to the Mobility Controller at x.x.x.x; again the controller's admin password is requested.

C:\Users\admin>scp C:\Users\admin\TEST.txt admin@x.x.x.x:
admin@x.x.x.x’s password:
TEST.txt 100% 40 6.5KB/s 00:00
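As an added example that is not part of the original post, the download above with the host key prompt replaced by an explicit check: the controller's host key is fetched with ssh-keyscan, its SHA256 fingerprint is computed the way OpenSSH prints it, compared against a fingerprint recorded out of band, and only then is scp run with StrictHostKeyChecking=yes against a known_hosts file containing just that key. The hostname, user, paths and expected fingerprint are supplied by the caller; none of them are taken from the page.

```python
"""Added example, not from the original post: scp from the controller only
after pinning its SSH host key to a fingerprint recorded out of band.
Host, user, paths and the expected fingerprint are caller-supplied
assumptions.  The password prompt stays interactive, as in the text."""
import base64
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def openssh_fingerprint(key_line: str) -> str:
    """SHA256 fingerprint of one known_hosts / ssh-keyscan line, in the
    'SHA256:<base64 without padding>' form OpenSSH prints.  The key blob
    is the field starting with 'AAAA' (base64 of the leading length word)."""
    blob = next(f for f in key_line.split() if f.startswith("AAAA"))
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def scan_host_key(host: str, key_type: str = "rsa") -> str:
    """Fetch the host's public key line with ssh-keyscan (known_hosts format)."""
    out = subprocess.run(["ssh-keyscan", "-t", key_type, host], check=True,
                         capture_output=True, text=True).stdout
    lines = [l for l in out.splitlines() if l and not l.startswith("#")]
    if not lines:
        raise RuntimeError(f"no {key_type} host key returned by {host}")
    return lines[0]


def scp_with_pinned_host(host: str, user: str, remote_path: str,
                         local_path: str, expected_fp: str) -> None:
    """Download remote_path via scp, refusing unless the live host key
    matches expected_fp; the verified key is the only entry scp may trust."""
    line = scan_host_key(host)
    got = openssh_fingerprint(line)
    if got != expected_fp:
        raise RuntimeError(
            f"host key mismatch for {host}: got {got}, expected {expected_fp}")
    known_hosts = Path(tempfile.mkdtemp()) / "known_hosts"
    known_hosts.write_text(line + "\n")
    subprocess.run(["scp",
                    "-o", f"UserKnownHostsFile={known_hosts}",
                    "-o", "StrictHostKeyChecking=yes",
                    f"{user}@{host}:{remote_path}", local_path], check=True)


if __name__ == "__main__":
    # usage: python pinned_scp.py <controller> <user> <remote> <local> <SHA256:...>
    if len(sys.argv) != 6:
        sys.exit(__doc__)
    scp_with_pinned_host(*sys.argv[1:])
```

The expected fingerprint should come from the controller itself (for example read off its console or web UI) or from a first connection made on a trusted network, not from the prompt of the very session being verified.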

More on this feature:

Happy Reading….