AP Whitelist Synchronization Failure

Mar 7, 2018 - Aruba

PRODUCTS COVERED

Aruba Mobility & Cloud Services Controllers and ClearPass Policy Manager

SUMMARY

Aruba Activate Web Services (activate.arubanetworks.com) uses a certificate issued by the GeoTrust root CA. Google and Mozilla are deprecating support for existing certificates issued by any of the Symantec PKI Certificate Authorities, which include GeoTrust.
To ensure uninterrupted service for customers using Activate, Aruba will replace the server certificate with a new one from a trusted Certificate Authority on Wednesday, March 7, 2018, between 8:00 PM and 10:00 PM Pacific Standard Time (i.e. 4:00 AM – 6:00 AM Thursday, March 8, 2018 UTC).

This will result in communication failure between:

- Aruba controllers (running any ArubaOS 6.x.x.x version) and Activate cloud-based services. This prevents the controller from downloading Remote AP whitelists from the Activate server if it is configured for Activate Whitelist Synchronization.
- ClearPass Policy Manager (running 6.7.1 or lower versions) and Activate cloud-based services. This affects IAP-VPN authentication if Activate is configured as an Endpoint Context Server and Server Certificate Validation is enabled.

AFFECTED PRODUCTS

Mobility and Cloud Services controllers running:
- ArubaOS 6.3.1.x and earlier versions
- ArubaOS 6.4.3.x versions prior to 6.4.3.12
- ArubaOS 6.4.4.x versions prior to 6.4.4.18
- ArubaOS 6.5.x.x versions prior to 6.5.3.6
- ArubaOS 6.5.4.x versions prior to 6.5.4.6

ClearPass Policy Managers running 6.7.1 and lower versions

UNAFFECTED PRODUCTS

· Mobility and Cloud Services Controllers running ArubaOS 8.1.0.0 (and later versions)
· Campus and Branch Switches - including Mobility Access Switches
· Aruba Instant
· AirWave
· Aruba Central
· OfficeConnect Access Points

CALL TO ACTION

Aruba Mobility and Cloud Services Controllers
Upgrade the controllers to one of the following ArubaOS software versions, when available.

- 6.5.3.6: March 16, 2018
- 6.5.4.6: March 16, 2018
- 6.4.3.12: March 30, 2018
- 6.4.4.18: April 27, 2018
- 6.3.1.26: June 30, 2018

Controllers running ArubaOS 6.5.1.x code are recommended to be upgraded to ArubaOS 6.5.3.6.
Until you upgrade the controller to one of the above ArubaOS patches, the Remote AP and Instant AP Whitelist will fail to download from Aruba Activate. As a workaround you must manually add the IAPs/RAPs to the RAP Whitelist Database to allow these to come online.
To manually add an AP to the whitelist database, follow the instructions below.

In the WebUI

To add an AP to the Whitelist database:
1. Navigate to Configuration > WIRELESS > AP Installation.
2. Click the Whitelist tab.
3. In the Whitelist tab, click Entries >>.
4. In the Number of Entries section, click New.
5. Enter the AP details.
6. Click Add.

In the CLI

To add an AP or IAP to the Remote AP Whitelist Database:
(host)# whitelist-db rap add mac-address <mac-addr> ap-group <ap-group> ap-name <ap-name>

Note: Always review ArubaOS Patch Release Notes for recommendations on upgrade paths and procedures, and perform code upgrade in a maintenance window.

ClearPass Policy Manager
Download the new ‘DigiCert Global Root G2’ – Root CA Certificate and add it to the Certificate Trust List in the ClearPass server. You may download this new Root CA certificate either from the Aruba support site or directly from DigiCert’s portal following the procedures listed below.

Download Procedures

Option A

1. Login to https://support.arubanetworks.com.
2. Click on ‘Download Software’.
3. Click on ‘ClearPass’.
4. Click on ‘Tools’.
5. Click on ‘3rd Party Root Certificates’.
6. Click to download the ‘DigiCert Global Root G2 - Certificate’.

Option B

1. Navigate to https://www.digicert.com/digicert-root-certificates.htm.
2. Scroll down to ‘DigiCert Global Root G2’.
3. Click ‘Download Link’ to the right.
4. If this certificate file is in PEM format, it needs to be converted to a DER-encoded CRT file.
Using ‘openssl’, issue the following command (the file names contain spaces, so they must be quoted):
openssl x509 -outform der -in "DigiCert Global Root G2.pem" -out "DigiCert Global Root G2.crt"
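
Added example, not part of the Aruba advisory and not Aruba or DigiCert tooling: one way to vet a downloaded root file before it goes into the Trust List, checking that it is self-issued, carries the expected CN and matches a SHA-256 fingerprint obtained out-of-band, and only then writing the DER .crt. The function names are hypothetical, the expected fingerprint is an operator-supplied input, and the sample certificate is constructed on the spot so the script runs offline.

```shell
#!/bin/sh
# Added example, not Aruba or DigiCert tooling. Expected CN and SHA-256 fingerprint are
# operator inputs taken out-of-band from the CA's published values (assumption).

# Drop any "label=" prefix, colons and whitespace; uppercase the hex digits.
norm_fp() { printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'; }
sha256_of() { norm_fp "$(openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256)"; }

# verify_root_ca <cert-file> <expected-CN> <expected-sha256> <out.crt>
# Returns 0 and writes the DER-encoded <out.crt> only if every check passes.
verify_root_ca() {
    local src="$1" want_cn="$2" want_fp="$3" out="$4" form=der subj issr fp
    # PEM files carry an armor line; anything else is treated as DER.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" 2>/dev/null && form=pem
    subj=$(openssl x509 -inform "$form" -in "$src" -noout -subject -nameopt RFC2253) || return 2
    issr=$(openssl x509 -inform "$form" -in "$src" -noout -issuer -nameopt RFC2253) || return 2
    fp=$(sha256_of "$src" "$form")
    subj=$(printf '%s' "$subj" | sed 's/^subject= *//')
    issr=$(printf '%s' "$issr" | sed 's/^issuer= *//')
    # A root certificate is self-issued: subject and issuer names are identical.
    [ "$subj" = "$issr" ] || { echo "reject: subject != issuer" >&2; return 3; }
    case ",$subj," in
        *",CN=$want_cn,"*) ;;
        *) echo "reject: unexpected subject: $subj" >&2; return 4 ;;
    esac
    [ "$fp" = "$(norm_fp "$want_fp")" ] ||
        { echo "reject: fingerprint mismatch" >&2; return 5; }
    # Quote the paths: the file names in this procedure contain spaces.
    openssl x509 -inform "$form" -in "$src" -outform der -out "$out" || return 2
}

# Constructed sample input: a throwaway self-signed certificate standing in for the
# downloaded root, so the checks can be exercised without network access.
make_sample_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test Root/O=Example" \
        -keyout "$1/key.pem" -out "$1/Constructed Test Root.pem" 2>/dev/null
}

# Demo: the matching fingerprint is accepted, a wrong one is rejected and nothing is written.
d=$(mktemp -d) && make_sample_root "$d"
pem="$d/Constructed Test Root.pem"
good=$(sha256_of "$pem" pem)
verify_root_ca "$pem" "Constructed Test Root" "$good" "$d/Constructed Test Root.crt" &&
    echo "accepted: DER copy written"
verify_root_ca "$pem" "Constructed Test Root" "00:11:22" "$d/bad.crt" ||
    echo "rejected as expected"
```

For the real file, pass ‘DigiCert Global Root G2’ as the expected CN and the fingerprint published by DigiCert as the third argument.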

Configuration Procedures

1. Log in to the ClearPass admin UI (e.g. https://<ClearPass-IP>/tips).
2. Click on ‘Administration’ on the left.
3. Click on ‘Certificates’.
4. Click on ‘Trust List’.
5. Click on ‘Add’ in the upper right hand corner.
6. Browse to the location where you stored the new root certificate and hit ‘Add Certificate’.
7. You will see a message at the top of the screen indicating a successful install. If not, contact Aruba Global Support.
8. To verify the certificate is also enabled, type ‘DigiCert’ in the filter and hit ‘Go’.

You will see it listed as ‘CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US’.

This advisory will be posted on the Aruba Support Site under the Announcements section and may be revised as applicable. Please check back for further updates.
Aruba is committed to communicating code revision, feature and function recommendations to ensure optimal network operation and high customer satisfaction. Please feel free to contact Aruba Global Support if you need further clarifications regarding this advisory. The Aruba Global Support team can facilitate further product related discussions with the Product Management team for customers who desire to do so.

Thank you,
Aruba Customer Advocacy