ArubaOS 8.x AP Console Protection

Recent versions of ArubaOS 8.x  have introduced the concept of AP console protection.

 

This includes default enablement of:

  • AP console protection (a password is required to access the CLI)
  • a randomized password (is automatically applied to protect your console)

To see that randomized password:

  • find your AP's Controller

    • on your Mobility Conductor (formerly known as Mobility Master)
      • #cd /mm
      • #show ap database
        • find the AP your interested in, notice it's Group and switch IP
(MM-1) [mm] #show ap database
           
AP Database
-----------
Name  Group    AP Type  IP Address   Status    Flags  Switch IP    Standby IP
----  -----    -------  ----------   ------    -----  ---------    ----------
AP1   default  335      10.1.13.150  Up 9m:0s  2      10.1.13.100  0.0.0.0
      • #logon "your switch IP"
        • notice you just performed a SSO logon to your gateway/controller
    • on your Mobility Controller
      • #show ap-group <your ap-group> | include "AP system profile"
        • notice the profile-name in the output
        • replace" Group" with the group name in the show ap database output
(MC1) [MDC] #show ap-group default | include "system profile"
AP system profile                        default  
      • #encrypt disable
        • allow your passwords to be displayed on your show output
        • "encrypt enable" should automatically be applied after a few minutes
      • #show ap system-profile "profile-name" | include Password
        • notice you AP Console Password in the output
(MC1) [MDC] #show ap system-profile default | include Password
AP Console Password                        4636a15d+|H!~.

Change the AP Console randomized password to "aruba123":

    • on your Mobility Conductor
        • #cd /md
        • #configure terminal
        • #ap system-profile default
        • #ap console-password aruba123
        • write memory
    (MM-1) [mm] #cd /md
    (MM-1) [md] #configure terminal
    Enter Configuration commands, one per line. End with CNTL/Z

    (MM-1) [md] (config) #ap system-profile default
    (MM-1) ^[md] (AP system profile "default") #ap-console-password aruba123
    (MM-1) ^[md] (AP system profile "default") #write memory 

    Disable the AP Console password

          • #cd /md
          • #configure terminal
          • #ap system-profile default
          • #no ap console-protection
          • write memory
      (MM-1) [mm] #cd /md
      (MM-1) [md] #configure terminal
      Enter Configuration commands, one per line. End with CNTL/Z

      (MM-1) [md] (config) #ap system-profile default
      (MM-1) ^[md] (AP system profile "default") #no ap-console-protection
      (MM-1) ^[md] (AP system profile "default") #write memory 

      Comments

      Post a Comment

      Popular posts from this blog

      ClearPass: Using GMail for SMTP

      Image
      Using Google Gmail as your ClearPass Messaging SMTP Server Navigate to https:// Clearpass_IP / Click on the " ClearPass Policy Manager " Login using user/password = admin/eTIPS123   (use your own user/pw of course) Click the Administration Tab on the left window pane Within the Administration tab, expand " + External Servers ", then click " Messaging Setup " Server name =  " smtp.gmail.com " User Name & Password = your valid Gmail account settings Connection Security = " StartTLS " Next, install most of the root certs you can download from this link https://pki.goog/  otherwise you will see errors like this in your event log Send Error: Could not convert socket to TLS Click the Administration Tab on the left window pane Within Administration tab, expand " + Certificates ", then click " Trust List " Top right of your screen, click " + Add " and load the " Root C...
      Read more

      NET::ERR_CERT_INVALID Issues Using AirWave or NetEDIT with Chrome

      Image
      Using Chrome to login to Aruba Airwave or NetEdit with Unsupported Certificate.   Lately Chrome, Opera, Safari, etc... all but Firefox won't allow connection to ArubaNetworks Airwave with it's self-signed cert installed.  I has this issue with Airwave 8.2.11.  This also works with for similar errors on NetEdit 2.04. There is a workaround for Chrome...  while you are stuck with this issue:   NET::ERR_CERT_INVALID Click anywhere on the rendered page with the error, and simply type: thisisunsafe no need to press enter, just type it in, and you can proceed without probems!!! Credit to Hai Zheng of Twitter for this tip !!! If you think I should add or remove any information from this list, please let me know your thoughts.
      Read more