Aruba AOS-S setup
This procedure prepares an Aruba AOS-S switch for HTTPS (SSL) management using a certificate issued by a domain CA, and then enables the REST API.
Export CA Certificate
First, export the domain CA's public certificate (no private key) from certmgr:
- Navigate to Trusted Root Certification Authorities\Certificates\<domain-ca> → All Tasks → Export → Base-64 encoded X.509 (.CER)
- Name it DOMAIN_CA.cer
- Install a TFTP server, for example tftpd64: https://github.com/PJO2/tftpd64/releases/download/v4.71/tftpd64_portable_v4.71.zip
- Place DOMAIN_CA.cer in the TFTP directory
TFTP offers no authentication or integrity protection. The file only carries the CA's public certificate, but run the server only for the duration of the copy, and compare the certificate the switch reports as installed against the CA's certificate.
Reset Key Configuration (Optional)
If an earlier PKI configuration must be cleared first:
crypto pki zeroize
This removes the switch's existing PKI certificates and keys, so run it only when you intend to re-enrol.
Configure Switch Identity
Give the switch an FQDN; the common name in the CSR and the SAN requested from the CA must match it:
conf t
hostname "SwitchName"
ip dns domain-name ad.domain.com
Create TA Profile
Create a trust anchor profile (ta-profile) and import the CA certificate from the TFTP server:
crypto pki ta-profile DOMAIN_CA
copy tftp ta-certificate DOMAIN_CA <TFTP-server-IP> DOMAIN_CA.cer
Verify the installation:
show crypto pki ta-profile DOMAIN_CA
The Profile Status should change from pending to certificate installed.
Generate CSR
Create a certificate signing request (CSR) tied to the trust anchor profile, with a 2048-bit RSA key and the switch FQDN as the common name:
crypto pki create-csr certificate-name ssl-cert ta-profile DOMAIN_CA usage web key-type rsa key-size 2048 subject common-name SwitchName.ad.domain.com
The switch generates the key pair itself, so the private key never leaves the device. Copy the Base64-encoded CSR it prints.
Submit CSR to CA
Navigate to the CA's web enrollment page:
http://<domain-ca>/certsrv/certrqxt.asp
- Paste the CSR into the request box
- In Additional Attributes, add the following, using the switch's LAN IP:
san:dns=SwitchName.ad.domain.com&ipaddress=12.34.56.78
- Template: SSL Certificate
- Click Submit >
After issuance:
- Select Base 64 encoded
- Click Download certificate
The san: request attribute is only honoured when the CA has the EDITF_ATTRIBUTESUBJECTALTNAME2 flag set. That flag lets any enrollee pick arbitrary subject alternative names on any template, which is a well-known privilege escalation risk on AD CS; if it is not enabled, the issued certificate will lack the SAN, and browsers and REST clients will reject it for the FQDN. Check the SAN of the downloaded certificate before installing it.
Prepare Certificate
- Open certnew.cer in Notepad
- Copy the encoded certificate text, including the BEGIN CERTIFICATE and END CERTIFICATE lines, to the clipboard
Install Signed Certificate
Install the certificate on the switch; it must have been issued by the CA held in the ta-profile the CSR was created against:
crypto pki install-signed-certificate
- Paste the certificate when prompted
- Press ENTER
Enforce SSL Management
Force web management and the REST API over SSL:
no web-management plaintext
web-management ssl
rest-interface
Disabling plaintext web management is what takes the REST API off HTTP as well, so both are reachable only over HTTPS after this step.
Enable RADIUS (Optional)
To authenticate REST API logins against RADIUS, with local accounts as the fallback when the RADIUS servers are unreachable:
aaa authentication rest login radius local
aaa authentication rest enable radius local
Legacy Firmware Note (16.10.x.x)
For older firmware (e.g. the 2920 series on 16.10.x.x), create a local manager-level user matching the service account instead:
password manager user-name portweaver plaintext <password>
The plaintext keyword means the password is entered in the clear on the CLI, so do not leave it in a session log.
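An end-to-end check of the Install Signed Certificate, Enforce SSL Management and REST login steps, as an added example that is not part of the original page or of any HPE/Aruba tooling: it fetches the certificate the switch now serves on port 443, verifies that it chains to DOMAIN_CA.cer and carries the DNS and IP SANs requested with the san: attribute, and only then logs in to the REST API with the domain CA pinned instead of disabling verification. It assumes openssl 1.1.1+ and curl on the admin host, that the REST login endpoint is /rest/v7/login-sessions (the version segment is an assumption; use the one your firmware exposes), and that the service account is the portweaver user from the note above; the password is read from the SWITCH_PASS environment variable so it does not appear in argv.

```shell
#!/usr/bin/env bash
# Added post-install check; not from the page or from HPE/Aruba tooling.
# 1. fetch the certificate the switch presents on port 443
# 2. verify it chains to DOMAIN_CA.cer and carries the DNS and IP SANs
#    requested with the san: attribute at enrollment
# 3. log in to the REST API over HTTPS with the domain CA pinned
# Assumes openssl 1.1.1+ and curl. The REST path version (v7) is an
# assumption; use the version your firmware exposes.

# Pull the leaf certificate from the switch's HTTPS listener into a PEM file.
fetch_switch_cert() {
    local host="$1" out="$2"
    openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Chain verification against the domain CA plus hostname and IP matching,
# which is what a browser or a REST client will do with this certificate.
verify_switch_cert() {
    local cert="$1" ca="$2" fqdn="$3" ip="$4"
    openssl verify -CAfile "$ca" -verify_hostname "$fqdn" -verify_ip "$ip" "$cert" >/dev/null 2>&1
}

# Print the SAN the CA actually issued; if the san: attribute was ignored by
# the CA, this is where the omission shows up.
show_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName
}

# REST login with the CA pinned via --cacert instead of curl -k. The session
# cookie lands in the cookie jar for the calls (and the logout) that follow.
# Passwords containing quotes or backslashes need JSON escaping first.
rest_login() {
    local host="$1" user="$2" pass="$3" ca="$4" jar="$5"
    curl -sS --fail --cacert "$ca" -c "$jar" \
        -H 'Content-Type: application/json' \
        -d "{\"userName\":\"${user}\",\"password\":\"${pass}\"}" \
        "https://${host}/rest/v7/login-sessions"
}

# Full check: certificate first, REST login only if the certificate is right.
# The password comes from SWITCH_PASS so it stays out of argv and shell history.
check_switch() {
    local fqdn="$1" ip="$2" ca="$3" user="$4"
    local pass="${SWITCH_PASS:?set SWITCH_PASS to the service account password}"
    local tmp
    tmp=$(mktemp -d)
    fetch_switch_cert "$fqdn" "$tmp/switch.pem"
    show_san "$tmp/switch.pem"
    if verify_switch_cert "$tmp/switch.pem" "$ca" "$fqdn" "$ip"; then
        echo "certificate OK: chains to $ca, SAN matches $fqdn and $ip"
    else
        echo "certificate check FAILED for $fqdn" >&2
        rm -rf "$tmp"
        return 1
    fi
    rest_login "$fqdn" "$user" "$pass" "$ca" "$tmp/cookies.txt" && echo
    rm -rf "$tmp"
}

# Usage: SWITCH_PASS='...' ./check-switch.sh SwitchName.ad.domain.com 12.34.56.78 DOMAIN_CA.cer portweaver
if [ "$#" -eq 4 ]; then
    check_switch "$@"
fi
```

A hostname mismatch, a missing IP SAN, or a certificate issued by a different CA all make verify_switch_cert fail before any credentials are sent, which is the order you want: the login should never be attempted against an endpoint whose identity has not been established.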