2. Configuration Examples
2.4 Trustpoints
The HTTPS captive portal connection mode requires Public Key Infrastructure (PKI) to provide privacy and mutual authentication. In WiNG 5 certificates are installed into Trustpoints which can be used by the HTTPS service for securing credential exchanges over a captive portal Wireless LAN and device management.
By default each WiNG 5 device includes a self-signed certificate which is installed into a default Trustpoint. As the certificate is self-signed there is no ability for the wireless user's web-browser or operating system to verify the server certificate used by the HTTPS service. While the default Trustpoint can be used for demonstrations or lab trials, it is recommended that a signed certificate be installed into a new Trustpoint that is assigned to the HTTPS service when the HTTPS captive portal connection mode is enabled. This will greatly enhance the end user experience and reduce support calls.
A signed certificate can be issued from a public or private certificate authority. For guest / visitor access applications it is recommended that the certificates be signed by a certificate authority that the guest / visitors' web-browsers or operating systems already trust. For enterprise applications the certificates can be signed by a private enterprise certificate authority which may already be trusted by the managed devices.
This section provides a step-by-step example of how to generate an RSA keypair and certificate signing request for WiNG 5 devices which can be signed by a public or private certificate authority. The signed certificate and CA root certificate can then be installed into a Trustpoint on the WiNG 5 devices and assigned to the HTTPS service. In this example a common RSA keypair and signed certificate will be installed on two RFS 4000 Wireless Controllers and assigned to the HTTPS service using device overrides. The common name field can be set to an IPv4 address, hostname or wildcard depending on which WiNG 5 device it is being installed on. In this example the common name will use the hostname virtual.tmelabs.local, matching the virtual hostname assigned using the captive portal policy.
Note: The common name (CN) field in the signed certificate identifies the device to the web-browser. The CN field can contain a hostname, IP address or wildcard depending on the application. For remote Access Point deployments using HTTPS, each remote Access Point will require a static IP address and a certificate with the CN field set to each individual Access Point's static IP address.
1 Generate a 2048-bit RSA keypair and name it. The RSA keypair will be installed on multiple RFS 4000 Wireless Controllers in a cluster:
rfs4000-dmz-1# crypto key generate rsa rfs4000-dmz 2048
RSA Keypair successfully generated
2 View the installed RSA keypairs:
rfs4000-dmz-1# show crypto key rsa
3 Generate a Certificate Signing Request (CSR) using the RSA keypair created above. The CSR in this example uses a wildcard in the common name field so that it can be installed on multiple RFS 4000 Wireless Controllers. The CSR will also be exported to a TFTP server where it can then be signed by a private or public CA:
rfs4000-dmz-1# crypto pki export request use-rsa-key rfs4000-dmz subject-name virtual.tmelabs.local us tn "Johnson City" "Motorola Solutions" "Field Enablement" email [email protected] tftp://192.168.10.10/rfs4000-dmz.csr
Successfully generated and exported certificate request
4 Import the Root CA Certificate issued from the public or private CA that signed the CSR generated above. In the example below the Root CA Certificate with the filename tmelabs-ca.cer is imported from the TFTP server 192.168.10.10 and is installed into the Trustpoint named TMELABS-CA:
rfs4000-dmz-1# crypto pki authenticate TMELABS-CA tftp://192.168.10.10/PKI/tmelabs-ca.cer
Successfully imported CA certificate
rfs4000-dmz-2# crypto pki authenticate TMELABS-CA tftp://192.168.10.10/PKI/tmelabs-ca.cer
Successfully imported CA certificate
5 Import the signed Certificate issued from the public or private CA. In the example below the signed Certificate with the filename rfs4000-dmz.cer is imported from the TFTP server 192.168.10.10 and is installed into the Trustpoint named TMELABS-CA:
rfs4000-dmz-1# crypto pki import certificate TMELABS-CA tftp://192.168.10.10/PKI/rfs4000-dmz.cer
Signed certificate for Trustpoint TMELABS-CA sucessfully imported
rfs4000-dmz-2# crypto pki import certificate TMELABS-CA tftp://192.168.10.10/PKI/rfs4000-dmz.cer
Signed certificate for Trustpoint TMELABS-CA sucessfully imported
6 View the Trustpoints:
rfs4000-dmz-1# show crypto pki trustpoints TMELABS-CA
Trustpoint Name: TMELABS-CA
CRL present: no
Server Certificate details:
  Key used: rfs4000-dmz
  Serial Number: 03e7
  Subject Name: C=US, ST=Tennessee, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=virtual.tmelabs.local, [email protected]
  Issuer Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA, [email protected]
  Valid From : Tue Nov 13 18:24:41 2012 UTC
  Valid Until: Fri Nov 11 18:24:41 2022 UTC
CA Certificate details:
  Serial Number: b856023e82ea96b8
  Subject Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA, [email protected]
  Issuer Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA, [email protected]
  Valid From : Mon Jan 23 01:56:35 2012 UTC
  Valid Until: Tue Jan 22 01:56:35 2013 UTC
rfs4000-dmz-2# show crypto pki trustpoints TMELABS-CA
Trustpoint Name: TMELABS-CA
CRL present: no
Server Certificate details:
  Key used: rfs4000-dmz
  Serial Number: 03e7
  Subject Name: C=US, ST=Tennessee, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=virtual.tmelabs.local, [email protected]
  Issuer Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA, [email protected]
  Valid From : Tue Nov 13 18:24:41 2012 UTC
  Valid Until: Fri Nov 11 18:24:41 2022 UTC
CA Certificate details:
  Serial Number: b856023e82ea96b8
  Subject Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA, [email protected]
  Issuer Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA, [email protected]
  Valid From : Mon Jan 23 01:56:35 2012 UTC
  Valid Until: Tue Jan 22 01:56:35 2013 UTC
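The step 6 output is worth checking mechanically before the Trustpoint is put in front of users. The script below is an added example and not part of the WiNG 5 documentation: it parses a transcript of the show crypto pki trustpoints output (constructed from the walkthrough above, with the serial numbers and the redacted email fields left out), confirms that the server certificate's CN is the virtual hostname, that its issuer is the CA certificate installed in the same Trustpoint, and that the CA certificate does not expire before the server certificate it signed. On the output above that last check fails, because the TMELABS-CA root expires in January 2013 while the server certificate runs until November 2022.

```python
import re
from datetime import datetime

# Constructed sample: the "show crypto pki trustpoints" output above, minus serials and emails.
SAMPLE = """\
Server Certificate details:
  Key used: rfs4000-dmz
  Subject Name: C=US, ST=Tennessee, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=virtual.tmelabs.local
  Issuer Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA
  Valid From : Tue Nov 13 18:24:41 2012 UTC
  Valid Until: Fri Nov 11 18:24:41 2022 UTC
CA Certificate details:
  Subject Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA
  Issuer Name: C=US, ST=TN, L=Johnson City, O=Motorola Solutions, OU=Field Enablement, CN=TMELABS-CA
  Valid From : Mon Jan 23 01:56:35 2012 UTC
  Valid Until: Tue Jan 22 01:56:35 2013 UTC
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"  # timestamp layout the device prints

def parse_trustpoint(text):
    """Split the output into 'server' and 'ca' sections of field -> value."""
    certs, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Server Certificate details"):
            section, certs["server"] = "server", {}
        elif line.startswith("CA Certificate details"):
            section, certs["ca"] = "ca", {}
        elif section and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            certs[section][key.strip()] = value.strip()
    return certs

def dn_field(dn, attr):  # one attribute (e.g. CN) from a comma-separated DN string
    m = re.search(r"(?:^|,\s*)" + re.escape(attr) + r"=([^,]+)", dn)
    return m.group(1).strip() if m else None

def check_trustpoint(text, expected_cn, expected_key):
    """Checks to run before assigning the Trustpoint to HTTPS; all should be True."""
    certs = parse_trustpoint(text)
    srv, ca = certs["server"], certs["ca"]
    when = lambda v: datetime.strptime(v, DATE_FMT)
    return {
        "uses_expected_key": srv["Key used"] == expected_key,
        "cn_matches_virtual_hostname": dn_field(srv["Subject Name"], "CN") == expected_cn,
        "issuer_is_trustpoint_ca": srv["Issuer Name"] == ca["Subject Name"],
        "ca_is_self_signed_root": ca["Subject Name"] == ca["Issuer Name"],
        # A root that expires before the server certificate it signed breaks chain
        # validation in browsers long before the server certificate itself expires.
        "ca_outlives_server_cert": when(ca["Valid Until"]) >= when(srv["Valid Until"]),
    }
```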
7 Assign the Trustpoint to the devices as overrides:
rfs4000-dmz-1# self