Cloud Managed Networks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

Olivier,

The official method would be to use DPP to get UXI sensors on the network... One 'workaround' that I've done myself is to request the Android passpoint profile and extract the certificate from there. If you select 'Just use my browser' then under 'More options' pick 'Install on Android' (note just do this on Windows/Mac... no Android needed) and download the file android-passpoint-profile.

Then if you have access to a linux system, you could use the following script/commands to create a .p12 out of it that you can install into UXI Dashboard (without any guarantee that this works, or if it works doesn't break over time):

#!/bin/shif [ -f "$1" ]; then  SRC=$1else  SRC=android-passpoint-profilefiif [ ! -f ${SRC} ]; then  echo "Can't find file ${SRC}"  exitfiTMPBASE="android-passpoint-profile.tmp"if [ ! -f /bin/munpack ]; then  echo "No munpack; to install apt install mpack"  exitfirm -rf tmpmkdir tmpbase64 -d < "${SRC}" > tmp/${TMPBASE}.mimecd tmpmunpack ${TMPBASE}.mimeecho "Just press ENTER on the password prompt"openssl pkcs12 -in part3 -legacy -out ${TMPBASE}.pem -nodesNAME=`cat ${TMPBASE}.pem | grep friendlyName | sed 's/^.* //' | sort -u | head -1`echo "Now enter the export password for the ${NAME}.p12..."openssl pkcs12 -export -in ${TMPBASE}.pem -out ${NAME}.p12 -name "${NAME}"

If it doesn't work out of the box, it's taking the MIME-part 3 from the profile, which has the certificate; extracts that into PEM format, which then is converted into a P12.

Make sure that you delete the PEM files after use as they contain the private key.

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

Thank you Herman,

That seems rather complicated for a security newbie. Could I onboard my Windows machine with the Onboarding App, then extract from my Windows machine the  file (is it called windows-passpoint-profile?) that needs to be converted thks to a linux system to a p12 ?

Olivier,

The official method would be to use DPP to get UXI sensors on the network... One 'workaround' that I've done myself is to request the Android passpoint profile and extract the certificate from there. If you select 'Just use my browser' then under 'More options' pick 'Install on Android' (note just do this on Windows/Mac... no Android needed) and download the file android-passpoint-profile.

Then if you have access to a linux system, you could use the following script/commands to create a .p12 out of it that you can install into UXI Dashboard (without any guarantee that this works, or if it works doesn't break over time):

#!/bin/shif [ -f "$1" ]; then  SRC=$1else  SRC=android-passpoint-profilefiif [ ! -f ${SRC} ]; then  echo "Can't find file ${SRC}"  exitfiTMPBASE="android-passpoint-profile.tmp"if [ ! -f /bin/munpack ]; then  echo "No munpack; to install apt install mpack"  exitfirm -rf tmpmkdir tmpbase64 -d < "${SRC}" > tmp/${TMPBASE}.mimecd tmpmunpack ${TMPBASE}.mimeecho "Just press ENTER on the password prompt"openssl pkcs12 -in part3 -legacy -out ${TMPBASE}.pem -nodesNAME=`cat ${TMPBASE}.pem | grep friendlyName | sed 's/^.* //' | sort -u | head -1`echo "Now enter the export password for the ${NAME}.p12..."openssl pkcs12 -export -in ${TMPBASE}.pem -out ${NAME}.p12 -name "${NAME}"

If it doesn't work out of the box, it's taking the MIME-part 3 from the profile, which has the certificate; extracts that into PEM format, which then is converted into a P12.

Make sure that you delete the PEM files after use as they contain the private key.

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

as it was mentioned before, here is the procedure to use DPP.
Wi-Fi Easy Connect Sensor Onboarding & Backhaul

See if this works for you

Thank you Herman,

That seems rather complicated for a security newbie. Could I onboard my Windows machine with the Onboarding App, then extract from my Windows machine the  file (is it called windows-passpoint-profile?) that needs to be converted thks to a linux system to a p12 ?

Olivier,

The official method would be to use DPP to get UXI sensors on the network... One 'workaround' that I've done myself is to request the Android passpoint profile and extract the certificate from there. If you select 'Just use my browser' then under 'More options' pick 'Install on Android' (note just do this on Windows/Mac... no Android needed) and download the file android-passpoint-profile.

Then if you have access to a linux system, you could use the following script/commands to create a .p12 out of it that you can install into UXI Dashboard (without any guarantee that this works, or if it works doesn't break over time):

#!/bin/shif [ -f "$1" ]; then  SRC=$1else  SRC=android-passpoint-profilefiif [ ! -f ${SRC} ]; then  echo "Can't find file ${SRC}"  exitfiTMPBASE="android-passpoint-profile.tmp"if [ ! -f /bin/munpack ]; then  echo "No munpack; to install apt install mpack"  exitfirm -rf tmpmkdir tmpbase64 -d < "${SRC}" > tmp/${TMPBASE}.mimecd tmpmunpack ${TMPBASE}.mimeecho "Just press ENTER on the password prompt"openssl pkcs12 -in part3 -legacy -out ${TMPBASE}.pem -nodesNAME=`cat ${TMPBASE}.pem | grep friendlyName | sed 's/^.* //' | sort -u | head -1`echo "Now enter the export password for the ${NAME}.p12..."openssl pkcs12 -export -in ${TMPBASE}.pem -out ${NAME}.p12 -name "${NAME}"

If it doesn't work out of the box, it's taking the MIME-part 3 from the profile, which has the certificate; extracts that into PEM format, which then is converted into a P12.

Make sure that you delete the PEM files after use as they contain the private key.

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

Thanks. Good to know. However, my sensor is an old one. It is an F5C. In the document, one requirement is to use G5 sensors. Anyway, will try the procedure described by Herman. Cheers.

as it was mentioned before, here is the procedure to use DPP.
Wi-Fi Easy Connect Sensor Onboarding & Backhaul

See if this works for you

Thank you Herman,

That seems rather complicated for a security newbie. Could I onboard my Windows machine with the Onboarding App, then extract from my Windows machine the  file (is it called windows-passpoint-profile?) that needs to be converted thks to a linux system to a p12 ?

Olivier,

The official method would be to use DPP to get UXI sensors on the network... One 'workaround' that I've done myself is to request the Android passpoint profile and extract the certificate from there. If you select 'Just use my browser' then under 'More options' pick 'Install on Android' (note just do this on Windows/Mac... no Android needed) and download the file android-passpoint-profile.

Then if you have access to a linux system, you could use the following script/commands to create a .p12 out of it that you can install into UXI Dashboard (without any guarantee that this works, or if it works doesn't break over time):

#!/bin/shif [ -f "$1" ]; then  SRC=$1else  SRC=android-passpoint-profilefiif [ ! -f ${SRC} ]; then  echo "Can't find file ${SRC}"  exitfiTMPBASE="android-passpoint-profile.tmp"if [ ! -f /bin/munpack ]; then  echo "No munpack; to install apt install mpack"  exitfirm -rf tmpmkdir tmpbase64 -d < "${SRC}" > tmp/${TMPBASE}.mimecd tmpmunpack ${TMPBASE}.mimeecho "Just press ENTER on the password prompt"openssl pkcs12 -in part3 -legacy -out ${TMPBASE}.pem -nodesNAME=`cat ${TMPBASE}.pem | grep friendlyName | sed 's/^.* //' | sort -u | head -1`echo "Now enter the export password for the ${NAME}.p12..."openssl pkcs12 -export -in ${TMPBASE}.pem -out ${NAME}.p12 -name "${NAME}"

If it doesn't work out of the box, it's taking the MIME-part 3 from the profile, which has the certificate; extracts that into PEM format, which then is converted into a P12.

Make sure that you delete the PEM files after use as they contain the private key.

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

Hello,

Just to let you know that the suggestion made by Herman worked. I did create from Aruba Central Cloud Auth an android-passpoint-profile using the browser of my Windows PC. Then I tried hard to extract from it the p12 file but my Linux was a TinyCore and nothing worked as it should. So, Herman kindly extracted the p12 and sent it to me. I then configured in the UXI dashboad the Cloud Auth SSID network I want my sensor to test. And it instantly worked like a charm. 

Thanks. Good to know. However, my sensor is an old one. It is an F5C. In the document, one requirement is to use G5 sensors. Anyway, will try the procedure described by Herman. Cheers.

as it was mentioned before, here is the procedure to use DPP.
Wi-Fi Easy Connect Sensor Onboarding & Backhaul

See if this works for you

Thank you Herman,

That seems rather complicated for a security newbie. Could I onboard my Windows machine with the Onboarding App, then extract from my Windows machine the  file (is it called windows-passpoint-profile?) that needs to be converted thks to a linux system to a p12 ?

Olivier,

The official method would be to use DPP to get UXI sensors on the network... One 'workaround' that I've done myself is to request the Android passpoint profile and extract the certificate from there. If you select 'Just use my browser' then under 'More options' pick 'Install on Android' (note just do this on Windows/Mac... no Android needed) and download the file android-passpoint-profile.

Then if you have access to a linux system, you could use the following script/commands to create a .p12 out of it that you can install into UXI Dashboard (without any guarantee that this works, or if it works doesn't break over time):

#!/bin/shif [ -f "$1" ]; then  SRC=$1else  SRC=android-passpoint-profilefiif [ ! -f ${SRC} ]; then  echo "Can't find file ${SRC}"  exitfiTMPBASE="android-passpoint-profile.tmp"if [ ! -f /bin/munpack ]; then  echo "No munpack; to install apt install mpack"  exitfirm -rf tmpmkdir tmpbase64 -d < "${SRC}" > tmp/${TMPBASE}.mimecd tmpmunpack ${TMPBASE}.mimeecho "Just press ENTER on the password prompt"openssl pkcs12 -in part3 -legacy -out ${TMPBASE}.pem -nodesNAME=`cat ${TMPBASE}.pem | grep friendlyName | sed 's/^.* //' | sort -u | head -1`echo "Now enter the export password for the ${NAME}.p12..."openssl pkcs12 -export -in ${TMPBASE}.pem -out ${NAME}.p12 -name "${NAME}"

If it doesn't work out of the box, it's taking the MIME-part 3 from the profile, which has the certificate; extracts that into PEM format, which then is converted into a P12.

Make sure that you delete the PEM files after use as they contain the private key.

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?

Thank you Herman,

That seems rather complicated for a security newbie. Could I onboard my Windows machine with the Onboarding App, then extract from my Windows machine the  file (is it called windows-passpoint-profile?) that needs to be converted thks to a linux system to a p12 ?

Olivier,

The official method would be to use DPP to get UXI sensors on the network... One 'workaround' that I've done myself is to request the Android passpoint profile and extract the certificate from there. If you select 'Just use my browser' then under 'More options' pick 'Install on Android' (note just do this on Windows/Mac... no Android needed) and download the file android-passpoint-profile.

Then if you have access to a linux system, you could use the following script/commands to create a .p12 out of it that you can install into UXI Dashboard (without any guarantee that this works, or if it works doesn't break over time):

#!/bin/shif [ -f "$1" ]; then  SRC=$1else  SRC=android-passpoint-profilefiif [ ! -f ${SRC} ]; then  echo "Can't find file ${SRC}"  exitfiTMPBASE="android-passpoint-profile.tmp"if [ ! -f /bin/munpack ]; then  echo "No munpack; to install apt install mpack"  exitfirm -rf tmpmkdir tmpbase64 -d < "${SRC}" > tmp/${TMPBASE}.mimecd tmpmunpack ${TMPBASE}.mimeecho "Just press ENTER on the password prompt"openssl pkcs12 -in part3 -legacy -out ${TMPBASE}.pem -nodesNAME=`cat ${TMPBASE}.pem | grep friendlyName | sed 's/^.* //' | sort -u | head -1`echo "Now enter the export password for the ${NAME}.p12..."openssl pkcs12 -export -in ${TMPBASE}.pem -out ${NAME}.p12 -name "${NAME}"

If it doesn't work out of the box, it's taking the MIME-part 3 from the profile, which has the certificate; extracts that into PEM format, which then is converted into a P12.

Make sure that you delete the PEM files after use as they contain the private key.

Hello,

Have you managed to test a Cloud Auth wifi network with a UXI sensor ? If so, may I ask you how you did it ? Thanks

We're just getting started as new Aruba User Experience Insight (UXI) users.  We have an ssid that does EAP/TTLS authentication against cloud auth.  Users use the the Aruba onboarding app to configure their device to connect to this SSID.  It configures the device with a certificate that cloud auth issues, and that's the means by which the device authenticates.  I'm trying to figure out a way to configure UXI to test this network. 

I don't expect that it could download the onboarding app, issue itself a certificate and then use that to connect to this SSID.  However I see the ability to provide UXI a certificate to use with EAP/TTLS is part of its capabilities. 

It seems like I should be able to onboard a device and then export the certificate to have UXI use in a test.  I've tried a few different devices.  Some don't seem to have the ability to have the ability to export at all.  Others can export but can't export a .p12 or .pfx which are the only options that UXI offers.  The problem is apparently that the clients don't get the key which is part of what makes a .p12 or .pfx file.  It makes sense to me that the clients wouldn't have the key, and it doesn't make sense to me why UXI would need the key to test as a client when the actual users don't have it.

Does anyone know a solution for how to set up a test for a network like this in UXI?