Wireless Access

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------

This site mentions SSL error (decryption) and adding the trust certificate at the network.

https://help.capenetworks.com/en/articles/7967857-troubleshooting-guide

The only way I see to add it on a network is as the EAP trust, mentioned in my original post.     This breaks the wireless connection since the EAP certificate is not signed by the same CA.

Also, this is only an option on a 1X network.    How are PSK or Open(OWE) networks addressed?

Original Message:
Sent: Nov 05, 2025 09:32 PM
From: MH33
Subject: UXI Sensor - SSL Decryption CA Trust

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------

For SSL Decryption,  you need to reach out to TAC and give them your SSL decrypt cert and they'll add it in.  

This site mentions SSL error (decryption) and adding the trust certificate at the network.

https://help.capenetworks.com/en/articles/7967857-troubleshooting-guide

The only way I see to add it on a network is as the EAP trust, mentioned in my original post.     This breaks the wireless connection since the EAP certificate is not signed by the same CA.

Also, this is only an option on a 1X network.    How are PSK or Open(OWE) networks addressed?

Original Message:
Sent: Nov 05, 2025 09:32 PM
From: MH33
Subject: UXI Sensor - SSL Decryption CA Trust

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------

We are planning to run tests on our 3 production SSIDs and the wired interface.   TAC is telling me that they can only apply the SSL decrypt cert to a single network, and the other 3 would not be able to use it.

Can you confirm that is a limitation?    If so it makes tests on the other 2 SSIDs and wired network essentially pointless.

For SSL Decryption,  you need to reach out to TAC and give them your SSL decrypt cert and they'll add it in.  

This site mentions SSL error (decryption) and adding the trust certificate at the network.

https://help.capenetworks.com/en/articles/7967857-troubleshooting-guide

The only way I see to add it on a network is as the EAP trust, mentioned in my original post.     This breaks the wireless connection since the EAP certificate is not signed by the same CA.

Also, this is only an option on a 1X network.    How are PSK or Open(OWE) networks addressed?

Original Message:
Sent: Nov 05, 2025 09:32 PM
From: MH33
Subject: UXI Sensor - SSL Decryption CA Trust

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------

ssl decrypt cert can be applied to as many network as you need.

We are planning to run tests on our 3 production SSIDs and the wired interface.   TAC is telling me that they can only apply the SSL decrypt cert to a single network, and the other 3 would not be able to use it.

Can you confirm that is a limitation?    If so it makes tests on the other 2 SSIDs and wired network essentially pointless.

For SSL Decryption,  you need to reach out to TAC and give them your SSL decrypt cert and they'll add it in.  

This site mentions SSL error (decryption) and adding the trust certificate at the network.

https://help.capenetworks.com/en/articles/7967857-troubleshooting-guide

The only way I see to add it on a network is as the EAP trust, mentioned in my original post.     This breaks the wireless connection since the EAP certificate is not signed by the same CA.

Also, this is only an option on a 1X network.    How are PSK or Open(OWE) networks addressed?

Original Message:
Sent: Nov 05, 2025 09:32 PM
From: MH33
Subject: UXI Sensor - SSL Decryption CA Trust

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------

That is what I thought.    Once it is in the trust certificate store, it should work for everything.

Is there any way you could give guidance to the TAC engineer?    It is case # 215471651605782 with Aruba User Experience Insight(UXI) TAC team.

ssl decrypt cert can be applied to as many network as you need.

We are planning to run tests on our 3 production SSIDs and the wired interface.   TAC is telling me that they can only apply the SSL decrypt cert to a single network, and the other 3 would not be able to use it.

Can you confirm that is a limitation?    If so it makes tests on the other 2 SSIDs and wired network essentially pointless.

For SSL Decryption,  you need to reach out to TAC and give them your SSL decrypt cert and they'll add it in.  

This site mentions SSL error (decryption) and adding the trust certificate at the network.

https://help.capenetworks.com/en/articles/7967857-troubleshooting-guide

The only way I see to add it on a network is as the EAP trust, mentioned in my original post.     This breaks the wireless connection since the EAP certificate is not signed by the same CA.

Also, this is only an option on a 1X network.    How are PSK or Open(OWE) networks addressed?

Original Message:
Sent: Nov 05, 2025 09:32 PM
From: MH33
Subject: UXI Sensor - SSL Decryption CA Trust

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------

please contact your local HPE Aruba SE who can help escalated and advise TAC.

That is what I thought.    Once it is in the trust certificate store, it should work for everything.

Is there any way you could give guidance to the TAC engineer?    It is case # 215471651605782 with Aruba User Experience Insight(UXI) TAC team.

ssl decrypt cert can be applied to as many network as you need.

We are planning to run tests on our 3 production SSIDs and the wired interface.   TAC is telling me that they can only apply the SSL decrypt cert to a single network, and the other 3 would not be able to use it.

Can you confirm that is a limitation?    If so it makes tests on the other 2 SSIDs and wired network essentially pointless.

For SSL Decryption,  you need to reach out to TAC and give them your SSL decrypt cert and they'll add it in.  

This site mentions SSL error (decryption) and adding the trust certificate at the network.

https://help.capenetworks.com/en/articles/7967857-troubleshooting-guide

The only way I see to add it on a network is as the EAP trust, mentioned in my original post.     This breaks the wireless connection since the EAP certificate is not signed by the same CA.

Also, this is only an option on a 1X network.    How are PSK or Open(OWE) networks addressed?

Original Message:
Sent: Nov 05, 2025 09:32 PM
From: MH33
Subject: UXI Sensor - SSL Decryption CA Trust

We are deploying UXI sensors into a network that performs SSL decryption (using Zscaler).       

The sensor is reporting constant SSL errors during service tests because traffic is decrypted by ZScaler and then re-signed with the ZScaler CA.

It was recommended to use a network profile to upload the decrypt trust chain as an EAP server CA.      The same CA does not sign our EAP certificate, so this will break wireless connectivity.   

Is there a way to import a private CA trust chain (e.g., ZScaler) to stop these errors?      Most of the built in tests dont have a toggle switch to disable validation of SSL certificate.

-------------------------------------------