860| Management Access AOS-W 6.5.3.x| User Guide
On the USB device connected to the RAP, delete any duplicate <mac-address>.p12 certificate file. Only one such file may be
present on the USB device.
If you unplug the USB device, the RAP becomes unresponsive. If the USB device was unplugged, reboot the RAP to bring it up
with the custom certificate.
Marking the USB Device Connected as a Storage Device
If the AP provisioning parameter “usb-type” contains the value “storage,” this indicates that the RAP will
retrieve certificates from the connected USB flash drive.
RAP Configuration Requirements
The RAP needs one additional provisioning parameter, pkcs12_passphrase, which can be left
untouched or can store an ASCII string. The string assigned to this parameter is used as the passphrase for
decrypting the stored private key.
If an activated RAP is using USB storage for the certificate and you remove the USB storage, the RAP
drops the tunnel. This is by design. However, for the RAP to re-establish the tunnel, it must be power cycled. It does
not matter whether you reinsert the USB storage before or after the power cycle, as long as you power cycle the RAP.
When the RAP successfully extracts all the information, including the CA certificate, the RAP certificate and the
RAP private key (using the passphrase from the provisioning parameter), it establishes the tunnel.
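As an added example (not from the AOS-W guide or Alcatel-Lucent), the following POSIX shell pre-check covers the USB requirements above and the RAP configuration requirements: it requires exactly one <mac-address>.p12 file on the USB mount and confirms that the pkcs12_passphrase value decrypts it to the private key, the RAP certificate and the CA certificate the RAP extracts before it brings up the tunnel. The mount-point and passphrase arguments, the 12-hex-digit file-name pattern and the use of the openssl command-line tool are assumptions.

```shell
#!/bin/sh
# Pre-check of a RAP provisioning USB directory (example, not AOS-W code).
# Assumptions: $1 is the mounted USB directory, $2 is the pkcs12_passphrase
# value, the file is named <mac-address>.p12 with 12 hex digits (e.g.
# 001122334455.p12), and the openssl CLI is installed.
set -e

# Number of .p12 files in the directory; the guide allows exactly one.
count_p12() {
  n=0
  for f in "$1"/*.p12; do
    [ -e "$f" ] && n=$((n + 1))
  done
  echo "$n"
}

# Check that the .p12 opens with the passphrase and carries everything the
# RAP extracts: private key, RAP (client) certificate and CA certificate.
# Returns 0 ok, 1 bad passphrase or corrupt file, 2 no key, 3 no RAP cert,
# 4 no CA cert.
check_p12() {
  file=$1; pass=$2
  openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -out /dev/null 2>/dev/null || return 1
  openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -passout pass:tmp 2>/dev/null \
    | grep -q 'PRIVATE KEY' || return 2
  openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE' || return 3
  openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -cacerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE' || return 4
}

# Whole-USB check: exactly one .p12, MAC-style file name, valid contents.
# Returns 10 for a wrong file count, 11 for a bad name, else as check_p12.
check_usb() {
  dir=$1; pass=$2
  [ "$(count_p12 "$dir")" -eq 1 ] || return 10
  for f in "$dir"/*.p12; do break; done
  basename "$f" .p12 | grep -Eq '^[0-9a-fA-F]{12}$' || return 11
  check_p12 "$f" "$pass"
}

# Usage: ./check_rap_usb.sh /media/usb 'passphrase'
if [ "$#" -eq 2 ]; then
  if check_usb "$1" "$2"; then echo "USB content OK"; else echo "USB check failed (code $?)"; exit 1; fi
fi
```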
Certificate Support for Non-TPM Devices
Most Alcatel-Lucent devices contain a TPM chip that securely stores keys and performs cryptographic
operations. However, some devices do not have a TPM chip, so their unique private keys are
stored in flash, which reduces the level of protection for those devices.
To overcome this, AOS-W 6.5.3.0 introduces a new PKI that issues device certificates for non-TPM
devices. Non-TPM devices are low-assurance devices. The device certificates for non-TPM devices carry a
policy OID indicating that they were issued by this PKI.
A 256-bit random number generated by the non-TPM device is used to encrypt the private key that is unique to
each device; the key is encrypted with AES. Non-TPM devices compress and store the encrypted
private key file and the certificate files in flash. The private key is kept in encrypted form, and APIs are
provided to applications that use the private key.
Enabling Low-Assurance Devices
By default, switches do not allow low-assurance devices to connect. To enable low-assurance devices to
connect to a switch, a new parameter, allow-low-assurance-devices, is introduced under the crypto-local
pki command. This parameter is disabled by default.
Execute the following command to enable low-assurance devices on a switch:
(host) (config) #crypto-local pki allow-low-assurance-devices
After low-assurance devices are enabled on the switch, the factory certificate presented by the device is
validated against the device certificate stored on the switch.
Configuring SNMP
Alcatel-Lucent switches support versions 1, 2c, and 3 of Simple Network Management Protocol (SNMP) for
reporting purposes only. In other words, SNMP cannot be used for setting values in an Alcatel-Lucent system in