2015-01-12 18:32:39 +01:00
Creating SSL certificates to test AC-Tube and its WTP
=====================================================

1. Create a root CA by executing:

    ./mkrootca

This creates the files root-ca.crt and root-ca.key.

2. Create client certificates for AC and WTP:

    ./mkcerts

This will create the files ac.key, ac.crt and wtp.crt, wtp.key.
All .key files are protected with the password you have chosen
in the certificate creation process.

3. Put these entries into ac.conf located in the ac directory,
so AC-Tube will use the certificates:

    ssl_key=../../ssl/ac.key
    ssl_key_pass=your password
    ssl_cert=../../ssl/ac.crt

For WTP the certificate's config entries are hard-coded for now.

Now you can play around joining WTP to AC...

4. If you want to connect a Cisco 1130 series LAP to AC-Tube you
have to install the CA file on the LAP. To do that, you can create
a terminal script by executing:

    ./mkciscoimport.sh

Paste the result into a terminal session when in enabled mode.

To ac.conf add the following entry:

    dtls_verify_peer = no

Now your Cisco 1130 LAP will join AC-Tube. Remember that the
Cisco LAP will lose the installed certificate after rebooting.

If you want to use a Cisco LAP without installing your own
CA certificate on it, which is lost after each reboot, you can sign your
certificate with a Cisco intermediate CA certificate as explained
in the next section.
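
The following Python script is an added example, not part of AC-Tube or of the scripts in this directory: it audits an ac.conf for the certificate entries shown above. It assumes `key = value` lines, that `dtls_verify_peer = no` switches off DTLS peer certificate verification, and that relative paths resolve against the config file's directory; `SAMPLE` is constructed input.

```python
import os
import stat
import sys

# Constructed sample input: the entries from steps 3 and 4 above, combined.
SAMPLE = """\
ssl_key=../../ssl/ac.key
ssl_key_pass=your password
ssl_cert=../../ssl/ac.crt
dtls_verify_peer = no
"""

def parse_conf(text):
    """Parse 'key = value' lines; skipping '#' comments is an assumption."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(conf_path, base_dir=None):
    """Return a list of findings for the certificate entries of an ac.conf."""
    with open(conf_path) as fh:
        settings = parse_conf(fh.read())
    # Assumption: relative paths resolve against the config file's directory.
    base_dir = base_dir or os.path.dirname(os.path.abspath(conf_path))
    findings = []
    # Assumption: "no" switches off DTLS peer certificate verification.
    if settings.get("dtls_verify_peer", "yes").lower() == "no":
        findings.append("dtls_verify_peer=no: peer certificates are not checked")
    # The key passphrase is stored in clear text, so the file mode guards it.
    mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    if "ssl_key_pass" in settings and mode & 0o077:
        findings.append("ssl_key_pass stored in a file with mode %o" % mode)
    for key in ("ssl_key", "ssl_cert"):
        if key not in settings:
            findings.append("%s is not set" % key)
        elif not os.path.isfile(os.path.join(base_dir, settings[key])):
            findings.append("%s: file %s not found" % (key, settings[key]))
    return findings

if __name__ == "__main__":
    for finding in audit(sys.argv[1]):
        print("WARN:", finding)
```

Run it as `python3 audit_ac_conf.py ac.conf` (the script name is arbitrary); an empty result means none of the three checks fired.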

Get a Cisco AP out of the box connected to AC-Tube
==================================================

If you want to use a Cisco AP without installing your own CA
certificate on it, which is lost after each reboot, you have to
use a certificate with AC-Tube that is signed by a CA whose
CA certificate is already installed on the AP.

To create such a certificate, a Cisco WLC uses an intermediate CA
certificate, which is signed by the root CA certificate installed
on the AP.

If you have both the intermediate CA certificate with the
appropriate private key and the CA certificate which is installed
on the AP, you can create such a certificate like a Cisco WLC does,
by copying them to the ./cisco sub-directory, using the
following names:

    cisco-root-ca.crt: the CA certificate
    cisco-ca.crt: the intermediate CA certificate
    cisco-ca.key: the private key

All files have to be in PEM format.

Now run the script

    ./mkcert_cisco.sh

which creates two files:

    ac_cisco.pem
    ac_cisco.key

When you get asked for a password, always use the same one. The chosen
password is not imported. You don't need it later.

Now you can modify ac.conf to use the certificate and key:

    ssl_key=../../ssl/ac_cisco.key
    ssl_cert=../../ssl/ac_cisco.pem

And a Cisco AP will now join AC-Tube without any modifications!

If you have experience with other Cisco LAPs (e.g. 1141), please tell me.
7u83@mail.ru.