Transferring Credentials from the Summit WM Controller to AP - Extreme Networks Summit WM Technical Reference Manual

Version 5.1

AP as 802.1X supplicant
The Summit WM GUI's 802.1X tab provides AP credentials management:
1 Generate a certificate signing request (CSR) for a single AP. The generated CSR is stored on the local
file system and needs to be retrieved for transfer to the CA. For the Common Name used in the CSR,
you can use either the AP name, serial number, MAC address, or type a custom string.
2 Install a TLS certificate on the target AP. The certificate file is received from the third-party CA and
is delivered from the Summit WM Controller to the AP as part of the AP configuration. When the
Summit WM Controller is not used to generate the certificate signing request, the certificate file
contains a private key which will be sent to the AP. The AP permanently stores the certificate in its
local storage. For more information, see "TLS credential management" on page 105.
3 Install a PEAP username and password on the target AP. The username and password are delivered
from the Summit WM Controller to the AP as part of the AP configuration.
4 Request one or more APs to delete PEAP or TLS credentials.
5 Retrieve credential information from the APs.
The Summit WM GUI's AP 802.1X Multi-edit page provides multi-AP credential management:
1 Generate certificate signing requests (CSRs) for a selection of APs. Generated CSRs are stored in a
local tarred file and need to be retrieved for transfer to the CA. For the Common Name used in the
CSRs, you can use either the AP name, serial number, or MAC address.
2 Install a TLS certificate and private key from a collection of certificate files. Certificate files should be
stored in one zipped file. When the Summit WM Controller is not used to generate the certificate
signing requests, the certificate file contains a private key which will be sent to the AP. APs are
matched based on AP name, serial number, or MAC address.
3 Install a PEAP username and password on a selection of APs.
The Summit WM GUI leverages the information it has on registered APs to simplify the certificate
request process. Specifically, the Summit WM Controller will remember the organization, country,
organizational unit, and other credentials likely required on all certificates between subsequent
certificate requests. It will also provide a means to enter the common name from a list. The list will
include:
MAC address of the AP (displayed on the AP's packaging)
AP serial number
AP name
Other
If you select Other, type any text string that will be used as the common name.

Transferring credentials from the Summit WM Controller to AP

The PEAP username, PEAP password, and TLS private key are installed on the AP using a
configuration message. The AP retrieves the certificate from the TFTP server provided by the Summit WM
Controller (IP address and path to the certificate). The TLS private key, PEAP username, and PEAP
password are encrypted with the Blowfish algorithm for transfer. Certificates, by their very nature, are
public documents, so they are not encrypted during transmission.
The AP validates a received TLS certificate and private key before installing them in
persistent storage. The AP fails the verification if the certificate is expired, if the certificate does not
match the private key, or if the certificate has an invalid X.509 format. In such a case, the AP retains the
existing certificate and private key, if any. The AP does not perform any verification of the PEAP
username and password.
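
The three checks the AP applies can be run on a certificate and key before they are installed through the controller. The following is an added example, not part of the manual or of the Summit WM software: a POSIX shell function using the OpenSSL command-line tool. Separate PEM files, the function names, the return codes, and the optional remaining-validity window (which goes beyond the plain expiry check) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the manual): pre-check a certificate/key pair with
# the three tests the manual lists. PEM files and return codes are assumptions.

# check_ap_credential CERT KEY [MIN_VALID_SECONDS]
# Returns 0 = ok, 1 = invalid X.509 format, 2 = expired (or expiring within
# MIN_VALID_SECONDS, default 0), 3 = certificate and private key do not match.
check_ap_credential() {
    cert=$1; key=$2; min_valid=${3:-0}

    # 1. Format: the file must parse as an X.509 certificate.
    if ! openssl x509 -in "$cert" -noout 2>/dev/null; then
        echo "REJECT: $cert is not a valid X.509 certificate"; return 1
    fi

    # 2. Expiry: -checkend exits non-zero if notAfter is inside the window.
    if ! openssl x509 -in "$cert" -noout -checkend "$min_valid" >/dev/null 2>&1; then
        echo "REJECT: $cert is expired or expires within ${min_valid}s"; return 2
    fi

    # 3. Match: the public key embedded in the certificate must equal the
    #    public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "REJECT: $key does not match $cert"; return 3
    fi

    echo "OK: $cert and $key pass all three checks"
}

# make_demo_pair DIR NAME: constructed sample input, a throwaway self-signed
# certificate valid for one day, so the checks can be tried offline.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Run as a script: ./check_ap_credential.sh ap.crt ap.key [seconds]
if [ "$#" -ge 2 ]; then check_ap_credential "$@"; fi
```

Passing a window such as 2592000 (30 days) as the third argument also rejects certificates that are still valid now but would expire shortly after being stored on the AP.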
Summit WM Technical Reference Guide, Software Version 5.1
