HiveAP certificate on AP230

  • Updated 2 years ago

We have a number of HMOL 230s on our network.

A recent vulnerability scan highlighted that all had an identical certificate, not certifiable and not corresponding to a DNS entry.

What used this, and can I replace it with a certificate from a cert authority?

Thanks   

bob mccarthy

Posted 2 years ago

Nick Lowe, Official Rep

Hi Bob,

Can you help me to understand the problem that you are trying to solve? What issue/vulnerability do you see existing here?

You do not manage the APs day-to-day via this route; that takes place via HiveManager.

The service available at https://ap_ip_address/ is only used for initial, basic configuration tasks or firmware updates normally before an AP is configured and working, and in atypical circumstances. At that point, you would not have been able to install a certificate anyway.

Thanks,

Nick

bob mccarthy

Nick

We don't manage the APs directly; we use HiveManager as you describe. The problem is the vulnerability report lists the APs' certs as high risk:

  "The subject common name (CN) field in the X.509 certificate does not match the name of the entity presenting the certificate"

Do the APs need a cert installed?

Thanks

Nick Lowe, Official Rep

Hi Bob,

It is not at all a high risk, or even a medium risk, due to what is available via HTTPS on an AP and what that gets used for.

This is where the report falls down; it has no context on which to score.

While there are enhancements we could make, this is not something that has much of an impact from a security perspective due to the reason that I explained.

Cheers,

Nick

bob mccarthy


Nick

Is it possible to disable 443 on the APs? CAPWAP doesn't rely on it?

Thanks

 

Roberto Casula, Champ

You can completely disable the web server in your network policy (under Service Settings). Note, however, that if you do this, it will also disable any other feature that requires the web server, primarily the captive web portal.

bob mccarthy

Thanks