07-19-2013 10:31 AM
Why does ClearPass Guest configure "securelogin.arubanetworks.com" as the default Vendor Address when selecting Aruba Networks as the vendor?
As per the "How does captive portal authentication really work" question, the client needs to post the authentication to the controller directly. CPG facilitates this communication by instructing the client where to post (securelogin.arubanetworks.com) and what to post (credentials). The end user may not even realize this post is happening, since it happens automatically after they log in on the CPG web login page.

In order for CPG to instruct the client where to post, ClearPass Guest needs to know the address of the controller. You could hardcode the controller's IP address in the Vendor Address field, but this configuration has two drawbacks.

First, the controller will not have a certificate installed for that IP address, which will cause "Invalid certificate" warnings on client devices. Aruba controllers ship with a publicly signed certificate for "securelogin.arubanetworks.com" to prevent certificate warnings.

Second, hardcoding an IP address means that the Web Login will only work for that one controller. In multiple-controller environments, the hostname securelogin.arubanetworks.com resolves individually to each controller's IP address. If I'm associated to controller X, securelogin.arubanetworks.com will resolve to controller X's switch IP, and likewise for controller Y. This gives the ability to use the same Vendor Address value for multiple controllers.

The reasoning described here also applies to using 18.104.22.168 on CPG integrations with Cisco.
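A simplified model of the two drawbacks described above, as an added example that is not part of the original post. The controller names, the 192.0.2.x addresses and the certificate contents are constructed, and certificate name matching is reduced to an exact comparison.

```python
import ipaddress

PORTAL_HOST = "securelogin.arubanetworks.com"

# Constructed sample data: two controllers, each resolving the portal hostname
# to its own IP for the clients associated to it. Both present a certificate
# issued for the hostname only (no IP subjectAltName entries).
CONTROLLERS = {
    "X": {"ip": "192.0.2.10", "cert_dns_names": [PORTAL_HOST], "cert_ip_sans": []},
    "Y": {"ip": "192.0.2.20", "cert_dns_names": [PORTAL_HOST], "cert_ip_sans": []},
}


def is_ip(value):
    """True when the Vendor Address is an IP literal rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def cert_matches(target, cert):
    """IP targets can only match IP SANs; hostnames only match DNS names."""
    if is_ip(target):
        return target in cert["cert_ip_sans"]
    return target.lower() in (name.lower() for name in cert["cert_dns_names"])


def resolve(vendor_address, associated):
    """Address the client's POST goes to while associated to one controller."""
    if is_ip(vendor_address):
        return vendor_address                  # hardcoded: same for every client
    if vendor_address.lower() == PORTAL_HOST:
        return CONTROLLERS[associated]["ip"]   # per-controller resolution
    return None


def evaluate(vendor_address):
    """Per controller: does the POST reach it, and would the client warn?"""
    results = {}
    for name, ctrl in CONTROLLERS.items():
        results[name] = {
            "reaches_own_controller": resolve(vendor_address, name) == ctrl["ip"],
            "cert_warning": not cert_matches(vendor_address, ctrl),
        }
    return results
```

`evaluate(PORTAL_HOST)` reports no warning and a correct destination for both controllers, while `evaluate("192.0.2.10")` reports a certificate warning everywhere and a wrong destination for clients on controller Y.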