Environment: A typical environment where guest traffic is tunneled to a DMZ controller from a master/local controller or IAP.
We have seen issues with guest user authentication when traffic is tunneled from a master/local controller or IAP to the DMZ. The DMZ controller is the authenticator, but when the client tries to resolve securelogin.arubanetworks.com during the guest login/POST, the master/local controller or IAP responds with its own IP address, because the CN of the controller's default certificate matches the FQDN securelogin.arubanetworks.com.
Installing a new/dummy server certificate on the master/local controller or IAP with a CN other than securelogin.arubanetworks.com (e.g., xyz.arubanetworks.com or customerdomain.com), and mapping the installed certificate to Captive Portal under Configuration >> MANAGEMENT >> General, causes the client's lookup query for securelogin.arubanetworks.com to be tunneled to the DMZ. The DMZ controller then responds to the client with its IP address, so the POST and authentication complete properly.
Install a dummy certificate on the DMZ controller and replace securelogin.arubanetworks.com with the CN of the new certificate in ClearPass Guest, under the self-registration or weblogin NAS Setting >> Ip/hostname.