Web Login NAS Address configuration options in single and multi-controller deployments

MVP
MVP

Certificate Requirements for Controller-Initiated Web Logins with ClearPass

The default captive portal workflow for Aruba controllers uses a controller-initiated login where the client browser submits the required credential to the controller, and the controller sends a RADIUS request to the AAA server to validate the credentials.

 

A public CA-signed captive portal certificate is required for controller-initiated workflows. There are three deployment options outlined below, each using a different certificate model.

 

If ClearPass Guest is being used, some web login configuration elements will need to be updated there as well.

 

Note: This article applies for both single and multi controller deployments.

Deployment Options

  • All controllers use a single, generic public CA-signed captive portal server certificate (RECOMMENDED)
  • All controllers use a single public CA-signed wildcard captive portal server certificate
  • Each controller uses a unique public CA-signed captive portal server certificate

All Controllers Using One Common, Single Name Captive Portal Certificate

Overview:

In this recommended deployment model, one single name server certificate is used across all controllers. The certificate should contain a user friendly, generic common name. This name should not be present in DNS. For example, network-login.yourdomain.xyz. The common name should also be present as the SubjectAltName (most CAs will do this automatically).

 

NOTE: The CSR and key generation must be done an external device (ex: using openssl). The controller does not allow exporting of private keys (by design).

 

ClearPass Guest Configuration

  • For Guest Web Login page: Guest » Configuration » Pages » Web Logins: Edit respective web login pages with login method set as “Controller initiated” and configure the “*Address” field to reflect the common name in the certificate.

web_login__guest_portal_common.jpg

 

  • For Guest Self-Registration page: Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins then we need to update the “*IP Address” field with the Common Name of the controller's captive portal certificate (ex: network-login.yourdomain.xyz).

customize_guest_registration_common_prs07RP.jpg

 

Note: For instructions on installing certificates on Aruba controllers, refer to the ArubaOS User Guide > https://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm

 

All Controllers Using One Wildcard Captive Portal Certificate

Overview:

In this alternative deployment model, one public CA-signed wildcard server certificate is used across all controllers.

 

The controller automatically appends "captiveportal-login" to the domain in the certificate. For example, if the common name of the certificate was "*.arubasupport.com", the dynamic captive portal redirect FQDN would be "captiveportal-login.arubasupport.com".

 

NOTE: The CSR and key generation must be done an external device (ex: using openssl). The controller does not allow exporting of private keys (by design).

 

ClearPass Guest Configuration

  • For Guest Web Login page: Guest » Configuration » Pages » Web Logins: Edit respective web login pages with login method set as “Controller initiated” and configure the “*Address” field to reflect the above derived hostname.

Example: if the wildcard cert is *.arubasupport.com, then the derived hostname would be captiveportal-login.arubasupport.com.

web_login__guest_portal_b2Nkpit.jpg

 

  • For Guest Self-Registration page: Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins then we need to update the “*IP Address” field respectively.

customize_guest_registration_m4ZMIPD.jpg

 

web_login__guest_portal_common.jpg

customize_guest_registration_common_prs07RP.jpg

https://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm

 

Using Unique Captive Portal Certificates Per Controller

Overview:

In this alternative deployment model, a unique public CA-signed server certificate is used on each controller.

ClearPass Guest Configuration

1. We need to enabled Dynamic Address under the ClearPass Guest Weblogin/Self-registration page for this to work by following the below instructions:

  • For Guest Web Login page: Please login to the ClearPass Guest and navigate to Guest » Configuration » Pages » Web Logins: Edit respective web login pages with login method set as “Controller initiated” and enabled the check box for “The controller will send the IP to submit credentials” under Dynamic address.

web_login__guest_portal_dynamic_address.jpg

 

  • For Guest Self-Registration page: Please login to the ClearPass Guest and navigate to Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins then we need to update the “*IP Address” field with the common name in the certificate.

customize_guest_registration__dynamic_address.jpg

 

2. We need to make sure that the controller includes the switchip in the redirect URL for this to work.

 

Login to the Aruba controller WebUI and navigate to Configuration >> Security >> Authentication >> L3 Authentication >> Captive Portal Authentication >> Check  "Add switchip in the redirect URL"

l3_authentication.jpg

 

3. Need to use the below simplified script in the Header HTML of a web login or self-registration page replacing respective IP and hostname mapping of the controllers.

  • For Guest Web Login page: Please login to the ClearPass Guest and navigate to Guest » Configuration » Pages » Web Logins: Edit respective web login pages with login method set as “Controller initiated” and add the below script in the Header HTML of the web login page after replacing the highlighted IP and hostname with your controllers IP and captive portal certificate CN mapping.  

Sample script:

{if !$extra_fields.cn}
  {if $extra_fields.switchip == "192.168.1.1"}
    {assign var="hostname" value ="controller1.yourdomain.xyz"} 
  {elseif $extra_fields.switchip == "192.168.1.2"}
    {assign var="hostname" value ="controller2.yourdomain.xyz"}
  {elseif $extra_fields.switchip == "192.168.1.3"}
    {assign var="hostname" value ="controller3.yourdomain.xyz"}
  {else}
    {assign var="hostname" value =$extra_fields.switchip}
  {/if}
  <meta http-equiv="refresh" content="0;url=/guest/{$script_name}.php?switchip={$hostname|rawurlencode}&cn=1&_browser=1">
{/if}

web_login__guest_portal_script_lOUwUre.jpg

 

  • For Guest Self-Registration page: Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins then we need to add the above script in the Header HTML of the web login page after replacing the highlighted IP and hostname with your controllers IP and hostname mapping.  

customize_guest_registration__script_pZPwU2e.jpg

 

Verification

We can verify this is working on the client by looking at the redirection URL re-writing the switchip to the respective hostname.

Version history
Revision #:
14 of 14
Last update:
‎08-15-2018 06:53 PM
Updated by:
 
Labels (2)
Contributors
Comments

The images are not loading for me.  Can you re-submit with the images?

@EJ Jackson - done.

Edgedemon

Thank you so much for this document - invaluable!

 

Can I check something before I try to change the code for CP in ClearPass?

 

When editing this part of the script

{assign var="hostname" value ="controller1.xyz.com"}

 

do I change the "hostname" bit for the common name of the certificate purchased to replace securelogin.arubanetworks.com? Or does it stay as "hostname" and the only parts I change  are the following

switchip

value ="controller2.xyz.com"

 

Thanks

Hostname stays static as 'hostname'. Put the CN as the value. Just curious why you aren't using a single captive portal certificate across all of your controllers?

dmendez7

Hi

 

How can I do this with an Instant Virtual Controller?

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: