
Weblogin NAS Address configuration options in multi controller and single controller deployments

Requirement:

Subject: Trusted web logins between ClearPass and Aruba wireless

Aruba captive portal logins are performed by the guest submitting an HTTP POST over SSL. By default, Aruba ships with a default certificate for securelogin.arubanetworks.com, and this is the hostname the guests submit to. It is recommended to replace it with your own certificate issued by a certificate authority of your choosing. Once the certificate is installed, the captive portal uses the CN from that certificate for logins. See below for the configuration options, which depend on the type of certificate and the deployment you choose.

If your captive portal solution uses ClearPass Guest, there are additional configuration options there that you will need to change after installing any new certificate.

 

NOTE: On September 8th, 2016 the default certificate was revoked by the certificate authority due to the inherent insecure nature of shipping certificates in firmware. Client browsers will either refuse to connect to insecure websites or display a warning that the user needs to bypass. HPE Aruba recommends that all deployments install a custom certificate immediately.

Note: This article applies to both single-controller and multi-controller deployments.



Solution:

The NAS Address configured in the ClearPass Guest Weblogin/Self-registration page must match the certificate being used on the Aruba wireless controllers.

The following scenarios are covered:

  • All Aruba Controllers using a wildcard certificate.
  • All Aruba Controllers using one common certificate (not the default securelogin.arubanetworks.com, as it has been revoked).
  • A unique certificate on each Aruba Controller (self-signed or publicly signed certificates).

 

Our recommended option in multi-controller deployments is to use wildcard certificates.



Configuration:

Please find below the configuration changes that need to be made on ClearPass Guest for each of the listed scenarios:

All Aruba Controllers using a wildcard certificate:

Note: For details on how Aruba Controllers work with a wildcard certificate for captive portal authentication, please refer to

https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

We need to prepend 'captiveportal-login' to the wildcard CN and configure the resulting hostname on ClearPass Guest at the respective locations as stated below:

  • For Guest Web Login page: Guest » Configuration » Pages » Web Logins: Edit the respective web login pages with the login method set to “Controller initiated” and configure the “*Address” field with the derived hostname.

E.g.: If the wildcard certificate is *.xyz.com, then the derived hostname is captiveportal-login.xyz.com

[Image: web_login__guest_portal_b2Nkpit.jpg]

 

  • For Guest Self-Registration page: Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins, then we need to update the “*IP Address” field with the same derived hostname.

[Image: customize_guest_registration_m4ZMIPD.jpg]

 

All Aruba Controllers using one common certificate:

If we have installed one common certificate on all the Aruba Controllers, we need to configure that certificate's common name on ClearPass Guest at the respective locations as stated below:

  • For Guest Web Login page: Guest » Configuration » Pages » Web Logins: Edit the respective web login pages with the login method set to “Controller initiated” and configure the “*Address” field with the common name in the certificate.

[Image: web_login__guest_portal_common.jpg]

 

  • For Guest Self-Registration page: Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins, then we need to update the “*IP Address” field with the common name in the certificate.

[Image: customize_guest_registration_common_prs07RP.jpg]

 

Note: For instructions on how to request and install certificates issued by a public CA (Certificate Authority) on Aruba Controllers, please refer to the ArubaOS User Guide section on managing certificates:

http://www.arubanetworks.com/techdocs/ArubaOS_64_Web_Help/Content/ArubaFrameStyles/Management_Utilities/Managing_Certificates.htm

 

Using a unique certificate on each Aruba Controller (self-signed or publicly signed certificates):

Note: For instructions on generating a self-signed certificate and installing it on Aruba Controllers, please refer to

https://community.arubanetworks.com/t5/Controller-Based-WLANs/Generate-self-signed-certificate-with-OpenSSL/ta-p/275357

1. Enable Dynamic Address on the ClearPass Guest Weblogin/Self-registration page for this to work, following the instructions below:

  • For Guest Web Login page: Log in to ClearPass Guest and navigate to Guest » Configuration » Pages » Web Logins: Edit the respective web login pages with the login method set to “Controller initiated” and enable the check box “The controller will send the IP to submit credentials” under Dynamic address.

[Image: web_login__guest_portal_dynamic_address.jpg]

 

 

  • For Guest Self-Registration page: Log in to ClearPass Guest and navigate to Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins, then we need to update the “*IP Address” field with the common name in the certificate.

[Image: customize_guest_registration__dynamic_address.jpg]

 

2. Make sure that the controller includes the switchip in the redirect URL; the script in step 3 relies on it.

Log in to the Aruba controller WebUI and navigate to Configuration >> Security >> Authentication >> L3 Authentication >> Captive Portal Authentication, and check the box that says "Add switchip in the redirect URL".

[Image: l3_authentication.jpg]

 

3. Use the simplified script below in the Header HTML of the web login or self-registration page, replacing the IP-to-hostname mapping with that of your controllers.

  • For Guest Web Login page: Log in to ClearPass Guest and navigate to Guest » Configuration » Pages » Web Logins: Edit the respective web login pages with the login method set to “Controller initiated” and add the script below to the Header HTML of the web login page after replacing the highlighted IPs and hostnames with your controllers' IP and hostname mapping.

Sample script:

{* Rewrite only once: the refresh below appends cn=1, so this block is skipped on the reload *}
{if !$extra_fields.cn}
  {* Map the controller's switchip to the CN of the certificate installed on that controller *}
  {if $extra_fields.switchip == "192.168.1.1"}
    {assign var="hostname" value="controller1.xyz.com"}
  {elseif $extra_fields.switchip == "192.168.1.2"}
    {assign var="hostname" value="controller2.xyz.com"}
  {elseif $extra_fields.switchip == "192.168.1.3"}
    {assign var="hostname" value="controller3.xyz.com"}
  {else}
    {* Unmapped controller: fall back to the raw switchip *}
    {assign var="hostname" value=$extra_fields.switchip}
  {/if}
  {* Reload the same page with the hostname in place of the IP; _browser=1 is kept from the original redirect *}
  <meta http-equiv="refresh" content="0;url=/guest/{$script_name}.php?switchip={$hostname|rawurlencode}&cn=1&_browser=1">
{/if}

[Image: web_login__guest_portal_script_lOUwUre.jpg]

 

  • For Guest Self-Registration page: Guest » Configuration » Pages » Guest Self-Registrations: Edit the self-registration and go to NAS Vendor Settings. If we are using Controller-Initiated logins, then we need to add the above script to the Header HTML of the web login page after replacing the highlighted IPs and hostnames with your controllers' IP and hostname mapping.

[Image: customize_guest_registration__script_pZPwU2e.jpg]

 

Verification

You can verify that this is working on the client by checking that the redirection URL rewrites the switchip to the respective hostname.
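The following Python is an added example and is not ClearPass code or the article's own script. It models how the NAS address is derived for the wildcard scenario (prepending captiveportal-login to the wildcard CN), emulates the switchip-to-hostname rewrite that the Header HTML script in step 3 performs (including the cn=1 guard that prevents a redirect loop and the fallback to the raw IP for an unmapped controller), and then performs the client-side check described under Verification: the host the guest will POST credentials to must be a name the installed certificate actually covers. The function names, the guest_portal.php request path, the controller IP/hostname pairs and the set of certificate names are assumptions that mirror the sample values used in the article.

```python
"""Model of the ClearPass Guest NAS-address logic from the article (added example, not ClearPass code)."""
from urllib.parse import parse_qs, quote, urlparse

# Assumption: the label prepended to the wildcard domain, as the article describes.
CAPTIVE_PORTAL_PREFIX = "captiveportal-login"

# Constructed sample mapping mirroring the article's Header HTML script (assumption).
CONTROLLER_HOSTNAMES = {
    "192.168.1.1": "controller1.xyz.com",
    "192.168.1.2": "controller2.xyz.com",
    "192.168.1.3": "controller3.xyz.com",
}

# Constructed: the CN/SAN names carried by the certificates installed on the controllers.
DEPLOYMENT_CERT_NAMES = set(CONTROLLER_HOSTNAMES.values())


def nas_address_for_wildcard(wildcard_cn):
    """Wildcard scenario: '*.xyz.com' -> 'captiveportal-login.xyz.com'."""
    if not wildcard_cn.startswith("*."):
        raise ValueError("not a wildcard CN: %r" % wildcard_cn)
    return "%s.%s" % (CAPTIVE_PORTAL_PREFIX, wildcard_cn[2:])


def _query(url):
    """Flatten the query string to a dict, keeping the last value of each key."""
    return {k: v[-1] for k, v in parse_qs(urlparse(url).query).items()}


def header_html_redirect(request_url, mapping=CONTROLLER_HOSTNAMES):
    """Emulate the Smarty Header HTML script.

    Returns the meta-refresh target when a rewrite is needed, or None when the page
    should render as-is because cn=1 is already present (the loop guard).
    Assumption: $script_name is the page name taken from the request path.
    """
    parsed = urlparse(request_url)
    params = _query(request_url)
    if "cn" in params:                      # {if !$extra_fields.cn} is false
        return None
    switchip = params.get("switchip", "")
    hostname = mapping.get(switchip, switchip)   # {else}: fall back to the raw IP
    script_name = parsed.path.rsplit("/", 1)[-1]
    if script_name.endswith(".php"):
        script_name = script_name[:-4]
    return "/guest/%s.php?switchip=%s&cn=1&_browser=1" % (
        script_name, quote(hostname, safe=""))   # rawurlencode equivalent


def host_covered_by_certificate(host, cert_names):
    """True if a browser would accept a certificate carrying cert_names for host.

    A wildcard entry matches exactly one DNS label, as browsers require, and an IP
    literal never matches a DNS-name entry; that mismatch is what produces the
    certificate warning when the switchip is left as an IP address.
    """
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                   # ".xyz.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif host == name:
            return True
    return False


def verify_client_redirect(request_url, cert_names=DEPLOYMENT_CERT_NAMES):
    """The check from the Verification section: follow the rewrite and confirm the
    resulting switchip is a hostname the deployment's certificates cover."""
    target = header_html_redirect(request_url)
    if target is None:
        return False, "no rewrite performed (cn already set)"
    host = _query(target)["switchip"]
    return host_covered_by_certificate(host, cert_names), host


if __name__ == "__main__":
    print(nas_address_for_wildcard("*.xyz.com"))
    base = "https://captiveportal/guest/guest_portal.php?switchip="
    for ip in ("192.168.1.2", "10.0.0.9"):   # mapped controller, then an unmapped one
        print(ip, "->", header_html_redirect(base + ip), verify_client_redirect(base + ip))
```

Run it directly to see the mapped controller rewritten to its certificate name and the unmapped one flagged; the same functions can be pointed at a redirect URL copied from a real client to confirm the rewrite the article tells you to look for.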

Version history
Revision 12 of 12
Last update: 03-21-2017 07:28 AM
Comments

The images are not loading for me.  Can you re-submit with the images?

@EJ Jackson - done.

Edgedemon

Thank you so much for this document - invaluable!

 

Can I check something before I try to change the code for CP in ClearPass?

 

When editing this part of the script

{assign var="hostname" value ="controller1.xyz.com"}

 

do I change the "hostname" bit for the common name of the certificate purchased to replace securelogin.arubanetworks.com? Or does it stay as "hostname" and the only parts I change  are the following

switchip

value ="controller2.xyz.com"

 

Thanks

Hostname stays static as 'hostname'. Put the CN as the value. Just curious why you aren't using a single captive portal certificate across all of your controllers?
