ArubaOS and Controllers

Frequent Contributor I

certificates and captive portals

Wireless clients keep getting invalid certificates. We have the captive portal require the user to accept the policy, and when they click on the accept button it does an HTTPS GET to the controller's private IP of 172.16.23.1 to authenticate them. We created a certificate for that IP address. The certificate issues are intermittent and more prevalent on certain devices: Google Android OS always gets the invalid certificate and sometimes the iPhone 4 will as well. Should I not be creating a certificate CSR with 172.16.23.1 or the controller's public IP as the IP? Any suggestions on how to fix this?
Guru Elite

Re: certificates and captive portals

First things first:

Do your clients already trust the CA that is generating those certificates?

You need to generate a CSR that has the FQDN that you want clients to see. It does not have to resolve to anything, because part of the captive portal process is to redirect clients to your FQDN and intercept any requests to that FQDN and return the IP address of the controller's captive portal.

To make a long story short:

- Generate a CSR with the FQDN you want your clients to see
- Make sure your clients trust the CA that will generate the certificate
- Upload the certificate to the Captive Portal


Colin Joseph
Aruba Customer Engineering
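
One way to check, before uploading a certificate, whether the host in the URL clients are sent to matches a name in that certificate. This is an added example, not code from the thread or from Aruba; it follows RFC 2818/6125-style name matching, and captiveportal.example.com and the sample certificate dicts are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

def dns_match(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    return "." in h and h.split(".", 1)[1] == p[2:]

def check_url_against_cert(url, cert):
    """cert uses the dict shape returned by ssl.SSLSocket.getpeercert()."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL can only match an iPAddress SAN entry.
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
            return True, "matched iPAddress SAN"
        if host in cns:
            return False, "IP is only in CN; clients that ignore CN will reject"
        return False, "no iPAddress SAN for this address"
    if any(k == "DNS" and dns_match(v, host) for k, v in sans):
        return True, "matched dNSName SAN"
    return False, "no dNSName SAN matches this host"

# Constructed sample certificates (not taken from the thread).
CERT_IP_IN_CN = {"subject": ((("commonName", "172.16.23.1"),),)}
CERT_FQDN = {
    "subject": ((("commonName", "captiveportal.example.com"),),),
    "subjectAltName": (("DNS", "captiveportal.example.com"),),
}

if __name__ == "__main__":
    for url, cert in [
        ("https://172.16.23.1/auth/loginnw.html", CERT_IP_IN_CN),
        ("https://captiveportal.example.com/auth/loginnw.html", CERT_FQDN),
        ("https://172.16.23.1/auth/loginnw.html", CERT_FQDN),
    ]:
        print(url, "->", check_url_against_cert(url, cert))
```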


Frequent Contributor I

Re: certificates and captive portals






The captive portal page is on an external server. When they click on the accept button of that external web server, it does the HTTPS GET and sends them to the controller to get authenticated. This is the URL it has the client go to:

https://172.16.23.1/auth/loginnw.html?user=foobar&password=foobar

The controller isn't hosting the captive portal page; it is only authenticating the user to allow them access to browse the internet.

It is when they hit that controller's private IP that some devices get certificate errors. I already created a CSR and uploaded the chained certs to the controller, which included the root CA, intermediate CA and the host certificate. But I generated the CSR using the private IP of 172.16.23.1 and am wondering if that is what some operating systems don't like...