New Contributor

Configure IAP to use SAN from Wildcard certificate

We use a mix of IAP-105 and 205 access points in several locations broadcasting multiple SSIDs. The guest network is using "Internal - Authenticated" with a local user account for authentication. Since it was not high priority we never bothered to fix the certificate errors generated by the included demo certificate that was recently revoked.

 

I'm now trying to apply certificates to the units and after much trial and error was able to generate, combine, and apply the necessary keys and certificates to the virtual controller. This worked very well for the admin pages/virtual controller but not so well for the captive portal.

 

Since we already have a wildcard certificate I requested a duplicate and added "securelogin" as a SAN on the certificate. This works perfectly for the VC but the captive portal redirects to the wildcard/asterisk (*.domain.com instead of securelogin.domain.com).

 

Is there a way to reuse this certificate and force the IAP to use the alternative name on the certificate or a specific subdomain covered by the wildcard? For example, site1.domain.com, site2.domain.com, etc.domain.com so I don't have to issue individual certificates?

 

If I can get that far, will the units redirecting users to these pages handle their own name registration, knowing it is a loopback, or will I need to change the DNS and register the names for each AP so the clients can find the URL?

 

Thanks ahead of time for any assistance.

Guru Elite

Re: Configure IAP to use SAN from Wildcard certificate

--EDIT-- Posted wrong link

 

Unfortunately no. You can get an inexpensive certificate (between $10-$50) with
a generic common name (like network-login.domain.tld) and use it across all
your IAPs/VCs.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite

Re: Configure IAP to use SAN from Wildcard certificate

In a word, no wildcard for Captive Portal Certificate:  http://community.arubanetworks.com/t5/Controller-less-WLANs/Do-we-support-wildcard-cert-on-IAP-for-captive-portal/ta-p/234370

 

We cannot redirect to a SAN.  The hostname needs to be defined on the cert for the captive portal.



Colin Joseph
Aruba Customer Engineering
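A pre-deployment check for the behaviour described in the replies above, written as an added example; it is not part of the original thread and not Aruba code. It assumes, as the thread states, that the IAP redirects captive portal clients to the certificate's subject CN and never to a SAN; the function names are hypothetical and the `openssl x509 -noout -subject -ext subjectAltName` output samples are constructed.

```python
import re

def parse_openssl_names(text):
    """Extract the subject CN and the DNS SAN entries from openssl's text output."""
    cn = re.search(r"\bCN\s*=\s*([^,/\n]+)", text)
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return (cn.group(1).strip().lower() if cn else None), [s.lower() for s in sans]

def san_covers(san, host):
    """True if a SAN entry covers host; a wildcard stands for exactly one left-most label."""
    if san.startswith("*."):
        return host.partition(".")[2] == san[2:]
    return san == host

def check_portal_cert(text):
    """Assumption from the thread: the portal redirect target is the subject CN, not a SAN."""
    cn, sans = parse_openssl_names(text)
    problems = []
    if cn is None:
        problems.append("no subject CN, so there is no portal hostname to redirect to")
    elif "*" in cn:
        problems.append(f"CN {cn} is a wildcard; clients are redirected to a literal '*' host")
    elif not any(san_covers(s, cn) for s in sans):
        problems.append(f"CN {cn} is not covered by any DNS SAN; browsers validate against SANs")
    return {"redirect_host": cn, "sans": sans, "ok": not problems, "problems": problems}

# Constructed sample: the wildcard certificate reissued with an extra SAN, as in the question.
WILDCARD_WITH_SAN = """subject=CN = *.domain.com
X509v3 Subject Alternative Name: 
    DNS:*.domain.com, DNS:securelogin.domain.com
"""

# Constructed sample: a dedicated certificate with a generic common name, as in the first reply.
DEDICATED = """subject=C = US, O = Example, CN = network-login.domain.tld
X509v3 Subject Alternative Name: 
    DNS:network-login.domain.tld
"""

if __name__ == "__main__":
    for label, sample in (("wildcard+SAN", WILDCARD_WITH_SAN), ("dedicated", DEDICATED)):
        result = check_portal_cert(sample)
        print(label, "OK" if result["ok"] else "REJECT", result["redirect_host"])
        for problem in result["problems"]:
            print("  -", problem)
```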
