Android auto-login certificate error when doing http redirect to CP 6.6.7

  • 1.  Android auto-login certificate error when doing http redirect to CP 6.6.7

    Posted Sep 27, 2017 06:41 AM

    Hi guys!

     

    I've been doing captive portal redirect using HTTP for ages, but fairly recently some of these solutions have started to trigger a security error in the auto-login popup on Android 7 clients of the type "Certificate not valid. Are you sure you want to connect to this network". That seems odd since there should be no HTTP in play here during the redirect. Note that I'm triggering the redirect using an http URL.

     

    More specifically, it happens when the redirect page is on Clearpass 6.6.7. I haven't been able to reproduce the issue on an old test Amigopod, and haven't tested it on older 6.6.x Clearpass installations since most are upgraded to 6.6.7.

     

    Looking at the data I see that sure enough - there is traffic triggered from the client to Clearpass port 443 during the redirect.

     

     

    If I do a redirect to an external website that is http - no error.

    If I redirect to a Clearpass 6.6.7 page that doesn't have a form (like default terms.php) - still cert error

     

    If I turn off Android auto popup by whitelisting "connectivitycheck.gstatic.com" neither Chrome nor Firefox triggers a certificate error.

     

    So... To summarize - I get the cert-error within Android 7 Auto-login popup when I redirect to a Clearpass 6.6.7 webpage. I don't get the error on any other client, on any other non-Clearpass 6.6.7 webpages nor if I turn off auto-login popup on Android.

     

    So my question would be - what is special with Clearpass 6.6.7 in this Android auto-login scenario that causes the cert-error?

     



  • 2.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    EMPLOYEE
    Posted Sep 27, 2017 07:57 AM

    Do you have HTTP allowed in ClearPass guest under Authentication? Otherwise everything will be redirected to HTTPS.



  • 3.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    Posted Sep 27, 2017 08:00 AM
    Yes. If I accept the certificate warning I land on the http page as requested.


  • 4.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    EMPLOYEE
    Posted Sep 27, 2017 08:04 AM
    Is there any external code embedded on your page?


  • 5.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    Posted Sep 27, 2017 08:07 AM
    No - default terms-page, or any other default weblogin-page using default skin. Tested this on 3 different 6.6.7 customers and in lab now with the same results.


  • 6.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    EMPLOYEE
    Posted Sep 27, 2017 08:09 AM
    Do you have a packet capture of the client’s traffic?


  • 7.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    Posted Sep 27, 2017 08:13 AM
    Not from the Android, no. On a Windows client I just got way too much 443 traffic to filter out what could cause it.


  • 8.  RE: Android auto-login certificate error when doing http redirect to CP 6.6.7

    Posted Sep 29, 2017 03:38 AM

    Still no luck on this so I guess TAC is next. If I redirect to any other http page (intranet or internet) other than Clearpass 6.6.7/6.6.8 there is no certificate error during Android 7 auto-login.

    Doing http on Controller internal captive portal - no error.

    I've created a blank web page with blank skin in Clearpass Guest - cert error. What?! This is a page with nothing - no scripts or anything..

     

    If someone has time I would appreciate a quick test to confirm this error ;)
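
Added example, not part of the original posts and not ClearPass code: when a full packet capture is too noisy, one way to narrow down what pulls a client onto port 443 is to audit the raw response served at the http:// redirect URL for anything that points at HTTPS. The sample response and hostnames below are constructed placeholders, and the function name is hypothetical; the thread does not establish which of these, if any, is the cause.

```python
from html.parser import HTMLParser

# Constructed sample response; hostnames are placeholders, not from a real server.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: upgrade-insecure-requests\r\n"
    "\r\n"
    '<html><head><link rel="stylesheet" href="https://portal.example.test/skin.css">'
    '<script src="/js/local.js"></script></head>'
    '<body><form action="https://portal.example.test/login.php"></form>'
    '<img src="http://portal.example.test/logo.png"></body></html>'
)

class _UrlCollector(HTMLParser):
    """Records attributes that make the client fetch from or post to an https:// URL."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for name in ("src", "href", "action"):
            if (a.get(name) or "").lower().startswith("https://"):
                self.found.append(f"{tag}[{name}] -> {a[name]}")
        refresh = (a.get("http-equiv") or "").lower() == "refresh"
        if tag == "meta" and refresh and "https://" in (a.get("content") or "").lower():
            self.found.append(f"meta[refresh] -> {a['content']}")

def find_https_triggers(raw_response: str) -> list[str]:
    """Return every header or HTML reference in a raw HTTP response that leads to HTTPS."""
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    if headers.get("location", "").lower().startswith("https://"):
        findings.append(f"header Location -> {headers['location']}")
    if "upgrade-insecure-requests" in headers.get("content-security-policy", "").lower():
        findings.append("header Content-Security-Policy: upgrade-insecure-requests")
    collector = _UrlCollector()
    collector.feed(body)
    return findings + collector.found

if __name__ == "__main__":
    for finding in find_https_triggers(SAMPLE):
        print(finding)
```

Feed it the raw response, headers included, saved from the same http:// URL the redirect uses; an empty result means the page itself references nothing over HTTPS and the 443 traffic originates elsewhere.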