MVP

Android auto-login certificate error when doing http redirect to CP 6.6.7

Hi guys!

I've been doing captive portal redirect using HTTP for ages, but fairly recently some of these solutions have started to trigger a security error in the auto-login popup on Android 7 clients of the type "Certificate not valid. Are you sure you want to connect to this network". That seems odd since there should be no HTTP in play here during the redirect. Note that I'm triggering the redirect using an HTTP URL.

More specifically it happens when the redirect page is on Clearpass 6.6.7. I haven't been able to reproduce the issue on an old test Amigopod, and haven't tested it on older 6.6.x Clearpass installations since most are upgraded to 6.6.7.

 

Looking at the data I see that sure enough - there is traffic triggered from the client to Clearpass port 443 during the redirect.

If I do a redirect to an external website that is http - no error.

If I redirect to a Clearpass 6.6.7 page that doesn't have a form (like default terms.php) - still cert error.

 

If I turn off Android auto popup by whitelisting "connectivitycheck.gstatic.com" neither Chrome nor Firefox triggers a certificate error.

So... To summarize - I get the cert-error within Android 7 Auto-login popup when I redirect to a Clearpass 6.6.7 webpage. I don't get the error on any other client, on any other non-Clearpass 6.6.7 webpages nor if I turn off auto-login popup on Android.

So my question would be - what is special with Clearpass 6.6.7 in this Android auto-login scenario that causes the cert-error?


Regards
John Solberg

-ACMX #316 :: ACCP ::
ACSA :: Working on my ACCX!!
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Guru Elite

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

Do you have HTTP allowed in ClearPass guest under Authentication? Otherwise everything will be redirected to HTTPS.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

Yes. If I accept the certificate warning I land on the http page as requested.

Regards
John Solberg

Guru Elite

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

Is there any external code embedded on your page?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

No - default terms-page, or any other default weblogin-page using default skin. Tested this on 3 different 6.6.7 customers and in lab now with the same results.

Regards
John Solberg

Guru Elite

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

Do you have a packet capture of the client’s traffic?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

Not from the Android, no. On a Windows client I just got way too much 443 traffic to filter out what could cause it.

Regards
John Solberg

MVP

Re: Android auto-login certificate error when doing http redirect to CP 6.6.7

Still no luck on this so I guess TAC is next. If I redirect to any other http page (intranet or internet) other than Clearpass 6.6.7/6.6.8 there is no certificate error during Android 7 auto-login.

Doing http on Controller internal captive portal - no error.

I've created a blank web page with blank skin in Clearpass Guest - cert error. What?! This is a page with nothing - no scripts or anything.

If someone has time I would appreciate a quick test to confirm this error ;)


Regards
John Solberg

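A check that fits the question in this thread, as an added example that is not part of any post above: given the HTTP responses seen during the redirect, list every redirect target or page reference that would send the client to port 443. The sample exchanges are constructed, and `portal.example` and the page content are placeholders, not ClearPass output.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class RefCollector(HTMLParser):
    """Collect URL-bearing attributes and meta-refresh targets from a page."""
    URL_ATTRS = {"src", "href", "action"}
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.URL_ATTRS and value:
                self.refs.append((tag, value))
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            target = (a.get("content") or "").partition("=")[2].strip()
            if target:
                self.refs.append(("meta-refresh", target))

def https_triggers(exchanges):
    """Return (request_url, kind, https_url) for everything that leads to HTTPS."""
    findings = []
    for ex in exchanges:
        base = ex["url"]
        headers = {k.lower(): v for k, v in ex["headers"].items()}
        loc = headers.get("location")
        if loc and urlsplit(urljoin(base, loc)).scheme == "https":
            findings.append((base, "redirect", urljoin(base, loc)))
        parser = RefCollector()
        parser.feed(ex.get("body", ""))
        for kind, ref in parser.refs:
            full = urljoin(base, ref)  # resolves relative and //host references
            if urlsplit(full).scheme == "https":
                findings.append((base, kind, full))
    return findings

# Constructed sample: probe redirect, portal page, one asset upgraded to HTTPS.
SAMPLE = [
    {"url": "http://connectivitycheck.gstatic.com/generate_204",
     "headers": {"Location": "http://portal.example/guest/terms.php"}, "body": ""},
    {"url": "http://portal.example/guest/terms.php", "headers": {},
     "body": '<link rel="stylesheet" href="/skin/a.css">'
             '<script src="https://portal.example/js/app.js"></script>'
             '<form action="https://portal.example/guest/login.php"></form>'},
    {"url": "http://portal.example/skin/a.css",
     "headers": {"Location": "https://portal.example/skin/a.css"}, "body": ""},
]

if __name__ == "__main__":
    for finding in https_triggers(SAMPLE):
        print(finding)
```

An empty result for a page that still triggers the warning points away from the page content and toward something only a capture on the client side would show.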