Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Instant with Clearpass auth

  • 1.  Aruba Instant with Clearpass auth

    Posted Sep 19, 2016 11:48 AM

    Hello,

    On September 8th the default cert securelogin.arubanetworks.com was revoked. Users have been having issues connecting to our guest networks because we were still using that cert (I know...).

    I have since managed to create a PEM file with our wildcard cert using this procedure https://www.digicert.com/ssl-support/pem-ssl-creation.htm and successfully uploaded it to our Instant deployment using this procedure http://community.arubanetworks.com/t5/Controller-less-WLANs/Can-we-upload-a-wildcard-certificate-on-the-Aruba-IAP-for-dot1x/ta-p/181260

    I followed the steps listed here https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Weblogin-NAS-Address-configuration-options-in-multi-controller/ta-p/275426 to modify ClearPass to allow connections using this new cert. But users are getting one of two pages when trying to log in:

    1. ClearPass shows a page that says "Please wait while we log you onto the network" or

    2. A browser error page that says "Unable to find host"

    From what I can see everything seems in order but I feel there should be a DNS record about captiveportal-login.xyz.com somewhere.


    Any help appreciated



  • 2.  RE: Aruba Instant with Clearpass auth
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2016 11:51 AM


  • 3.  RE: Aruba Instant with Clearpass auth

    Posted Sep 22, 2016 10:35 AM

    Thanks cappalli,

    We bought a public cert and uploaded it to our Instants and it's currently working.

    We also have an M3 controller that offloads to ClearPass for guest auth. Documentation that I have found suggests I need to upload the cert as a "Server Cert" but I get an error saying there is a problem with the cert format.

    I was able to upload it as a public cert, but it won't let me use it for captive portal.



  • 4.  RE: Aruba Instant with Clearpass auth
    Best Answer

    EMPLOYEE
    Posted Sep 22, 2016 11:06 AM
    For controller, convert the cert with key to a PFX/P12 prior to uploading.


  • 5.  RE: Aruba Instant with Clearpass auth

    Posted Sep 22, 2016 12:50 PM

    Thank you, got it to work using OpenSSL to convert it.
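
The PEM-to-PFX conversion mentioned in the two replies above, as an added example that is not part of the original thread (the poster did not show the command they ran). The file arguments and the `PFX_PASS` variable are assumptions; the function first checks that the private key actually belongs to the certificate, which is a common cause of upload errors.

```shell
#!/bin/sh
# make_pfx CERT.pem KEY.pem OUT.p12 [CHAIN.pem]
# Added example: bundle a PEM certificate and its private key into PKCS#12.
# The export password is read from the PFX_PASS environment variable
# (an assumption of this example) so it never appears on the command line.
make_pfx() {
    cert=$1 key=$2 out=$3 chain=${4:-}
    [ -n "${PFX_PASS:-}" ] || { echo "set PFX_PASS first" >&2; return 2; }

    # Public key embedded in the certificate vs. public key derived from
    # the private key. Both commands print the same PEM structure, so a
    # plain string comparison is enough.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not belong to this certificate" >&2
        return 1
    fi

    # Include intermediate CA certificates when a chain file is given.
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -out "$out" -passout env:PFX_PASS || return 2
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -out "$out" -passout env:PFX_PASS || return 2
    fi
    chmod 600 "$out"   # the bundle contains the private key

    # Re-open the bundle to confirm it parses with the chosen password.
    openssl pkcs12 -in "$out" -passin env:PFX_PASS -noout 2>/dev/null || return 2
}
```

Call it as `PFX_PASS=... make_pfx wildcard.pem wildcard.key wildcard.p12 chain.pem` (file names are placeholders), and delete the bundle from the workstation once it has been uploaded.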



  • 6.  RE: Aruba Instant with Clearpass auth

    EMPLOYEE
    Posted Sep 22, 2016 12:52 PM

    Just an update. Instant 4.3 was released this week which added support for wildcard certificates with captive portal. The FAQ has been updated.



  • 7.  RE: Aruba Instant with Clearpass auth

    Posted Sep 27, 2016 05:50 PM

    @cappalli wrote:

    Just an update. Instant 4.3 was released this week which added support for wildcard certificates with captive portal. The FAQ has been updated.


    As in 6.5.0.0-4.3? Didn't find anything in the release notes about it. 



  • 8.  RE: Aruba Instant with Clearpass auth

    Posted Oct 07, 2016 08:25 AM

    Also doesn't seem to work. How can I get the IAP to use a correct URL for the certificate? It goes to *.domain.country/swarm.cgi



  • 9.  RE: Aruba Instant with Clearpass auth

    EMPLOYEE
    Posted Oct 07, 2016 09:07 AM

    When you upload a wildcard certificate for the captive portal, the IAP uses the hostname "captiveportal-login.domain.com". You should put that captiveportal-logon.domain.com hostname in ClearPass.