Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Aruba Instant with Clearpass auth

Hello,

On September 8th the default cert securelogin.arubanetworks.com was revoked. Users have been having issues connecting to our guest networks because we were still using that cert (I know...).

I have since managed to create a PEM file with our wildcard cert using this procedure https://www.digicert.com/ssl-support/pem-ssl-creation.htm and successfully uploaded it to our Instant deployment using this procedure http://community.arubanetworks.com/t5/Controller-less-WLANs/Can-we-upload-a-wildcard-certificate-on-the-Aruba-IAP-for-dot1x/ta-p/181260

I followed the steps listed here https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Weblogin-NAS-Address-configuration-options-in-multi-controller/ta-p/275426 to modify Clearpass to allow connections using this new cert. But users are getting one of two pages when trying to log in:

1. Clearpass shows a page that says "Please wait while we log you onto the network" or

2. A browser error page that says "Unable to find host"

From what I can see everything seems in order but I feel there should be a DNS record about captiveportal-login.xyz.com somewhere.

Any help appreciated

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: Aruba Instant with Clearpass auth

Wildcard can't be used with Instant for captive portal. Please see here:
https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Aruba Instant with Clearpass auth

Thanks cappalli,

We bought a public cert and uploaded it to our Instants and it's currently working.

We also have an M3 controller that offloads to Clearpass for guest auth. Documentation that I have found suggests I need to upload the cert as a "Server Cert", but I get an error saying there is a problem with the cert format.

I was able to upload it as a public cert, but it won't let me use it for captive portal.

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: Aruba Instant with Clearpass auth

For controller, convert the cert with key to a PFX/P12 prior to uploading.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I
Posts: 61
Registered: ‎01-18-2012

Re: Aruba Instant with Clearpass auth

Thank you, got it to work using OpenSSL to convert it.
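
The PEM-to-PFX/P12 conversion mentioned in the two posts above, as an added example that is not part of the original thread: it checks that the private key belongs to the certificate before bundling them with OpenSSL. The file names, the `example.com` hostname, the `captive-portal` friendly name and the `P12_PASS` variable are assumptions, and the certificate is a throwaway self-signed one constructed for the demo.

```shell
#!/bin/sh
# Added example: package a PEM certificate and its private key as PKCS#12 (PFX).
set -eu

# pubkey_of cert|key FILE: print the public key contained in FILE as PEM.
pubkey_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
  esac
}

# make_p12 CERT KEY OUT: build OUT only if KEY really belongs to CERT.
# The export password is read from $P12_PASS so it never appears in argv.
make_p12() {
  cert_pub=$(pubkey_of cert "$1") || return 1
  key_pub=$(pubkey_of key "$2") || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  ( umask 077   # the bundle contains the private key: owner-only permissions
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
      -name captive-portal -passout env:P12_PASS )
}

# p12_subject FILE: print the subject of the leaf certificate inside FILE.
p12_subject() {
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253
}

# new_selfsigned DIR NAME: throwaway key and certificate (constructed test input).
new_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

demo() {
  demo_dir=$(mktemp -d)
  export P12_PASS="constructed-demo-password"
  new_selfsigned "$demo_dir" captiveportal-login.example.com
  make_p12 "$demo_dir/captiveportal-login.example.com.crt" \
           "$demo_dir/captiveportal-login.example.com.key" "$demo_dir/portal.p12"
  p12_subject "$demo_dir/portal.p12"
  rm -rf "$demo_dir"
}
demo
```

For a CA-issued certificate, pass the intermediate certificates to `openssl pkcs12 -export` with `-certfile` so the bundle carries the full chain.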

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: Aruba Instant with Clearpass auth

Just an update. Instant 4.3 was released this week which added support for wildcard certificates with captive portal. The FAQ has been updated.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 107
Registered: ‎01-05-2015

Re: Aruba Instant with Clearpass auth


cappalli wrote:

Just an update. Instant 4.3 was released this week which added support for wildcard certificates with captive portal. The FAQ has been updated.


As in 6.5.0.0-4.3? Didn't find anything in the release notes about it. 

MVP
Posts: 107
Registered: ‎01-05-2015

Re: Aruba Instant with Clearpass auth

Also doesn't seem to work. How can I get the IAP to use a correct URL for the certificate? It goes to *.domain.country/swarm.cgi

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: Aruba Instant with Clearpass auth

When you upload a wildcard certificate for the captive portal, the IAP uses the hostname "captiveportal-login.domain.com". You should put that captiveportal-login.domain.com hostname in ClearPass.


Colin Joseph
Aruba Customer Engineering
