Aruba
Posts: 1,296
Registered: 08-29-2007

Captive portal certificate, does the CN need to be dns resolvable?


Hi,

 

I'm looking at getting a server certificate for a guest network to get rid of the cert error that pops up.

 

So when I generate the CSR, does the CN need to be resolvable by DNS?  Typically for a guest network they may use a public dns such as 8.8.8.8, so the name is not necessarily resolvable.

 

For the captive portal page to open (and I've confirmed this with Wireshark):

 

  • client opens browser and does a dns lookup
  • gets response and tries to open webpage
  • controller sends a http redirect saying page has moved to 'securelogin.arubanetworks.com' or whatever the CN is in the cert.
  • client does a dns lookup on securelogin.arubanetworks.com
  • controller hijacks the response and changes it to be the ip of the controller.
  • client opens page to controller ip and then captive portal page is presented.

So in theory, the CN on the cert shouldn't matter if it is not resolvable as the controller hijacks the dns response anyway.

 

Have I got that right?

 

Thanks


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
Moderator
Posts: 948
Registered: 07-29-2010

Re: Captive portal certificate, does the CN need to be dns resolvable?

You're right, it doesn't need to be resolvable. I've tried with a non-resolvable FQDN and it works just fine.

 

Regards

Samuel Pérez
ACMP, ACCP, ACDX#100

---

If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)
Contributor I
Posts: 31
Registered: 12-12-2012

Re: Captive portal certificate, does the CN need to be dns resolvable?

How does this work with ClearPass hosting the external captive portal?

 

My understanding is that when the guest connects to the wireless network and opens a browser they will be 302 redirected to 'https://cppm.company.local/guest/guest_page.php' or whatever the ClearPass guest registration page is in the Captive Portal profile.

 

If the guest network only has public dns servers like 8.8.8.8 they will not be able to resolve cppm.company.local

 

I guess that an alternative is maybe to use an IP address instead of host name. For example 302 redirect to 'https://10.10.10.10/guest/guest_page.php' instead.

 

I don't believe you can get a public SSL certificate with a CN of a private IP address such as 10.10.10.10.

 

Will the guests always get a warning in this case?

 

Cheers,

 

Chris

 

 

MVP
Posts: 1,414
Registered: 11-30-2011

Re: Captive portal certificate, does the CN need to be dns resolvable?

Good question, does anyone have this setup working?

Aruba
Posts: 1,296
Registered: 08-29-2007

Re: Captive portal certificate, does the CN need to be dns resolvable?

Yes, tested fine. It is in a lab, but I basically needed a cert with a CN other than securelogin.arubanetworks.com, and it works.

 

:-)


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
MVP
Posts: 562
Registered: 11-28-2011

Re: Captive portal certificate, does the CN need to be dns resolvable?

This is a fairly common question.

 

The short answer is that ClearPass should have a CN in the cert that matches a resolvable FQDN (at which you point your redirect page). Note that this means registering your ClearPass FQDN of course! Treat your ClearPass like a proper web server in that respect and you'll do fine.

 

I wouldn't recommend using a private IP as it won't match the FQDN, and secure browsers won't trust it (so you won't achieve a goal of getting rid of the browser warnings).

 

I have seen people do things with their own DNS servers (private) to resolve this without registering properly (or via an internal FQDN). Again, I don't recommend this as it exposes internal DNS servers to security risks.

 

Note that in the next couple of years, security for web certs is changing, so Verisign for instance won't issue certs for FQDNs that aren't fully public. I.e. they won't give them out to private domains.

 

This link has details about it...

 

http://www.symantec.com/theme.jsp?themeid=cab-forum-changes

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
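The two cases argued over in this thread (a controller that rewrites the DNS answer for the cert's CN, versus an external ClearPass portal whose FQDN the guest must resolve through public DNS) can be checked before a cert is bought. The following is an added example, not code from Aruba, ClearPass or anyone in this thread: it takes the redirect URL, the names in the certificate (CN plus SANs) and a resolver callback standing in for the guest's DNS, and returns the reasons a browser would still warn. The URLs, names and addresses are constructed from the discussion; the resolver is injected so it runs offline.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def name_matches(host, cert_names):
    """Match a hostname against CN/SAN entries the way browsers do:
    a wildcard covers exactly one leftmost label, so '*.example.com'
    matches 'guest.example.com' but not 'a.b.example.com'."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count("."):
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_redirect(redirect_url, cert_names, resolve):
    """Return the list of reasons the guest browser would warn.

    resolve(host) models the DNS the guest actually uses (e.g. 8.8.8.8,
    or a controller that answers with its own IP) and returns an address
    string or None. An empty list means no warning is expected.
    """
    host = urlsplit(redirect_url).hostname or ""
    problems = []
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # Redirecting to a bare IP: no DNS needed, but public CAs will not
        # certify RFC 1918 space, and an IP literal is only valid as a SAN.
        if ip.is_private:
            problems.append("private IP in URL: public CAs will not certify it")
        if host not in cert_names:
            problems.append("IP literal not present as a SAN")
        return problems
    if not name_matches(host, cert_names):
        problems.append("hostname does not match certificate CN/SAN")
    if resolve(host) is None:
        problems.append("hostname not resolvable by the guest's DNS")
    return problems
```

With the controller hijacking the lookup, pass a resolver that always answers and the non-public CN passes; with the ClearPass case and a resolver that returns None for cppm.company.local, the check reports exactly the warning the thread predicts.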