Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate error

  • 1.  Certificate error

    Posted Feb 22, 2017 07:30 PM

    Hello, I'm getting this error on an iPhone when the user is already authenticated; the user says it pops up now and then.

    In English it says:

    Impossible to verify the identity of the server

    Exchange cannot verify the identity of "securelogin.arubanetworks.com"

     

    Options given

    Details and cancel

     

    Anyone ? :(



  • 2.  RE: Certificate error

    EMPLOYEE
    Posted Feb 22, 2017 07:34 PM
    Have you replaced the default controller certificate?

    Are you using ASO?


  • 3.  RE: Certificate error

    Posted Feb 22, 2017 07:36 PM

    For now we are using a self-signed certificate...

    But I have never seen that error before...

    This is on the guest network; we are using ClearPass.



  • 4.  RE: Certificate error

    Posted Feb 22, 2017 07:37 PM

    The Outlook on the iPhone is sending that error, I believe.



  • 5.  RE: Certificate error

    Posted Feb 22, 2017 07:42 PM

    Tim, what's ASO?



  • 7.  RE: Certificate error

    EMPLOYEE
    Posted Feb 23, 2017 04:22 AM

    Carlos,

     

    Two things: your client is presented with the securelogin.arubanetworks.com certificate, and that certificate should be replaced in order to get rid of certificate warnings. Check the cert revocation FAQs on this forum for more information on why you need that certificate and how to create them.

     

    Second, what is probably happening is that something in the background is setting up an HTTPS connection which gets redirected by the AP or controller. Please check this post:  https://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921 to read why this is, and that removing/disabling the redirect for HTTPS (leaving only redirects for HTTP) might be a good idea.

     

    Herman



  • 8.  RE: Certificate error

    Posted Feb 23, 2017 08:41 AM

    Hello Herman,

    Thanks for the reply.

    We will put a certificate; this is just temporary.

     

    Anyway, even if we put a certificate, wouldn't the user still get that same message, but instead of securelogin.arubanetworks.com it will be the name of the new certificate? Or will that not happen?

    If we want to continue using HTTPS instead of HTTP, because on HTTP the user and password will be in plain text over the air, is there a solution to this kind of error?



  • 9.  RE: Certificate error

    EMPLOYEE
    Posted Feb 23, 2017 09:34 AM

    You are correct that if you change the certificate that it is likely that the name in the error will change from securelogin.arubanetworks.com to the name of your certificate.

     

    And no, there is no solution if you want to redirect SSL traffic, because that is how SSL is designed:  https://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921



  • 10.  RE: Certificate error

    Posted Feb 23, 2017 05:57 PM

    So there is no fix to this?

    The user cannot even use Safari because of this (or at least that's what they just told me, I would need to check it myself)... so the guest network is useless for the ones that get this error for now.

     

    I cannot use HTTP only, because then the user and pass are sent in plain text, and the client does not want that.

     

    Anyone else got ideas?

     

    Cheers

    Carlos



  • 11.  RE: Certificate error

    EMPLOYEE
    Posted Feb 23, 2017 06:14 PM

    Carlos,

     

    My suggestion is that you limit the redirect to HTTP only, and that is because you cannot properly redirect HTTPS traffic (technically impossible). The post of credentials, of course, needs to go over HTTPS.

     

    So redirect port 80 traffic to ClearPass (or internal captive portal) on HTTPS that does have a trusted valid certificate. Then the credentials are posted to your controller (also needs trusted valid certificate).

     

    The redirect, the captive portal, and the credential post are three different things, and just the redirect, if it is enabled for HTTPS traffic as well, causes your problems.
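
The point made in posts 9 and 11, as an added example that is not part of the original thread and is not Aruba or ClearPass code: a model of the client-side name check, run against three cases. The hostnames `mail.example.com` and `guest.example.org` and the certificate contents are constructed assumptions; the certificates use the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example: models how a TLS client checks the server name.
# Chain trust is deliberately left out: the name check fails on its own.

def cert_names(cert):
    """Names a certificate is valid for; SAN dNSName entries win over the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Exact match, or a wildcard that covers the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def client_check(requested_host, presented_cert):
    """Return (ok, message) for the name the client asked for."""
    names = cert_names(presented_cert)
    if any(name_matches(n, requested_host) for n in names):
        return True, f"{requested_host}: name verified"
    return False, f"cannot verify {requested_host}: server presented {', '.join(names)}"


# Constructed sample certificates (only the name fields matter here).
DEFAULT_CERT = {"subject": ((("commonName", "securelogin.arubanetworks.com"),),)}
REPLACED_CERT = {  # hypothetical replacement certificate for the portal
    "subject": ((("commonName", "guest.example.org"),),),
    "subjectAltName": (("DNS", "guest.example.org"),),
}


def scenarios(app_host="mail.example.com", portal_host="guest.example.org"):
    return {
        # Background HTTPS (for example a mail app) answered by the redirect:
        "https_redirect_default_cert": client_check(app_host, DEFAULT_CERT),
        "https_redirect_replaced_cert": client_check(app_host, REPLACED_CERT),
        # Port-80 redirect: the client itself then asks for the portal name.
        "http_redirect_to_portal": client_check(portal_host, REPLACED_CERT),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(case, result)
```

Only the third case verifies, because it is the only one where the name the client requested is the name in the certificate; replacing the default certificate changes the name in the warning, not the outcome.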



  • 12.  RE: Certificate error

    Posted Feb 23, 2017 06:26 PM

    Okay, I think you are confused.

     

    For example, this particular user got MAC caching for a few days, so it's authenticating via MAC address, so the captive portal is not presented or anything.

     

    And the user is getting that error :/

    So there is no redirection or captive portal or anything!

     

    The user did tell me that it started happening on a remote site, which is another controller (local controller), and it started happening there.

    He did register on the central site and everything worked correctly.

     

    Right now the user is working fine; he turned the Wi-Fi on again and the message didn't appear on the central site.

    If they get the problem again, I'll try to connect to the controller and get more info... right now, to be honest, I don't have too much info as I have not troubleshot it myself... I just find it odd because I have never seen that error pop up in any of our clients using ClearPass Guest....

     

    Also, thanks for your time in answering me, Herman!!! :)

     

    Cheers

    Carlos

     

     



  • 13.  RE: Certificate error

    EMPLOYEE
    Posted Feb 24, 2017 05:11 AM

    Carlos,

    From the error I still think there is a redirect. As the problem is not reproducible at the moment, as soon as it happens again please check the role that the user has on the controller. I cannot think of a different reason why you see the securelogin certificate apart from some redirection. That is most likely a captive portal, but can also be ASO (Automated Sign On) where the controller intercepts HTTPS traffic to your ClearPass server to inject the WLAN authentication information so ClearPass can leverage the authentication already done by the client without requiring user interaction for captive-portal, SAML IdP and so on.

    You will need to find out what device (configuration) presents the client with the wrong certificate; from the name it is very likely some Aruba component.