Hi everyone,
Just a quick question. When creating a web login page in ClearPass there is a field "Address":
The description says "Enter the IP address or hostname of the vendor’s product here.". By default it is set to securelogin.arubanetworks.com. Is this the NAD IP address? Because in my case my controller IP address is 192.168.1.96, but with the default setting I can access the web login page successfully. What am I missing?
Regards,
Julián
No, it needs to be set to the common name of your controller/IAP captive portal certificate.
OK thanks, then this description is a little bit confusing.
Hi Tim,
Please, a couple more questions about this:
1. Why does it need to be set to the CN of my controller captive portal certificate if I am using ClearPass? The captive portal process happens in ClearPass and not in the controller.
2. What does securelogin.arubanetworks.com mean exactly? If I issue an nslookup for that name, no IP address is returned, so how can the client reach https://securelogin.arubanetworks.com?
1. The client needs to submit the captive portal form to that "virtual name" which is generated based on the common name of the certificate. The controller then generates a RADIUS request to the RADIUS server (ClearPass).
2. securelogin.arubanetworks.com is filler text. This needs to be replaced with the CN of your captive portal certificate.
@cappalli wrote: 1. The client needs to submit the captive portal form to that "virtual name" which is generated based on the common name of the certificate. The controller then generates a RADIUS request to the RADIUS server (ClearPass).
Does the common name need to relate to anything meaningful? For example, if I used captiveportal-login.mydomain.com, do I need a DNS record for captiveportal-login.mydomain.com or login.mydomain.com?
You don't need a DNS entry for this. The controller will intercept the DNS request and respond with the correct IP for the controller. Just make sure you install the certificate properly on the controller and assign it as "captive portal certificate" on the controller.
Hi,
Check this guide that explains the flow.
In brief, after the client logs in successfully to the ClearPass Guest page, ClearPass instructs the client browser to submit the credentials to the controller. This is where the certificate on the controller will be needed. The controller then initiates a RADIUS request to ClearPass (Step 5)
https://community.arubanetworks.com/t5/07-19-13-Expert-Day/How-does-captive-portal-authentication-really-work-with/td-p/87208
Also, you can check this video by Herman https://www.youtube.com/watch?v=_uO2-RGJ3BM It shows the packet flow step by step based on Instant APs but the same logic applies to controller.
Tim ... thanks, this is so far the simplest and the best answer to this question ... seriously
and by the way you can use a wildcard cert at CTRL (*.mydomain.com)
In this case the IP Address field should look like:
captiveportal-login.mydomain.com
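A check for the point made across the replies above, added here as an example that is not part of the thread or of any Aruba tooling: it tests whether a value proposed for the web login "Address" field is covered by the names on the controller's captive portal certificate, including the wildcard case. The function names are hypothetical, the certificate names are supplied by hand rather than read from a certificate, and only DNS names are considered.

```python
import ipaddress

# Filler value ClearPass pre-populates in the web login "Address" field (from the thread).
DEFAULT_FILLER = "securelogin.arubanetworks.com"


def name_matches(cert_name: str, host: str) -> bool:
    """Browser-style match of one certificate name against a hostname.

    A '*' is honoured only as the entire left-most label and covers exactly
    one label, so '*.mydomain.com' matches 'login.mydomain.com' but neither
    'mydomain.com' nor 'a.b.mydomain.com'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False
    if cert_labels[0] == "*":
        # Require at least two fixed labels so '*.com' style names never match.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_address_field(address: str, cert_names: list[str]) -> tuple[bool, str]:
    """Return (ok, reason) for a proposed value of the web login 'Address' field."""
    address = address.strip()
    try:
        ipaddress.ip_address(address)
        return False, "address is an IP literal; only DNS names are checked here"
    except ValueError:
        pass  # not an IP literal, treat it as a hostname
    for name in cert_names:
        if name_matches(name, address):
            return True, f"matches certificate name {name}"
    if address.lower() == DEFAULT_FILLER:
        return False, "default filler value; replace with the certificate CN"
    return False, "no certificate name covers this hostname"


if __name__ == "__main__":
    # Constructed sample: names as they might appear on a controller's captive
    # portal certificate (mydomain.com is the placeholder used in the thread).
    for names in (["captiveportal-login.mydomain.com"], ["*.mydomain.com"]):
        for addr in ("captiveportal-login.mydomain.com", "192.168.1.96", DEFAULT_FILLER):
            print(names, addr, check_address_field(addr, names))
```
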