
ClearPass Landing Page Redirect - Switch IP

I'm working with a customer who has APs split between their controllers. We are doing HTTPS login after registration and have a valid cert on both controllers. Problem is, we don't know which controller to submit to. I want to set up a landing page that keys off of the switch IP in the redirect to send them to registration pages that have NAS login to their respective controllers. Any chance someone has the code available to do this or knows what I need to write up?

 

Thanks.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Landing Page Redirect - Switch IP

Are you using different certs for the captive portal on each controller?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: ClearPass Landing Page Redirect - Switch IP

You should not need to do this if you’re using the same captive portal certificates on each controller (which is recommended).

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Landing Page Redirect - Switch IP

But don't we have to submit it back to a DNS name? The certs on the controllers are wildcard, but the DNS entries are different.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com
Guru Elite

Re: ClearPass Landing Page Redirect - Switch IP

No, the controller intercepts the request for the common name. You don’t need DNS entries for controllers for captive portal flows.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Landing Page Redirect - Switch IP

Ok, so what would I use in the nas-login address then? Just leave it securelogin.arubanetworks.com and it will find its way back to the controller?


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Landing Page Redirect - Switch IP

Just load the same cert for the captive portal on each controller and then use that name (securelogin.acme.com) in the ClearPass Guest page.

But if you don't want to do that then you will need to do the following:

* Create two user roles
* Create two captive portal profiles each pointing to a different captive portal page in ClearPass
* And in ClearPass you will need to do a policy where you need to send the user-role based on the NAS-IP

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite

Re: ClearPass Landing Page Redirect - Switch IP

You need to use the common name of your public CA-signed certificate. You cannot use securelogin.arubanetworks.com.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Landing Page Redirect - Switch IP

In the case of a wildcard certificate, you should use captiveportal-login.<suffix of your wildcard>: https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

 

And as mentioned elsewhere, there is no need to put that name in DNS anywhere, as the controller will intercept the DNS request and respond with the correct IP for the controller. For that same reason, you can put the same certificate on all your controllers.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
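
The naming rule from the reply above, as an added example (not part of the original posts and not Aruba or ClearPass code): a Python check that derives the `captiveportal-login` name from a wildcard certificate and tests whether a hostname entered as the NAS login address is covered by that wildcard. The wildcard `*.acme.com` and the host `ctrl1.wlan.acme.com` are constructed sample values; the single-label matching is the standard TLS wildcard rule (RFC 6125), assumed here to be what the client browser enforces.

```python
def wildcard_suffix(cert_name: str) -> str:
    """Return the suffix of a wildcard name, e.g. '*.acme.com' -> 'acme.com'."""
    name = cert_name.strip().lower().rstrip(".")
    # Only a single leading '*.' label over a multi-label suffix is accepted.
    if not name.startswith("*.") or "*" in name[2:] or name.count(".") < 2:
        raise ValueError(f"not a usable wildcard name: {cert_name!r}")
    return name[2:]


def portal_login_name(cert_name: str) -> str:
    """Name to put in the guest page, per the thread: captiveportal-login.<suffix>."""
    return "captiveportal-login." + wildcard_suffix(cert_name)


def matches_wildcard(hostname: str, cert_name: str) -> bool:
    """True if hostname is covered by the wildcard (exactly one extra label)."""
    suffix = wildcard_suffix(cert_name)
    host = hostname.strip().lower().rstrip(".")
    label, _, rest = host.partition(".")
    # The wildcard stands for one non-empty leftmost label only.
    return bool(label) and rest == suffix


def check_nas_login_hosts(cert_name: str, hosts: list[str]) -> dict[str, bool]:
    """Map each candidate NAS login hostname to whether the cert covers it."""
    return {h: matches_wildcard(h, cert_name) for h in hosts}


if __name__ == "__main__":
    cert = "*.acme.com"  # constructed wildcard, loaded on every controller
    candidates = [
        portal_login_name(cert),          # name recommended in the thread
        "securelogin.arubanetworks.com",  # default name, not under the wildcard
        "ctrl1.wlan.acme.com",            # constructed: two labels below the suffix
        "acme.com",                       # bare suffix is not covered by '*.'
    ]
    for host, ok in check_nas_login_hosts(cert, candidates).items():
        print(f"{host:35} {'covered' if ok else 'NOT covered'}")
```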

Re: ClearPass Landing Page Redirect - Switch IP

That worked perfectly. Thank you all for your help and insight into this.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com