Occasional Contributor II

ClearPass Self-Registration Page - HTTPS Error

Hi,

I'm Janish. I'm new to Aruba wireless and the ClearPass server. Recently I deployed an Aruba wireless infrastructure with Aruba ClearPass.

For guests we implemented a self-registration page. But at first we were receiving an HTTPS error since we didn't have a trusted certificate. We also had issues with iOS 11 clients connecting to this network since Apple has increased the encryption to SHA-2.

So on the advice of Aruba TAC we bought two SSL certificates from GoDaddy for ClearPass and the Controller.

But even after uploading this certificate, the clients are still getting an HTTPS error before getting the Captive Portal Page.

As per my understanding, since we have uploaded the trusted SSL certificate we should not get this error and it should get automatically redirected to the Captive Portal Page. Am I right?

Or is this expected behavior?

Please help me.

Thank You.

Guru Elite

Re: ClearPass Self-Registration Page - HTTPS Error

If the user attempts to go to an HTTPS page prior to redirection, they will receive a certificate error.

However, the device should be using its native captive portal detection mechanisms. If that is not happening, verify you're not bypassing them.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass Self-Registration Page - HTTPS Error

Hi Tim,

Thanks a lot for your feedback.

Most of the users are dumb users and it's a big office with a lot of guests coming in daily. So most of them are trying to access google.com first.

But they are getting an HTTPS error message even after installing the SSL certificate from GoDaddy. Is it expected behaviour?

Or is there any workaround so that we can remove this HTTPS error?

Occasional Contributor II

Re: ClearPass Self-Registration Page - HTTPS Error

Hi Tim,

Is there a way to force the captive portal page at the same time when the client is trying to connect to the SSID, so that they won't type in google.com?

Where can I check the native captive portal mechanism in the controller?

Thank You.

Re: ClearPass Self-Registration Page - HTTPS Error

What happens if they type cnn.com first? Do they get a portal?
Tim is correct, the device portal assistant should trigger and load the captive portal page for the user.

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACCA
[If you found my post helpful, please give kudos!]
Occasional Contributor II

Re: ClearPass Self-Registration Page - HTTPS Error

When they go to cnn.com, which is an HTTP website, the portal comes up immediately.

The problem here is that this is a big insurance company and there are lots of guests coming in daily. So it's not possible to tell every customer to go to cnn.com. The problem here is that 90% of the guests first go to google.com and they are getting this error.

From what I read, I understand the only solution for this is what Tim mentioned earlier about captive portal detection.

But the Apple devices are not getting the CNA pop-up. Even though we didn't enable the CNA Bypass in ClearPass, the CNA is not working for Apple devices.

Will there be anything in the controller or ClearPass bypassing this?

Is there any way to check this?

Thank You

Guru Elite

Re: ClearPass Self-Registration Page - HTTPS Error

What are you whitelisting in your pre-auth role?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: ClearPass Self-Registration Page - HTTPS Error

Hi Tim,

I didn't whitelist anything. It is all default settings.

Here is my WLC page. Please let me know if there is any mistake.

[Attached screenshots: WLC.png, WLC-1.png]


Re: ClearPass Self-Registration Page - HTTPS Error

Ensure in your Initial Role you are only permitting HTTP/HTTPS access to ClearPass, because if you allow HTTP/HTTPS to anywhere the Apple CNA will not work.

Apple devices try to reach captive.apple.com and if they can, they will assume there is no captive portal. Try explicitly denying captive.apple.com above the permit for HTTP/HTTPS and see if that makes it pop up.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
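
One way to check what the initial role does with the Apple probe described in the reply above, as an added example that is not from the thread or from Aruba: it classifies the raw output of `curl -i http://captive.apple.com/hotspot-detect.html` taken from a client that has not yet registered. The probe path, the "Success" body, the portal hostname `clearpass.example.com` and its path are assumptions, and both sample responses are constructed.

```python
"""Classify the answer a pre-auth client gets for Apple's captive-portal probe.

Added example. Assumption: the probe is a plain-HTTP GET to captive.apple.com
whose unrestricted answer is a 200 page containing the word "Success".
"""
from urllib.parse import urlsplit

# Constructed samples, not captured from the poster's network.
SAMPLE_OPEN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>")
SAMPLE_CAPTIVE = ("HTTP/1.1 302 Found\r\n"
                  "Location: https://clearpass.example.com/guest/register.php\r\n\r\n")


def parse_response(raw: str):
    """Split raw `curl -i` output into (status, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = int(lines[0].split()[1])      # "HTTP/1.1 302 Found" -> 302
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify(raw: str, portal_host: str) -> str:
    """Return what the pre-auth role did with the probe request."""
    if not raw.strip():
        return "blocked"                   # no answer: denied or dropped
    status, headers, body = parse_response(raw)
    if status == 200 and "Success" in body:
        return "passed"                    # probe reached the Internet unmodified
    if status in (301, 302, 303, 307):
        target = urlsplit(headers.get("location", "")).hostname
        # Only a redirect to the expected portal host counts as a portal redirect.
        return "redirected" if target == portal_host else "redirected-elsewhere"
    return "unexpected"


if __name__ == "__main__":
    for label, raw in (("open", SAMPLE_OPEN), ("captive", SAMPLE_CAPTIVE), ("empty", "")):
        print(label, "->", classify(raw, "clearpass.example.com"))
```

A `passed` result from a client still in the initial role matches the condition the reply describes, where the device can reach captive.apple.com and assumes there is no captive portal.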