Contributor II
Posts: 38
Registered: ‎11-24-2014

Clearpass 6.4 broken https url redirect

On ClearPass 6.4, captive portal URL redirection does not work properly; some browsers will show this error:

"err_cert_common_name_invalid". On the client browser the captive portal does not load, or the browser gets stuck loading... In Safari it is the mobility controller's certificate which is shown to the client, and this will cause an error since the page URL is https://cppm.domain.

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: Clearpass 6.4 broken https url redirect

If the site you are trying to go to is an https site, this will always happen because the SSL certificate on the controller and the SSL certificate on the https website do not match. If that is what is happening, there is not a real way around that. Try going to a non-https site to see if that is your issue.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: Clearpass 6.4 broken https url redirect

You mean the SSL certificate on ClearPass..

There must be something wrong with the way the mobility controller handles the URL redirection logic. When a user types https://domain.com, the controller will "hijack" the request and return the ClearPass captive portal, https://cppm.com, to the client browser. On the ClearPass side, it will just receive the request and reply to the https request.

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: Clearpass 6.4 broken https url redirect

Without knowing anything more specific than what you are saying, both the controller's SSL certificate and the ClearPass SSL certificate are involved in the redirect. They both have to be (public) certificates trusted by the client to be seamless.... If the page the client is initially requesting is https (https://www.yahoo.com), that could potentially create an issue.

 

We could be talking about two things:

1.  Initial Redirect when the client first opens the browser 

2.  After the client clicks on submit for their credentials.

 

Which one are you referring to?

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 38
Registered: ‎11-24-2014

Re: Clearpass 6.4 broken https url redirect

Initial redirect. Then again, the logic of the URL redirect should be: anything the user wants to browse to, on the initial request, should be "hijacked" and replaced with "https://cppm.com".

Guru Elite
Posts: 21,028
Registered: ‎03-29-2007

Re: Clearpass 6.4 broken https url redirect

If the initial request when the client is opening the browser is an https site, there will be an error because the site we are redirecting the client to for CPPM does not match the certificate for the site the client is requesting (https://www.yahoo.com does not match https://cppm). You can test this by having the client initially request a non-https site. Sites like Yahoo and Google that are 100% https present this issue.

 

I am not sure there is a solution to this.  Please let me know if you get the same issue when you have the client initially request a non-https site...



Colin Joseph
Aruba Customer Engineering


MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: Clearpass 6.4 broken https url redirect

wireless_network10, you are running into the HSTS issue: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
Your clients must try a non-https request to get the captive portal.
Unless you begin whitelisting certain domains, which is a workaround.

We are going through the same thing
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
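The two mechanisms discussed in the replies above, the certificate name mismatch when an HTTPS request is intercepted (Colin's posts) and the HSTS upgrade that keeps the browser from ever sending the plaintext request the redirect needs (pmonardo's post), reproduced as an added Go example. This is not code from the thread or from any Aruba/ClearPass product: it stands up a local TLS listener that plays the controller with a self-signed certificate for the hypothetical portal name cppm.example.com, then dials it the way a browser would, once for the portal name and once for www.yahoo.com. The portal certificate is added to the client's trust store so that the only thing left to fail is the hostname check. The HSTS header value is a constructed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strconv"
	"strings"
	"time"
)

// Hypothetical portal hostname standing in for the ClearPass/controller name.
const portalHost = "cppm.example.com"

// newPortalCert builds a self-signed server certificate for host, plus a pool
// that trusts it, so the client side can fail only on the hostname check.
func newPortalCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// interceptedHandshake plays the controller: it answers a TLS connection the
// client meant for requestedHost with the portal certificate. It returns
// (true, nil) if the client accepts, or (false, err) with the client's error.
func interceptedHandshake(requestedHost string, portalCert tls.Certificate, trusted *x509.CertPool) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{portalCert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // server side; any failure surfaces on the client
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		ServerName: requestedHost, // browsers check the certificate against the host they asked for
		RootCAs:    trusted,       // even with the portal CA trusted, the name still has to match
	})
	if err != nil {
		return false, err
	}
	conn.Close()
	return true, nil
}

// isNameMismatch reports whether err is the hostname check failing (what Chrome
// renders as ERR_CERT_COMMON_NAME_INVALID) rather than some other TLS error.
func isNameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// hstsForcesHTTPS parses a Strict-Transport-Security header value and reports
// whether a browser that has cached it will rewrite http:// to https:// (max-age > 0).
// While that policy is in force the plaintext request the portal redirect needs is never sent.
func hstsForcesHTTPS(header string) bool {
	for _, d := range strings.Split(header, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(d), "=")
		if !ok || !strings.EqualFold(k, "max-age") {
			continue
		}
		n, err := strconv.Atoi(strings.Trim(v, `"`))
		return err == nil && n > 0
	}
	return false
}

func main() {
	cert, pool, err := newPortalCert(portalHost)
	if err != nil {
		panic(err)
	}
	for _, host := range []string{portalHost, "www.yahoo.com"} {
		ok, err := interceptedHandshake(host, cert, pool)
		fmt.Printf("client asked for %-17s accepted=%-5v name mismatch=%v\n", host, ok, isNameMismatch(err))
	}
	fmt.Println("HSTS upgrade to https:", hstsForcesHTTPS("max-age=31536000; includeSubDomains"))
}
```

Run it with `go run .`: the handshake for the portal name succeeds, the one for www.yahoo.com fails with a hostname error even though the portal certificate is trusted, which is exactly why an intercepted HTTPS first request cannot be made seamless by buying a better certificate. Whitelisting, as mentioned in the thread, means letting those HTTPS destinations through without interception, so the error disappears but the redirect never fires for them either.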
MVP
Posts: 1,413
Registered: ‎11-30-2011

Re: Clearpass 6.4 broken https url redirect

[EDIT] Sorry for the hijack of the thread.

pmonardo, could you explain how HSTS plays into this? As far as I know it forces you to access a site over HTTPS, but with a "hijack" like the one a captive portal uses I believe you will run into issues even if HSTS isn't used.

Regular Contributor I
Posts: 188
Registered: ‎03-22-2013

Re: Clearpass 6.4 broken https url redirect

Is this still the way it is? We've just started piloting our Captive Portal and are getting reports that it doesn't work, as most people's browsers are trying to connect to https://www.google.com and see the "Your connection is not private" error.

Yes, if they do go to a non-https site, the CP login page kicks in.. but shouldn't the hijack and redirect happen regardless of the URL they are trying to connect to?

We are a large site, and trying to tell users that they have to go to a non-https site (when most probably wouldn't really understand this) would be an impossible task. People just discover there is a Guest network available, select it, then read the T&Cs and register... but they don't get any of this where an https page is trying to be fetched, so they simply think it's broken!

MVP
Posts: 1,422
Registered: ‎10-25-2011

Re: Clearpass 6.4 broken https url redirect

This is normal as Google is requesting a certificate which you cannot provide. Expected behavior and your users will need to go through an http site unfortunately. We are dealing with similar issues and can "hack" our way around it by whitelisting, etc..but not the best way to do it...

Read up on HSTS

I'm on mobile so I can't give more info right now...


Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]