Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest certificate error for guest visitors

  • 1.  Clearpass Guest certificate error for guest visitors

    Posted Dec 30, 2014 09:49 AM

    Hello

    We have a client who doesn't want the typical certificate error to appear to their guests.

    Like when you self-register, you are redirected to the captive portal of the ClearPass, but before that the guest gets this:

    [image: certificteerror.png]

     

    I believe, and I'm just verifying with you guys, that you just need to buy a public certificate like Verisign or GoDaddy, as the certificate presented to the guest right now is the Aruba one, and as they do not have that root certificate on their machines they get that error. If I had a public one installed on the ClearPass then I would not have this certificate error, right?

     

    Another question, if that is correct:

    What type of certificate should we buy for this?

    Anything else I need to keep in mind for this?



  • 2.  RE: Clearpass Guest certificate error for guest visitors

    EMPLOYEE
    Posted Dec 30, 2014 09:52 AM

    Yes, you would need a publicly signed certificate. In this case, you would need a SAN certificate with both the IP address(es) and DNS name(s) (since it appears you are using the IP address in the redirect).

     

    Keep in mind that most CAs will not issue certificates with private IPs in the SAN field.

     

    Your other option is to disable SSL if you're not capturing sensitive information.



  • 3.  RE: Clearpass Guest certificate error for guest visitors

    Posted Dec 30, 2014 09:58 AM

    When you say 2 IP addresses, you mean the ClearPass IP address and which other IP address?

    What I have configured on the captive portal profile on the controller is a redirect to https://<IP address of the ClearPass>/guest/login.php, which points to the ClearPass.

    Is there any TechNote about that?

     

     

    Cheers

    Carlos

     

     



  • 4.  RE: Clearpass Guest certificate error for guest visitors

    EMPLOYEE
    Posted Dec 30, 2014 10:00 AM

    Why are you using IP address and not DNS name?



  • 5.  RE: Clearpass Guest certificate error for guest visitors

    Posted Dec 30, 2014 10:01 AM

    I could change it, not a problem. But the IP is not gonna change. Any advantage of using the DNS name in this case?

     

    Cheers

    Carlos



  • 6.  RE: Clearpass Guest certificate error for guest visitors

    EMPLOYEE
    Posted Dec 30, 2014 10:02 AM

    If you use the DNS name of the VIP, you only need a basic SSL certificate (~$99).
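
The point made in replies 2 and 6, as an added example that is not part of the original thread: a browser matches an IP literal in the redirect URL only against IP entries in the certificate's SAN, and a hostname only against DNS entries. The function names, addresses and hostnames below are constructed for illustration; the SAN list uses the layout returned by Python's `ssl.getpeercert()`.

```python
import ipaddress
from urllib.parse import urlsplit

def _dns_match(pattern: str, host: str) -> bool:
    """Match a DNS SAN entry; '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]

def check_redirect(url: str, san: list[tuple[str, str]]) -> dict:
    """Report whether the host in a captive portal redirect URL is covered by
    the SAN entries, e.g. [('DNS', 'guest.example.com'), ('IP Address', '10.1.1.5')]."""
    host = urlsplit(url).hostname or ""
    result = {"host": host, "kind": "dns", "covered": False, "note": ""}
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        result["kind"] = "ip"
        # An IP literal is compared only with IP SAN entries, never DNS ones.
        result["covered"] = any(
            t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in san)
        if ip.is_private:
            result["note"] = "private IP: most CAs will not issue a SAN for it"
    else:
        result["covered"] = any(t == "DNS" and _dns_match(v, host) for t, v in san)
    return result

if __name__ == "__main__":
    # Constructed sample: a basic certificate carrying a single DNS name.
    basic_cert_san = [("DNS", "guest.example.com")]
    for url in ("https://10.1.1.5/guest/login.php",
                "https://guest.example.com/guest/login.php"):
        print(url, check_redirect(url, basic_cert_san))
```
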



  • 7.  RE: Clearpass Guest certificate error for guest visitors

    Posted Dec 30, 2014 10:06 AM

    There we go then :)

     

    Right now they have the DNS name configured in their DNS server.

    For now the clients are using a public DNS server. With the IP address I don't have any issue with that.

    If I put the DNS name, then I would need to change the DNS server of the DHCP server of the clients to point to the internal DNS server so they can resolve who the ClearPass is.



  • 8.  RE: Clearpass Guest certificate error for guest visitors

    EMPLOYEE
    Posted Dec 30, 2014 10:08 AM

    Does the router handling your guest network support DNS proxy? If so, just add in a static DNS entry pointing to ClearPass and point the guest users to the router for DNS.



  • 9.  RE: Clearpass Guest certificate error for guest visitors

    Posted Dec 30, 2014 10:17 AM

    Well, the controller is doing that. Does the controller support this? I have never configured it before, though.

    On the controller I have it configured this way:

    A VLAN that only exists in the controller, and I'm NATing the guest users through the IP of the controller.

    Another question: is the VIP on a standalone ClearPass already configured? I mean, I just configured the normal IP address on the ClearPass and that's it.

    I'm not using a VIP as I don't have 2 nodes or anything like that. So it is not configured.

     

     

    Cheers

    Carlos

     

     



  • 10.  RE: Clearpass Guest certificate error for guest visitors

    Posted Dec 31, 2014 02:17 AM

    Here is my Technote in CPPM PKI. Please always check for TechNotes.

     

     

    CPPM - Certificates 101 Technote V1.0 .pdf

     

    All other TechNotes here.... 

     

    http://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961