Contributor II

Clearpass guest certificate problem.

Hello;

I have a 7240 controller with a captive portal auth, pointing to a ClearPass guest instance. The controller has a valid public cert (controller.domain.com) and ClearPass has a valid public wildcard cert (*.cppm.domain.com).

The problem I'm having is that the redirect generates a certificate error, but not for the page the user is going to. The browser is getting the controller.domain.com cert from the ClearPass login page, and of course failing because the name isn't right.

So here's the rub. This used to work. Recently. The last deliberate change I made was to reorder my VIPs and that was before Christmas. So either something else in my environment changed, or my students just never reported a problem until now.

Does anyone have any suggestions for a good place to start looking? I just did an upgrade to the most current GA ClearPass but that didn't help.

Guru Elite

Re: Clearpass guest certificate problem.

If you try to go to an HTTP page, do you still get the error on redirect?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: Clearpass guest certificate problem.

Yes. It actually pops the error up as soon as the Apple captive portal detector fires, so I don't have to enter any URL at all.

Re: Clearpass guest certificate problem.

Andrew,

You might try removing the redirect on HTTPS, leaving just the HTTP redirect. And read this article on the why: http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

If that does not help, I would try to reproduce the issue on a laptop running Chrome, and use the developer tools (Ctrl-Shift-I) to trace the network traffic. There must be a moment where the client is connecting to the wrong system (can be a redirect!) which is causing that certificate warning.

What also helps is investigating the warning: see what certificate you see and what URL you try to reach. If you know that, you are probably at 80% of resolving your issue. That will also help you to determine if it was indeed your changes that introduced this behavior.

As discussed in the referenced article, we (as an industry) taught people to ignore security warnings and click through. So I wouldn't take the observation that you didn't get complaints as proof that the issue wasn't there.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
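An added example (not part of the thread and not any poster's code) of the check suggested above: for each request in a browser network trace, compare the host in the URL with the names on the certificate that was presented. The trace below is constructed, and `guest.cppm.domain.com` and the `/login` paths are hypothetical placeholders; only `controller.domain.com` and `*.cppm.domain.com` come from the original post.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' stands for exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans several labels or zero labels
    if p[0] == "*":
        return len(p) > 2 and bool(h[0]) and p[1:] == h[1:]
    return p == h

def find_mismatches(hops):
    """hops: (url, [names on the presented cert]) in request order.
    Returns (url, host, names) for each HTTPS hop whose cert does not cover the host."""
    bad = []
    for url, names in hops:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue  # plain HTTP hop: no certificate is presented
        host = parts.hostname or ""
        if not any(name_matches(n, host) for n in names):
            bad.append((url, host, names))
    return bad

# Constructed trace reproducing the symptom from the first post: the ClearPass
# login host answers with the controller's certificate.
SAMPLE_HOPS = [
    ("http://captive.apple.com/hotspot-detect.html", []),
    ("https://controller.domain.com/login", ["controller.domain.com"]),
    ("https://guest.cppm.domain.com/login", ["controller.domain.com"]),
]

if __name__ == "__main__":
    for url, host, names in find_mismatches(SAMPLE_HOPS):
        print(f"MISMATCH: {url} requested {host}, certificate names {names}")
```

The hop it flags is the point where the client reached a system other than the one named in the URL, which is the place to look for a changed VIP, DNS record or redirect rule.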