01-17-2017 04:19 PM
I have a 7240 controller with a captive portal auth, pointing to a Clearpass guest instance. The controller has a valid public cert (controller.domain.com) and clearpass has a valid public wildcard cert (*.cppm.domain.com).
The problem I'm having is that the redirect generates a certificate error, but not for the page the user is going to. The browser is getting the controller.domain.com cert from the clearpass login page, and of course failing because the name isn't right.
So here's the rub. This used to work. Recently. The last deliberate change I made was to reorder my VIPs and that was before Christmas. So either something else in my environment changed, or my students just never reported a problem until now.
Does anyone have any suggestions for a good place to start looking? I just did an upgrade to the most current GA clearpass but that didn't help.
01-18-2017 01:18 AM
You might try removing the redirect on HTTPS, leaving just the HTTP redirect. And read this article on the why: http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921
If that does not help, I would try if I could reproduce the issue on a laptop running Chrome, and use the developer tools (Ctrl-Shift-I) to trace the network traffic. There must be a moment where the client is connecting to the wrong system (can be a redirect!) which is causing that certificate warning.
What also helps is investigating the warning: see what certificate you see and what URL you try to reach. If you know that, you are probably at 80% of resolving your issue.That will also help you to determine if it were indeed your changes that introduced this behavior.
As discussed in the referred article, we (as an industry) taught people to ignore security warnings and click-through. So I wouldn't take the observation that you didn't get complaints as a proof that the issue wasn't there.
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).