Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass guest certificate problem.

  • 1.  Clearpass guest certificate problem.

    Posted Jan 17, 2017 07:20 PM

    Hello;

     

    I have a 7240 controller with a captive portal auth, pointing to a Clearpass guest instance. The controller has a valid public cert (controller.domain.com) and clearpass has a valid public wildcard cert (*.cppm.domain.com).

     

    The problem I'm having is that the redirect generates a certificate error, but not for the page the user is going to.  The browser is getting the controller.domain.com cert from the clearpass login page, and of course failing because the name isn't right.

     

    So here's the rub.  This used to work. Recently. The last deliberate change I made was to reorder my VIPs and that was before Christmas. So either something else in my environment changed, or my students just never reported a problem until now. 

     

    Does anyone have any suggestions for a good place to start looking? I just did an upgrade to the most current GA clearpass but that didn't help.



  • 2.  RE: Clearpass guest certificate problem.

    EMPLOYEE
    Posted Jan 17, 2017 07:23 PM

    If you try to go to an HTTP page, do you still get the error on redirect?



  • 3.  RE: Clearpass guest certificate problem.

    Posted Jan 17, 2017 07:37 PM

    Yes.  It actually pops the error up as soon as the Apple captive portal detector fires, so I don't have to enter any URL at all.



  • 4.  RE: Clearpass guest certificate problem.

    EMPLOYEE
    Posted Jan 18, 2017 04:18 AM

    Andrew,

     

    You might try removing the redirect on HTTPS, leaving just the HTTP redirect. And read this article on the why: http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

     

    If that does not help, I would see if I could reproduce the issue on a laptop running Chrome, and use the developer tools (Ctrl-Shift-I) to trace the network traffic. There must be a moment where the client is connecting to the wrong system (can be a redirect!) which is causing that certificate warning.

     

    What also helps is investigating the warning: see what certificate you see and what URL you try to reach. If you know that, you are probably at 80% of resolving your issue. That will also help you to determine if it was indeed your changes that introduced this behavior.

     

    As discussed in the referenced article, we (as an industry) taught people to ignore security warnings and click through. So I wouldn't take the observation that you didn't get complaints as proof that the issue wasn't there.
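
The check suggested in the last reply (for each hop in the redirect chain, compare the host in the URL with the names on the certificate that was presented) can be scripted. This is an added example, not part of the thread or of any Aruba tooling; the trace, the `guest.cppm.domain.com` host and the URL paths are constructed, using the certificate names from the first post.

```python
from urllib.parse import urlsplit

def name_matches(pattern: str, host: str) -> bool:
    """Hostname check as browsers do it: '*' may only be the whole
    leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # reject overly broad wildcards such as '*.com'
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def find_mismatches(hops):
    """hops: list of (url, [names on the presented certificate]).
    Returns (url, host, cert_names) for every HTTPS hop whose
    certificate does not cover the host the client asked for."""
    bad = []
    for url, cert_names in hops:
        parts = urlsplit(url)
        if parts.scheme != "https":
            continue  # plain HTTP hops present no certificate
        host = parts.hostname
        if not any(name_matches(n, host) for n in cert_names):
            bad.append((url, host, cert_names))
    return bad

# Constructed trace, as it could be written down from the browser's
# developer tools: one entry per request, with the certificate names
# shown for that connection. Hosts under cppm.domain.com and all
# paths are hypothetical.
TRACE = [
    ("http://probe.example/hotspot-detect.html", []),
    ("https://controller.domain.com/login", ["controller.domain.com"]),
    ("https://guest.cppm.domain.com/guest/login.php", ["controller.domain.com"]),
]

if __name__ == "__main__":
    for url, host, names in find_mismatches(TRACE):
        print(f"MISMATCH at {url}: asked for {host}, certificate is for {names}")
```

Note that a `*.cppm.domain.com` wildcard covers `guest.cppm.domain.com` but neither `cppm.domain.com` itself nor a deeper name such as `a.b.cppm.domain.com`.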