Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass https certificate SAN

  • 1.  Clearpass https certificate SAN

    Posted Feb 05, 2016 08:48 AM

    Hi,

    I have the following on my Aruba controller:

    login-page "https://192.168.203.30/guest/guest.php"

    Whenever a user connects his browser gets a warning in IE or Chrome because the Clearpass server https certificate has CN=wifi-003 instead of 192.168.203.30.  It is possible to continue, but not a nice setup.

    The logical solution would be to create a self-signed certificate and register the name in DNS.

    Here comes the problem...  The certificate signing server is in a domain which is not externally available.  So let's assume it's in domain contosa.com.  This domain is only available internally.

    So I could create a self-signed certificate wifi-003.contosa.com and change the login-page to:

    login-page "https://wifi-003.contosa.com/guest/guest.php"

    but nobody could resolve it, since the guest network only has Google's DNS servers for resolving.

    I do not have any detail on what a browser verifies, but I assume creating a self-signed certificate on the certificate server in domain contosa.com with CN=wifi-003.contosanew.com would also not work?

    I noticed, however, that the SAN option in the CSR is available in Clearpass.  Can this one be used to specify a FQDN which we do own?  And then specify that FQDN in the login-page?



  • 2.  RE: Clearpass https certificate SAN

    EMPLOYEE
    Posted Feb 05, 2016 09:39 AM

    Pnobels,

    There are two requirements for the message not to show up:

    1 - The Client Trusts the Certificate or the CA that issued the certificate

    2 - The SAN matches the redirect address

    For #1, you need a public certificate.  For #2, you need a cert with a proper SAN FQDN.  Unfortunately, public CAs only issue public certificates for domains that you own publicly, so you must own the domain to get a public FQDN certificate for it.  Please see "CA changes for Internal FQDN’s and RFC1918" in the Certificates 101 Technote here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184
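A small checker for requirement #2 above, the way a browser applies it: the host in the controller's login-page directive is compared against the certificate's SAN entries, an IP-literal redirect only ever matches an iPAddress SAN, and the CN is ignored once any SAN is present. This is an added example, not ClearPass or Aruba code; the certificate dictionaries and the `DNS:` / `IP:` SAN notation are constructed for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample input: the controller line quoted in the thread, the
# certificate as described (CN only) and a corrected one carrying SAN entries.
LOGIN_PAGE_LINE = 'login-page "https://192.168.203.30/guest/guest.php"'
CURRENT_CERT = {"cn": "wifi-003", "san": []}
FIXED_CERT = {"cn": "wifi-003",
              "san": ["DNS:wifi-003.contosa.com", "IP:192.168.203.30"]}


def redirect_host(config_line: str) -> str:
    """Extract the host part of a login-page directive (the quoted URL)."""
    url = config_line.split('"', 2)[1]
    return urlsplit(url).hostname


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName match: exact, or one leftmost wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    # The wildcard covers exactly one label and must not sit above a bare TLD.
    return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]


def cert_matches(cert: dict, host: str, allow_cn_fallback: bool = False) -> bool:
    """Decide whether a browser would accept `cert` for a redirect to `host`.

    SAN entries are authoritative; an IP literal in the URL needs an IP SAN
    (a dNSName that merely looks like an IP does not count).  The CN is only
    consulted for legacy clients when no SAN exists and the flag is set.
    """
    try:
        ip = ip_address(host)
    except ValueError:
        ip = None
    sans = cert.get("san", [])
    if not sans:
        return allow_cn_fallback and ip is None and _dns_match(cert["cn"], host)
    for entry in sans:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP" and ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, host):
            return True
    return False
```

Running `cert_matches(CURRENT_CERT, redirect_host(LOGIN_PAGE_LINE))` reproduces the warning from the first post (no SAN, IP redirect), while `FIXED_CERT` passes for both the IP and the FQDN form of the login-page.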



  • 3.  RE: Clearpass https certificate SAN

    EMPLOYEE
    Posted Feb 05, 2016 10:57 AM

    For the DNS issue, you have two options:

    - Add ClearPass IP to public DNS

    - Utilize the DNS proxy feature of your upstream router



  • 4.  RE: Clearpass https certificate SAN

    Posted Dec 25, 2018 07:34 AM

    Hi Tim,

    in addition to:

    - Add ClearPass IP to public DNS

    - Utilize the DNS proxy feature of your upstream router


    we can set up 2 DNS servers in the guest users' DHCP pool with

    DNS1: public DNS (like 8.8.8.8)

    DNS2: private DNS (containing the CP hostname IP resolution entry).


    It should work correctly? Any caveats?