Contributor II
Posts: 64
Registered: ‎01-25-2013

Clearpass https certificate SAN

Hi,

 

I have the following on my Aruba controller:

 

login-page "https://192.168.203.30/guest/guest.php"

 

Whenever a user connects, his browser gets a warning in IE or Chrome because the ClearPass server HTTPS certificate has CN=wifi-003 instead of 192.168.203.30.  It is possible to continue, but it is not a nice setup.

 

The logical solution would be to create a self-signed certificate and register the name in DNS.

Here comes the problem...  The certificate signing server is in a domain which is not externally available.  So let's assume it's in domain contosa.com.  This domain is only available internally.

So I could create a self-signed certificate wifi-003.contosa.com, change the login-page to:

 

login-page "https://wifi-003.contosa.com/guest/guest.php"

 

but nobody could resolve it since the guest network only has Google's DNS servers for resolving.

 

I do not have any detail on what a browser verifies, but I assume creating a self-signed certificate on the certificate server in domain contosa.com with CN=wifi-003.contosanew.com also would not work?

 

I noticed, however, that the SAN option in the CSR is available in ClearPass.  Can this one be used to specify an FQDN which we do own?  And then specify that FQDN in the login-page?

Guru Elite
Posts: 20,001
Registered: ‎03-29-2007

Re: Clearpass https certificate SAN

Pnobels,

 

There are two requirements for the message not to show up:

 

1 - The Client Trusts the Certificate or the CA that issued the certificate

2 - The SAN matches the redirect address

 

For #1, you need a public certificate.  For #2, you need a cert with a proper SAN FQDN.  Unfortunately, public CAs only issue public certificates for domains that you own publicly, so you must own the domain to get a public FQDN certificate for it.  Please see "CA changes for Internal FQDN’s and RFC1918" in the Certificates 101 Technote here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184

 

 

Colin Joseph
Aruba Customer Engineering

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
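Requirement #2 from the reply above, written out as a check (an added example, not part of the original posts and not Aruba code). It assumes certificates in the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`, uses constructed sample certificates, and ignores the subject CN the way current browsers do; it does not test requirement #1 (trust in the issuing CA).

```python
import ipaddress
from urllib.parse import urlsplit

def san_matches(login_page_url, cert):
    """Return True if the certificate's SAN covers the host in login_page_url."""
    host = urlsplit(login_page_url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An IP literal in the URL only matches an "IP Address" SAN entry,
        # never a DNS entry and never the CN.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target_ip
                   for kind, value in sans)
    labels = host.lower().rstrip(".").split(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".").split(".")
        if len(pattern) != len(labels):
            continue
        # A wildcard is honoured only as the entire left-most label.
        if pattern[0] == "*" and len(pattern) > 2:
            if pattern[1:] == labels[1:]:
                return True
        elif pattern == labels:
            return True
    return False

# Constructed sample: the situation in the question (CN=wifi-003, assumed no SAN).
CN_ONLY_CERT = {"subject": ((("commonName", "wifi-003"),),), "subjectAltName": ()}
# Constructed sample: a certificate carrying the FQDN from the question as a DNS SAN.
FQDN_CERT = {"subject": ((("commonName", "wifi-003.contosa.com"),),),
             "subjectAltName": (("DNS", "wifi-003.contosa.com"),)}

if __name__ == "__main__":
    for url, cert in [
        ("https://192.168.203.30/guest/guest.php", CN_ONLY_CERT),
        ("https://192.168.203.30/guest/guest.php", FQDN_CERT),
        ("https://wifi-003.contosa.com/guest/guest.php", FQDN_CERT),
    ]:
        print(url, "->", "match" if san_matches(url, cert) else "name mismatch")
```

Only the last combination matches: the `login-page` URL has to use the same FQDN that appears in the certificate's SAN, and that name has to resolve for guests.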
Guru Elite
Posts: 7,853
Registered: ‎09-08-2010

Re: Clearpass https certificate SAN

For the DNS issue, you have two options:

- Add ClearPass IP to public DNS

- Utilize the DNS proxy feature of your upstream router


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP