02-05-2016 05:48 AM
I have the following on my Aruba controller:
Whenever a user connects his browser gets a warning in IE or Chrome because the Clearpass server https certificate has CN=wifi-003 instead of 192.168.203.30. It is possible to continue, but not a nice setup.
The logical solution would be to create a self-signed certificate and register the name in DNS.
Here comes the problem... The certificate signing server is in a domain which is not externally available. So let's assume it's in the domain contosa.com. This domain is only available internally.
So I could create a self-signed certificate for wifi-003.contosa.com and change the login page to:
but nobody could resolve it, since the guest network only has Google's DNS servers for resolving.
I do not have any detail on what a browser verifies, but I assume creating a self-signed certificate on the certificate server in domain contosa.com with CN=wifi-003.contosanew.com also would not work?
I noticed however the SAN option in the CSR is available in Clearpass. Can this one be used to specify a FQDN which we do own? And then specify that FQDN in the login-page?
02-05-2016 06:38 AM
There are two requirements for the message not to show up:
1 - The Client Trusts the Certificate or the CA that issued the certificate
2 - The SAN matches the redirect address
For #1, you need a public certificate. For #2, you need a cert with a proper SAN FQDN. Unfortunately, public CAs only issue public certificates for domains that you own publicly, so you must own the domain to get a public FQDN certificate for it. Please see "CA changes for Internal FQDN's and RFC1918" in the Certificates 101 Technote here: https://support.arubanetworks.com/Documentation/ta
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
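To make requirement #2 concrete, here is a small added example (not from the thread or from Aruba) that applies the browser's hostname-matching rules to the host part of the captive-portal redirect URL. It models what the poster sees: an IP-literal redirect (192.168.203.30) only ever matches an iPAddress SAN entry, a DNS-name redirect matches a dNSName SAN entry, and the CN is not consulted when a SAN is present (Chrome has ignored the CN entirely since version 58). The certificate identities and the public name `wifi-003.example.net` are constructed placeholders; `contosa.com` is the internal domain from the question. Requirement #1 (the client trusting the issuing CA) is a separate check that this example does not attempt.

```python
"""Hostname-matching check for a captive-portal (ClearPass) certificate.

Added example: applies RFC 6125 / RFC 2818 style matching to the host in the
portal redirect URL. Certificate identities below are constructed, not parsed
from a real certificate; CA trust (requirement #1) is out of scope here.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Names a certificate claims: subject CN plus SAN entries."""
    common_name: str
    san_dns: list = field(default_factory=list)   # dNSName SAN entries
    san_ip: list = field(default_factory=list)    # iPAddress SAN entries


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole
    left-most label, must leave at least two labels, and matches one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_matches_redirect(cert: CertIdentity, redirect_host: str) -> tuple:
    """Return (matches, reason) for the host part of the redirect URL."""
    try:
        wanted_ip = ipaddress.ip_address(redirect_host)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        # An IP-literal URL is compared only against iPAddress SAN entries;
        # CN=wifi-003 (or even CN=192.168.203.30) does not satisfy this.
        for entry in cert.san_ip:
            if ipaddress.ip_address(entry) == wanted_ip:
                return True, f"iPAddress SAN {entry} matches"
        return False, f"no iPAddress SAN entry equals {redirect_host}"

    if cert.san_dns:
        for entry in cert.san_dns:
            if _dns_name_matches(entry, redirect_host):
                return True, f"dNSName SAN {entry} matches"
        return False, f"no dNSName SAN entry matches {redirect_host}"

    # No SAN at all: the legacy CN fallback. Chrome (58+) and other current
    # browsers no longer accept it, so report it as a failure with the reason.
    if _dns_name_matches(cert.common_name, redirect_host):
        return False, "CN matches but there is no SAN; current browsers reject CN-only certificates"
    return False, f"CN {cert.common_name!r} does not match {redirect_host} and there is no SAN"


# Constructed scenarios mirroring the thread.
CURRENT_CERT = CertIdentity(common_name="wifi-003")            # what the poster has today
INTERNAL_CERT = CertIdentity(common_name="wifi-003.contosa.com",  # internal-only domain
                             san_dns=["wifi-003.contosa.com"])
PUBLIC_CERT = CertIdentity(common_name="wifi-003.example.net",    # placeholder for an owned public FQDN
                           san_dns=["wifi-003.example.net"])

if __name__ == "__main__":
    checks = [
        (CURRENT_CERT, "192.168.203.30"),        # IP redirect vs CN-only cert: warning
        (INTERNAL_CERT, "wifi-003.example.net"),  # wrong name in SAN: warning
        (PUBLIC_CERT, "wifi-003.example.net"),    # SAN equals redirect host: OK (if the CA is trusted)
    ]
    for cert, host in checks:
        ok, why = san_matches_redirect(cert, host)
        print(f"{host:24} -> {'OK  ' if ok else 'WARN'} {why}")
```

The third scenario is the one the thread converges on: put the publicly owned FQDN in the SAN, use that same FQDN in the login-page redirect, and resolve it for guests through public DNS. Passing this check only removes the name-mismatch warning; the certificate must additionally chain to a CA the guest devices trust.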
02-05-2016 07:57 AM
For the DNS issue, you have two options:
- Add ClearPass IP to public DNS
- Utilize the DNS proxy feature of your upstream router
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP