MVP

Controller claims certificate CN for its own?

So I've got a wildcard certificate formed as follows:

CN: host.domain.tld

SAN1: host.domain.tld

SAN2: *.domain.tld

host.domain.tld is NOT the controller, this is another actual server. The controller should respond to captiveportal-login.domain.tld.

I was trying to use (the wildcard portion of) this certificate on the controller for captive-portal authentication.

Now, this works. Guests get this valid certificate presented so no more cert errors.

What is problematic however is that wireless users on the secure (non-guest) SSID, trying to access the server at https://host.domain.tld, get redirected to https://host.domain.tld:4343 by the controller. The IP address also changes from the actual host to the controller's guest interface.

I understand that the controller grabs traffic for that CN for itself for guest users, but why is it intercepting DNS requests for users on other SSIDs?!

Is this expected behaviour or what am I missing here?

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Guru Elite

Re: Controller claims certificate CN for its own?

What user role are those devices in?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Controller claims certificate CN for its own?

As simple and open as I can get it:

(Aruba) #show rights user

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'user'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 24
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 78/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name             Type     Location
--------  ----             ----     --------
1         global-sacl      session
2         apprf-user-sacl  session
3         allowall         session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-user-sacl
---------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit                           Low                                                           4
2         any     any          any-v6                permit                           Low                                                           6

Expired Policies (due to time constraints) = 0


Koen (ACMX #351 | ACDX #547 | ACCP)

MVP

Re: Controller claims certificate CN for its own?

As simple as I can get it: allowall.


(Aruba) #show rights complete

Valid = 'Yes'
CleanedUp = 'No'
Derived Role = 'complete'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Number of users referencing it = 28
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Youtube education: Disabled
 Web Content Classification: Enabled
 ACL Number = 75/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                 Type     Location
--------  ----                 ----     --------
1         global-sacl          session  
2         apprf-complete-sacl  session  
3         allowall             session  

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-complete-sacl
-------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
allowall
--------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          any                   permit                           Low                                                           4        
2         any     any          any-v6                permit                           Low                                                           6        

Expired Policies (due to time constraints) = 0

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: Controller claims certificate CN for its own?

What's the output of "show datapath fqdn"?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Controller claims certificate CN for its own?

host.domain.tld

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: Controller claims certificate CN for its own?

That's why. You shouldn't use shared certificates from the rest of your environment with the controller. Use a dedicated certificate with an appropriate common name for your controllers.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Controller claims certificate CN for its own?

OK, that's the current behaviour... understood.

But can you explain why the controller would intercept DNS requests on an SSID where no role is configured to do so? Is there a good reason to do this?

It might be easier to accept this truth if I understand the why of it :)

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite

Re: Controller claims certificate CN for its own?

Because the controller will take the CN and add it as the redirect address in the controller when you import it.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
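As an added pre-import check (not from this thread, from Aruba, or from either poster), the Python below parses the CN and DNS SANs out of `openssl x509 -noout -subject -ext subjectAltName` output and flags a certificate whose CN names some other host, since the controller takes the CN as its captive portal redirect address on import. The sample openssl text is constructed to match the certificate Koen described; the intended controller name captiveportal-login.domain.tld comes from his post.

```python
import re

# Constructed sample of `openssl x509 -noout -subject -ext subjectAltName` output,
# matching the certificate described in the thread (not output captured there).
OPENSSL_TEXT = """\
subject=CN = host.domain.tld
X509v3 Subject Alternative Name:
    DNS:host.domain.tld, DNS:*.domain.tld
"""

def parse_cert_names(text):
    """Return (cn, [dns_san, ...]) from openssl -subject / -ext subjectAltName output."""
    m = re.search(r"^subject=.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return cn, sans

def _name_matches(pattern, fqdn):
    """Exact match, or a '*.x' wildcard covering exactly one label of fqdn."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".domain.tld"
        return fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]
    return pattern == fqdn

def check_controller_cert(cn, sans, controller_fqdn):
    """Findings for importing this cert as the controller's captive portal cert.

    The controller takes the CN as its redirect address on import (per the thread),
    so a CN that names another server means the controller will answer for that
    name for every role. An empty list means the cert is suitable."""
    if cn is None:
        return ["no CN found in subject"]
    findings = []
    if cn.lower() != controller_fqdn.lower():
        findings.append(
            f"CN '{cn}' becomes the controller's redirect address; the controller "
            f"will intercept '{cn}' instead of leaving it to the real server")
    if not any(_name_matches(n, controller_fqdn) for n in [cn] + sans):
        findings.append(
            f"'{controller_fqdn}' is covered by neither CN nor SAN; clients will see cert errors")
    return findings

if __name__ == "__main__":
    cn, sans = parse_cert_names(OPENSSL_TEXT)
    for finding in check_controller_cert(cn, sans, "captiveportal-login.domain.tld"):
        print("WARN:", finding)
```

For the thread's certificate the check reports one finding (the CN names host.domain.tld, not the controller), while a dedicated certificate with CN captiveportal-login.domain.tld reports none.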