Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP and Clearpass certificate installation

  • 1.  IAP and Clearpass certificate installation

    Posted Jun 21, 2017 03:54 AM

    Hi all,

     

    Due to the known issues with the securelogin.arubanetworks.com certificate, I am trying to install my own certificate onto an IAP (in conjunction with ClearPass at the back end).

    However, I am running into some issues which I am trying to resolve, as well as trying to understand things I discovered during my investigation.

     

    - To start, I first tested using the default pre-installed securelogin.arubanetworks.com cert.

    To my surprise, it no longer threw the revocation error.

    Is this something that has been resolved?

    But instead of the revocation error I did get a weak cipher error in Chrome and Firefox; IE9 did not seem to care and just continued.

    (and the whole solution worked as designed, only with some annoying cert errors)

    At this point I decided that it was still a good idea to continue installing my own cert (no weak cipher stuff, and putting myself in control of the cert stuff).

     

    - So I installed my publicly signed wildcard certificate (*.mydomain.com), including the private key and root certs. And on ClearPass I changed the address to "securelogin.mydomain.com".
    When testing, it showed me the ClearPass guest page and I authenticated successfully. But it threw me a 'domain not found' error afterwards, when redirecting.

     

    - Now I changed it to captiveportal-login.mydomain.com and the "domain not found" error is gone. Why is it that I need to use "captiveportal-login"?

     

    - However, I'm still not there. When the guest portal authentication page pops up, I enter the correct credentials and after submitting I receive the portal authentication page again, with the following error message: "login error. please retry."

    ClearPass Access Tracker shows: "application guest access - web login: accept", but no RADIUS could be observed.

     

    At the moment I'm out of ideas, please advise?



  • 2.  RE: IAP and Clearpass certificate installation



  • 3.  RE: IAP and Clearpass certificate installation

    Posted Jun 21, 2017 07:04 AM
    Did you make any changes to your guest page?
    If you are using the wildcard cert then you need to use captiveportal-login.yourdomain, but if it is not a wildcard you should be able to use securelogin.yourdomain.

    When you create a guest self-registration page, by default it will perform a RADIUS authentication; there's a template available for guest or guest with MAC caching.



  • 4.  RE: IAP and Clearpass certificate installation
    Best Answer

    Posted Jun 23, 2017 05:36 AM

    I managed to get this working.

    It appeared the RADIUS config disappeared from the SSID after a reboot.

    I added it again and all was working.

     

    But one of my questions remains, when using a wildcard cert.

    Why does the redirect need to go to "captiveportal-login.mydomain.com"?



  • 5.  RE: IAP and Clearpass certificate installation

    EMPLOYEE
    Posted Jun 23, 2017 07:23 AM
    Because the browser needs an FQDN to hit and with a wildcard, there isn't one.


  • 6.  RE: IAP and Clearpass certificate installation

    Posted Jun 27, 2017 08:24 AM

    Agreed, but why captiveportal-login.mydomain.com and not somethingelse.mydomain.com?



  • 7.  RE: IAP and Clearpass certificate installation
    Best Answer

    EMPLOYEE
    Posted Jun 27, 2017 08:25 AM
    That's how the software is configured. Is there a concern?


  • 8.  RE: IAP and Clearpass certificate installation

    Posted Jun 27, 2017 08:31 AM

    No, I just wanted to know more about how it worked.
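
On the wildcard question discussed above, an added example (not written by any poster and not Aruba's code): standard certificate name matching lets `*.mydomain.com` cover any single-label name under the domain, so both hostnames tried in the thread pass certificate validation. The function names and sample hostnames are assumptions built from the thread's placeholders.

```python
# Added example: RFC 6125-style matching of a hostname against a certificate's
# dNSName entries. All names are constructed from the thread's placeholders.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName pattern covers hostname.

    A wildcard is honoured only as the entire leftmost label and stands for
    exactly one label, so it never covers the bare domain or deeper names.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in pattern:
        return False  # partial ("cp*.x") or non-leftmost wildcards are refused
    return p == h

def cert_covers(san_list: list[str], hostname: str) -> bool:
    """True if any SAN entry on the certificate covers hostname."""
    return any(san_matches(p, hostname) for p in san_list)

SAN_LIST = ["*.mydomain.com"]  # constructed: the wildcard from the thread
CANDIDATES = [
    "securelogin.mydomain.com",
    "captiveportal-login.mydomain.com",
    "mydomain.com",               # bare domain: not covered by the wildcard
    "portal.guest.mydomain.com",  # two labels deep: not covered
]

def report() -> dict[str, bool]:
    """Coverage result for each candidate portal hostname."""
    return {name: cert_covers(SAN_LIST, name) for name in CANDIDATES}

if __name__ == "__main__":
    for name, ok in report().items():
        print(f"{name:36} {'covered' if ok else 'NOT covered'}")
```

Because the wildcard covers both names, a check like this helps separate a certificate name mismatch from a hostname that the portal software or DNS does not recognise.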



  • 9.  RE: IAP and Clearpass certificate installation

    Posted Jun 23, 2017 05:29 AM

    Yes I did follow that article.



  • 10.  RE: IAP and Clearpass certificate installation

    Posted Apr 24, 2019 10:53 PM
    Hi, I have installed a wildcard certificate in CPPM, whereas in a few locations I haven't installed it on the NAD device. Will captive portal page redirection happen or not?