Occasional Contributor I
Posts: 7
Registered: ‎04-15-2016

IAP and Clearpass certificate installation

Hi all,

Due to the known issues with the securelogin.arubanetworks.com certificate I am trying to install my own certificate onto an IAP (in conjunction with ClearPass at the back end).

However, I am running into some issues, which I am trying to resolve, as well as trying to understand things I discovered during my investigation.

- To start, I first tested using the default pre-installed securelogin.arubanetworks.com cert.

To my surprise, it no longer threw the revocation error.

Is this something that has been resolved?

But instead of the revocation error I did get a weak cipher error in Chrome and Firefox; IE9 did not seem to care and just continued.

(and the whole solution worked as designed, only with some annoying cert errors)

At this point I decided that it was still a good idea to continue installing my own cert (no weak cipher stuff, and putting myself in control of the cert stuff).

- So I installed my publicly signed wildcard certificate (*.mydomain.com), including the private key and root certs. And on ClearPass I changed the address to "securelogin.mydomain.com".
When testing, it showed me the ClearPass guest page and I authenticated successfully. But it threw a 'domain not found' error afterwards, when redirecting.

- Now I changed it to captiveportal-login.mydomain.com and the "domain not found" error is gone. Why is it that I need to use "captiveportal-login"?

- However, I'm still not there. When the guest portal authentication page pops up, I enter the correct credentials and after submitting I receive the portal authentication page again, with the following error message: "login error. please retry."

ClearPass Access Tracker shows: "application guest access - web login: accept", but no RADIUS could be observed.

At the moment I'm out of ideas, please advise?

New Contributor
Posts: 3
Registered: ‎12-21-2016

Re: IAP and Clearpass certificate installation

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: IAP and Clearpass certificate installation

Did you make any changes to your guest page?
If you are using the wildcard cert then you need to use captiveportal-login.yourdomain, but if it is not a wildcard you should be able to use securelogin.yourdomain.

When you create a guest self-registration page, by default it will perform a RADIUS authentication. There's a template available for guest or guest with MAC caching.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I
Posts: 7
Registered: ‎04-15-2016

Re: IAP and Clearpass certificate installation

Yes I did follow that article.

Occasional Contributor I
Posts: 7
Registered: ‎04-15-2016

Re: IAP and Clearpass certificate installation

I managed to get this working.

It appeared the RADIUS config disappeared from the SSID after a reboot.

I added it again and all was working.

But one of my questions remains, when using a wildcard cert.

Why does the redirect need to go to "captiveportal-login.mydomain.com"?

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: IAP and Clearpass certificate installation

Because the browser needs an FQDN to hit and with a wildcard, there isn't one.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎04-15-2016

Re: IAP and Clearpass certificate installation

Agreed, but why captiveportal-login.mydomain.com and not somethingelse.mydomain.com?

Guru Elite
Posts: 8,754
Registered: ‎09-08-2010

Re: IAP and Clearpass certificate installation

That's how the software is configured. Is there a concern?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 7
Registered: ‎04-15-2016

Re: IAP and Clearpass certificate installation

No, I just wanted to know more about how it worked.
