Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NAS vendor settings - redirect url used?

  • 1.  NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 05:27 AM

    So I've got a setup with a couple Aruba controllers running a wildcard certificate with Clearpass to provide the guest portal.

    After authenticating, the user's browser initiated the https form submit back to the controller to finish the logon.

     

    This last redirect (back to the controllers) keeps using aruba.company.com.

    This is the value I had set as the vendor ip/hostname of the controller in Clearpass and was the actual certificate used when there was only 1 controller. I have since changed that name in CPPM (and removed the old certificate on the controllers) to somethingelse.company.com however. On the controller CP profile the welcome page mentions just "/auth/welcome.html".

    That aruba.company.com logon keeps working even though it resolves to a non-existing address so there's no major issue, but I would love to understand the reason why it doesn't take my new value of somethingelse.company.com.

     

    Anyone got any clues?



  • 2.  RE: NAS vendor settings - redirect url used?

    EMPLOYEE
    Posted Dec 02, 2015 06:06 AM

    Just to make sure I understand:

     

    1- You have a regular certificate and not a wildcard certificate

    2- Clearpass is being used as the external captive portal

    3- Clients are being authenticated correctly and getting onto the internet

     

    Question:

     

    Where are you putting the value of "somethingelse.company.com"?  Are you putting it on the controller, or in clearpass and in what field?



  • 3.  RE: NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 06:10 AM

    1. clearpass cert is single SAN, controller cert is wildcard (2 controllers with same cert)

    2. yes, clearpass as external portal

    3. yes, so more a cosmetic issue than anything else but I want to understand why this is happening



  • 4.  RE: NAS vendor settings - redirect url used?

    EMPLOYEE
    Posted Dec 02, 2015 06:11 AM

    Question:

     

    Where are you putting the value of "somethingelse.company.com"?  Are you putting it on the controller, or in clearpass and in what field?



  • 5.  RE: NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 06:15 AM

    Clearpass side

     

     2015-12-02 12_17_08-Customize Guest Registration.png



  • 6.  RE: NAS vendor settings - redirect url used?

    EMPLOYEE
    Posted Dec 02, 2015 06:19 AM

    That would only be used if the guest is using the automatic login as part of the workflow.  Is that how you have it configured?

     



  • 7.  RE: NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 06:21 AM

    Yes, after sponsor confirmation the guest only needs to click the ok button and everything is done for him.



  • 8.  RE: NAS vendor settings - redirect url used?

    EMPLOYEE
    Posted Dec 02, 2015 06:49 AM

    Before the guest clicks on "Login", I would "view source" in the browser to see what is there.



  • 9.  RE: NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 08:02 AM

    A whole lot of JavaScript but nowhere any reference to the aruba. url or even the controller. url.

    The ip address of the controller I do find as the value of a hidden input field.

     

    But then again, where does it get the aruba.company.com part from?  :/

     



  • 10.  RE: NAS vendor settings - redirect url used?
    Best Answer

    EMPLOYEE
    Posted Dec 02, 2015 08:04 AM

    It gets the post from that fqdn, IF you have it in the right place.  Hopefully you do not have more than one guest registration page and you are not referring to the wrong one.  Someone needs to look over all of your settings to make sure you have everything in place.



  • 11.  RE: NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 08:10 AM

    ouch..  I'm not going to admit how right you are with that last comment... ever! :)



  • 12.  RE: NAS vendor settings - redirect url used?

    EMPLOYEE
    Posted Dec 02, 2015 08:24 AM

    ...ever...



  • 13.  RE: NAS vendor settings - redirect url used?

    MVP
    Posted Dec 02, 2015 09:20 AM

    And to at least answer my own question in this otherwise useless topic:

     

    controller.company.com -> does not resolve = NOK

    serverdecomisioned.company.com  -> resolves to 1.1.1.1 (non-existing) = OK

    hostx.company.com -> resolves to unrelated host = OK

    clearpass.company.com -> resolves to CPPM ip = NOK, redirects to mgmt interface CPPM

    captiveportal-login.company.com -> does not resolve = OK  (see http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199)

     

    So basically ANYTHING that resolves works fine even if it resolves to some imaginary ip address but with captiveportal-login it doesn't even need to resolve.  Go figure.
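
Added example, not part of the original thread and not Aruba or ClearPass code: a Python version of the "view source" check suggested in reply 8. It lists where each form on a saved portal page will post and whether that hostname resolves, the two facts compared in reply 13. The sample HTML, the `controller_ip` field name, the `/login` path and the 192.0.2.10 address are constructed for illustration.

```python
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample, NOT real ClearPass markup: a login form that posts to the
# controller hostname and carries the controller IP in a hidden field.
SAMPLE_PAGE = """
<form method="post" action="https://aruba.company.com/login">
  <input type="hidden" name="controller_ip" value="192.0.2.10">
  <input type="text" name="user">
  <input type="submit" value="Log In">
</form>
"""

class FormCollector(HTMLParser):
    """Collect each <form>'s action and its hidden inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "hidden": {}})
            self._open = True
        elif tag == "input" and self._open and (a.get("type") or "").lower() == "hidden":
            self.forms[-1]["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = False

def post_targets(html, page_url, resolver=socket.gethostbyname):
    """Return, per form, the absolute POST URL, its host and what that host resolves to."""
    parser = FormCollector()
    parser.feed(html)
    report = []
    for form in parser.forms:
        url = urljoin(page_url, form["action"])  # a relative action stays on the page's host
        host = urlsplit(url).hostname
        try:
            address = resolver(host)
        except OSError:  # socket.gaierror: the name does not resolve
            address = None
        report.append({"url": url, "host": host, "address": address, "hidden": form["hidden"]})
    return report
```

Run it against the page saved from the browser just before the guest clicks "Login"; pass the URL the page was loaded from as `page_url` so relative form actions are attributed to the right host.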