Security

Reply
Occasional Contributor II

Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

Hi !

I have an aruba3200 controller with 30 aps.

I'm running fw 6.3.1.4

I have my wlan authehticated against a radius server (MS-NPS), which offers and checks the certificates.

it is configured using eap-peap.

i do not use termination on the controller.

in between there are moments when the clients are shown a certificate "securelogin.arubanetworks.com"

(best seen on my iphone).

how can this be or are there any hints where i can hava a look why this happens ?

does not make any sense to me, because this cert is ony used für captive-portal (guest access) or the web-gui...

 

regards,

Martin

Aruba

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

The only way you'd see that certificate is if terminatino is enabled (which you say isn't) or if the NPS server is using that same certificate (unlikely).

 

When do the clients see this?  Is it on connection or at some other point in their connection?

 

To confirm , if you "forget this network" on an iPhone and reocnnect to the network, what certifcate is shown?    I'd also verify that all your AAA profiles are using dot1x profiles that have termination disabled.  Sometimes customers will have different profiles for different usages and not realize they are being used in portions of the building.

 

show aaa authentication dot1x

review the "references" column

show references aaa authentication dot1x [nameofprofile]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

they see in sometimes in their connection.

i had this today when my mail client wanted to connect to outlook.com (are connections proxied ?)

and a colleague of mine had this with his macbook that would not connect to the wlan because the wrong (untrusted) certificate was shown...

 

all our aaa profiles have termination disabled...

 

that's why i'm so irritated...

i just cannot get it...

Guru Elite

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

Are you only using a single VLAN or multiple VLANs (pooling) for that 802.1x SSID?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

i have 4 SSIDs

 

w0. -> guest(VLAN 10)

w1. -> EAP-PEAP (VLAN 1)

w2. -> PSK (VLAN 1)

w3. -> EAP-CHAP(VLAN 1)

Guru Elite

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

Which wlan does the problem occur on...only the eap-peap wlan?


It is important that you record the role that the user is in when he has the issue. You should also turn on user debugging so that we can see what led to the issue.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

The problems occur on the EAP-PEAP and EAP-CHAP SSIDs (not on PSK and guest)

Guru Elite

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

Thank you.

User debugging will allow you to possibly track this down. Do you use NPS for both wlans with the issue? Are you using any type of server or user derivation rules?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Super Contributor II

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

could it be possible that the clients are temporarily connecting to the guest WLAN prior to attempting 802.1x connection. this would present the captive portal certificate to the users in applications such as exchange where ssl is used.

 

maybe try changing the ordering of preferences of the WLAN profiiles on the client.

 

scott

Occasional Contributor II

Re: Radius-EAP-based WLAN sometimes shows the securelogin.arubanetworks.com certificate

Hi !

We are using NPS for both wlans with this issue, BUT the NPS does not know nor has ever seen the securelogin.arubanetworks.com certificate.

We use user-derivation rules only in the guest wlan, but we use roles on the other wlan that change after authorization.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: