Contributor II

SSL Certificate to avoid security warning Message

Hello All, I have 3 Cisco controllers and a ClearPass Guest system. We are planning to install an SSL certificate to eliminate the certificate warning message and to have a professional user experience.

--What is the best approach to installing an SSL certificate?

--Do I need to raise the CSR from each controller and ClearPass Guest separately and upload the certificate, or is a certificate needed only in ClearPass?

--Can I use a wildcard SSL certificate, or do I need to buy a separate certificate?

Please assist me with clarification.

Aruba Employee

Re: SSL Certificate to avoid security warning Message

There are no issues using a wildcard or one of the other multi-domain certificates. You would probably want to use local tools to generate your key and CSR, and then upload the key, certificate, and chain/root certificates on the appropriate page.

Also, since the client POSTs their credentials to the Cisco controllers as part of the login process, you do want that to be a secure channel.

FWIW, Aruba controllers default to a valid certificate when using securelogin.arubanetworks.com as the NAS address. A custom certificate is only needed when you want to see your hostname throughout.

 

Contributor II

Re: SSL Certificate to avoid security warning Message

Can you please double check whether a wildcard certificate will do the job? I talked to Aruba TAC today; they suggested that I go for a standard SSL certificate, as the Amigopod hostname and controllers' hostname should match, and a wildcard certificate will not do this.

Aruba Employee

Re: SSL Certificate to avoid security warning Message

There are no technical problems with wildcard certificates. On the controller side, it normally will detect the hostname out of the certificate and use that for itself. In the case of a wildcard, since there is no hostname, it always uses captiveportal.yourdomain.tld. You will need this when setting up the NAS area of the web login or self-registration.

I do not know the context of your statement that the Amigopod hostname and controller hostname should match. For obvious reasons the hostnames must be different.

What you do need to make sure is that your DNS infrastructure will return the correct address for your Amigopod hostname. Since the controller is inline to the guests, it can trick itself and mask DNS problems. But Amigopod needs to be addressable.

Frequent Contributor I

Re: SSL Certificate to avoid security warning Message

I know it's been two weeks since an update on this, but I thought I'd comment as I have a similar setup.

We have 3 Cisco Controllers, and 1 recently installed Aruba, all using ClearPass/Amigopod for guest.

Regarding wildcard certificates, I can confirm that they work on Amigopod/ClearPass.

I can also confirm that I had absolutely no luck whatsoever getting wildcard certificates to work on the Cisco Controllers at all. I did not attempt on the Aruba Controller.

In my setup, the Cisco Controllers all use the same certificate, and I purchased a separate certificate for the Aruba Controller. Just make sure on both setups that you go through the steps to combine the purchased cert and the intermediate certificates into the same file and you should be fine. There is some pretty good documentation out there for doing this.

Also make sure you do what "gbenedict" suggested regarding DNS and the resolving of the names, and you should be good.

No certificate issues here after doing all of that.

Contributor II

Re: SSL Certificate to avoid security warning Message

Thanks Shawn, can you please share the document you referred to for this?

Frequent Contributor I

Re: SSL Certificate to avoid security warning Message

Sorry, I wasn't really referring to any specific document.  I was referring to documentation regarding SSL Certificate generation and Combinations in general.  Not to give Props to Cisco, but this document (Also Attached):

 

http://www.cisco.com/image/gif/paws/109597/csr-chained-certificates-wlc-00.pdf

 

 

Gives a pretty good step by step setup for creating a CSR and then putting all the Chained certificates together into a single file that is compatible with multiple formats.  

 

I've had no troubles whatsoever, using these instructions to generate CSR and Chained certificates for multiple vendor devices.
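The steps described in the posts above (generate the key and CSR locally, then combine the issued certificate and the intermediate into one file), as an added example that is not taken from the linked Cisco document or from any poster. The name `*.example.com`, the file names and the throwaway demo CA standing in for the public CA are assumptions; the last check uses OpenSSL's own hostname matching and says nothing about what a particular controller will accept.

```shell
#!/bin/sh
# Added example. All names are constructed; the demo CA stands in for the public CA.
NAME='*.example.com'   # hypothetical wildcard; a single hostname works the same way

make_csr() {           # $1 = work dir. The key stays local; only the CSR goes to the CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$NAME" \
    -keyout "$1/device.key" -out "$1/device.csr" 2>/dev/null
}

demo_ca_sign() {       # $1 = work dir. Demo only: root -> intermediate -> device cert.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$1/ca.ext"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$NAME" > "$1/leaf.ext"
  for ca in root inter; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $ca CA" \
      -keyout "$1/$ca.key" -out "$1/$ca.csr" 2>/dev/null || return 1
  done
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/inter.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.ext" -out "$1/inter.crt" 2>/dev/null &&
  openssl x509 -req -in "$1/device.csr" -CA "$1/inter.crt" -CAkey "$1/inter.key" \
    -CAcreateserial -days 30 -extfile "$1/leaf.ext" -out "$1/device.crt" 2>/dev/null
}

build_bundle() {       # device certificate first, then the intermediate that issued it
  cat "$1/device.crt" "$1/inter.crt" > "$1/chain.pem"
}

key_matches_cert() {   # the uploaded key must be the one the certificate was issued for
  [ "$(openssl x509 -in "$1/device.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$1/device.key" -pubout | openssl sha256)" ]
}

chain_verifies() {     # $1 = dir, $2 = certs the server would send, $3 = hostname asked for
  openssl verify -CAfile "$1/root.crt" -untrusted "$2" -verify_hostname "$3" \
    "$1/device.crt" >/dev/null 2>&1
}

work=$(mktemp -d) && make_csr "$work" && demo_ca_sign "$work" && build_bundle "$work"
key_matches_cert "$work" && echo "key matches certificate"
chain_verifies "$work" "$work/chain.pem" guest.example.com && echo "bundle: trusted"
chain_verifies "$work" "$work/device.crt" guest.example.com || echo "leaf only: warning"
chain_verifies "$work" "$work/chain.pem" guest.intranet.example.com ||
  echo "wildcard does not cover a second subdomain level"
```

Some devices also expect the root certificate appended to the bundle; follow the device's own documentation for the exact order and format.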

Contributor II

Re: SSL Certificate to avoid security warning Message

Hello,

Thanks for your document.

I generated a CSR and contacted Verisign for a third-party CA-signed certificate. They said that since my requirement is to secure an internal resource (intranet), I cannot go for a normal SSL certificate and should instead go for an MPKI (Managed PKI) solution. Please let me know which type of SSL certificate I should go for.

Frequent Contributor I

Re: SSL Certificate to avoid security warning Message

That seems strange. All mine are privately addressed devices and I was able to purchase Verisign certificates without any issue. I'm going to have to defer to someone else to answer this one.

 

Anyone have any ideas?

Aruba Employee

Re: SSL Certificate to avoid security warning Message

Well, this falls back to the DNS issue.  The IP address is the only thing that truly makes it an intranet hostname.  Do you own at least the true top level of the hostname you want?  i.e. acme.com in guest.intranet.acme.com.  We also have never seen anyone need anything more than a regular cert.  They need to verify the top level only.

 
