09-24-2012 02:01 AM - edited 09-24-2012 02:02 AM
Hello all, I have 3 Cisco controllers and a ClearPass Guest system. We are planning to install an SSL certificate to eliminate the certificate warning message and to have a professional user experience.
-- What is the best approach to installing an SSL certificate?
-- Do I need to raise the CSR from each controller and ClearPass Guest separately and upload a certificate to each? Or is the certificate needed only in ClearPass?
-- Can I use a wildcard SSL certificate, or do I need to buy separate certificates?
Please assist me with clarification.
09-24-2012 08:04 AM
There are no issues using a wildcard or one of the other multi-domain certificates. You would probably want to use local tools to generate your key and CSR, and then upload the key, certificate, and chain/root certificates on the appropriate page.
Also, since the client POSTs their credentials to the Cisco controllers as part of the login process, you do want that to be a secure channel.
FWIW, Aruba controllers default to a valid certificate when using securelogin.arubanetworks.com as the NAS address. A custom certificate is only needed when you want to see your hostname throughout.
09-24-2012 11:42 AM
Can you please double check whether a wildcard certificate will do the job? I talked to Aruba TAC today; they suggested I go for a standard SSL certificate, as the Amigopod hostname and the controllers' hostname should match, and a wildcard certificate will not make this.
09-24-2012 12:06 PM
There are no technical problems with wildcard certificates. On the controller side, it normally will detect the hostname out of the certificate and use that for itself. In the case of a wildcard, since there is no hostname, it always uses captiveportal.yourdomain.tld. You will need this when setting up the NAS area of the web login or self-registration.
I do not know the context of your statement that the Amigopod hostname and controller hostname should match. For obvious reasons the hostnames must be different.
What you do need to make sure is that your DNS infrastructure will return the correct address for your Amigopod hostname. Since the controller is inline to the guests, it can trick itself and mask DNS problems. But Amigopod needs to be addressable.
10-05-2012 07:27 AM - edited 10-05-2012 07:29 AM
I know it's been two weeks since an update on this, but I thought I'd comment as I have a similar setup.
We have 3 Cisco Controllers, and 1 recently installed Aruba, all using Clearpass/Amigopod for guest.
Regarding Wildcard certificates, I can confirm that they work on Amigopod/Clearpass.
I can also confirm that I had absolutely no luck whatsoever getting wildcard certificates to work on the Cisco controllers at all. I did not attempt it on the Aruba controller.
In my setup, the Cisco controllers all use the same certificate, and I purchased a separate certificate for the Aruba controller. Just make sure on both setups that you go through the steps to combine the purchased cert and the intermediate certificates into the same file and you should be fine. There is some pretty good documentation out there for doing this.
Also make sure you do what "gbenedict" suggested regarding DNS and the resolving of the names, and you should be good.
No Certificate issues here after doing all of that.
10-08-2012 08:43 AM - edited 10-08-2012 08:44 AM
Sorry, I wasn't really referring to any specific document. I was referring to documentation regarding SSL certificate generation and combinations in general. Not to give props to Cisco, but this document (also attached):
gives a pretty good step-by-step setup for creating a CSR and then putting all the chained certificates together into a single file that is compatible with multiple formats.
I've had no troubles whatsoever using these instructions to generate CSRs and chained certificates for multiple vendors' devices.
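As an added example that is not part of this thread or of any Cisco or Aruba document, the script below runs the procedure the last two posts describe (generate the key and CSR locally, then concatenate the issued leaf and the intermediate into one file) against a constructed root and intermediate CA that stand in for the commercial CA, and then checks the bundle the way a client browser would. It also exercises the wildcard point from the earlier reply: `*.example.com` covers controller1.example.com but not a host two labels deep such as guest.intranet.example.com. The domain example.com, the hostnames, the toy CA and the file names are all assumptions; an OpenSSL 1.1.1 or later command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread or any vendor doc): local key + CSR, then
# a "leaf + intermediate in one file" bundle, checked against a constructed CA.
# ASSUMPTIONS: openssl >= 1.1.1 on PATH; example.com and the hostnames are made up.
set -eu

# build_chain_demo DIR
# Creates under DIR: a toy root and intermediate CA (stand-in for the public CA),
# the device key + CSR, the signed leaf, and portal-chain.pem (leaf, then intermediate).
build_chain_demo() {
    d=$1
    mkdir -p "$d"
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    # 1. Constructed root + intermediate. In real life the CA owns these.
    openssl req -config "$d/req.cnf" -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example Intermediate CA" -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > "$d/inter.ext"
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/inter.ext" -out "$d/inter.pem" >/dev/null 2>&1

    # 2. The part you actually do for a purchased cert: key + CSR generated locally.
    #    The CA decides which names go into the issued cert; the constructed CA grants a
    #    wildcard plus one explicit host so both models from the thread can be checked.
    openssl req -config "$d/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=*.example.com" -keyout "$d/portal.key" -out "$d/portal.csr" >/dev/null 2>&1
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'subjectAltName=DNS:*.example.com,DNS:guest.example.com' > "$d/portal.ext"
    openssl x509 -req -in "$d/portal.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$d/portal.ext" -out "$d/portal.pem" >/dev/null 2>&1

    # 3. The bundle to upload: leaf first, then the intermediate(s). The root stays
    #    out because the client browser already trusts it.
    cat "$d/portal.pem" "$d/inter.pem" > "$d/portal-chain.pem"
}

# chain_ok DIR -> 0 if the bundle lets a client build a path from the leaf to the root
chain_ok() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/portal-chain.pem" "$1/portal.pem" >/dev/null 2>&1
}

# leaf_alone_ok DIR -> 0 only if the leaf validates WITHOUT the intermediate.
# It should not: this is the browser warning you get after uploading the bare cert.
leaf_alone_ok() {
    openssl verify -CAfile "$1/root.pem" "$1/portal.pem" >/dev/null 2>&1
}

# host_ok DIR HOSTNAME -> 0 if the cert is valid for HOSTNAME (a wildcard covers one label only)
host_ok() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/portal-chain.pem" \
        -verify_hostname "$2" "$1/portal.pem" >/dev/null 2>&1
}

# cert_count DIR -> number of certificates in the bundle (expect 2: leaf + intermediate)
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1/portal-chain.pem"
}

# Stand-alone run: the checks a practitioner would make before uploading.
work=$(mktemp -d)
build_chain_demo "$work"
echo "bundle holds $(cert_count "$work") certificates"
chain_ok "$work"      && echo "leaf+intermediate bundle: OK"
leaf_alone_ok "$work" || echo "leaf without intermediate: FAILS (as expected)"
for h in controller1.example.com guest.example.com guest.intranet.example.com; do
    host_ok "$work" "$h" && echo "$h: matches" || echo "$h: NO match"
done
rm -rf "$work"
```

The `leaf_alone_ok` check fails on purpose: it reproduces the warning users see when only the purchased certificate, without its intermediate, is installed on a device. The last hostname in the loop shows why a wildcard may or may not fit a given naming plan: `*.example.com` matches one label, so a portal or Amigopod name nested one level deeper needs its own entry in the certificate.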
10-10-2012 02:22 PM
Thanks for your document.
I generated a CSR and contacted VeriSign for a third-party CA-signed certificate. They said that since my requirement is to secure an internal resource (intranet), I cannot go for a normal SSL certificate and should instead go for an MPKI (Managed PKI) solution. Please let me know which type of SSL certificate I should go for.
10-10-2012 02:26 PM
That seems strange. All mine are privately addressed devices and I was able to purchase VeriSign certificates without any issue. I'm going to have to defer to someone else to answer this one.
Anyone have any ideas?
10-10-2012 02:30 PM
Well, this falls back to the DNS issue. The IP address is the only thing that truly makes it an intranet hostname. Do you own at least the true top level of the hostname you want? I.e. acme.com in guest.intranet.acme.com. We also have never seen anyone need anything more than a regular cert. They need to verify the top level only.