Contributor I
Posts: 29
Registered: ‎09-19-2016

Securelogin signed by unknown authority

I am sure this must be covered by someone by now, but I haven't found anything to this specific issue as of yet.

I have a guest captive portal set up on ClearPass Guest. I am using a Master/Local setup at my datacenter using 7210/7240 running 6.5.0.3.

When connecting to the guest SSID, users are redirected to the web login page that is covered by a wildcard company cert. Upon clicking login it looks like they are directed to the controller using securelogin.arubanetworks.com certificate.

The devices show that this is an unknown authority. How can this be solved? This is guest, so I am not able to push out the cert to trust it as I don't own the devices.

Guru Elite
Posts: 8,456
Registered: ‎09-08-2010

Re: Securelogin signed by unknown authority

You need to acquire a publicly signed certificate.



https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Securelogin signed by unknown authority


You have to purchase a captive portal certificate for the controller as well as ClearPass, if you don't want the "unknown authority" message.

 

The Aruba Controller used to come with a valid certificate issued by GeoTrust. That certificate has been compromised and revoked by GeoTrust, so it is not provided any longer. https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

 

As of 6.5.0.1, the controller now comes with a self-signed certificate that nobody trusts, because it is self-signed. Users must, just like every other platform, purchase a public certificate so that users connecting to their captive portal do not get the "unknown authority" message. Please also see the certificates 101 document on the ClearPass documentation site here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=13734



Colin Joseph
Aruba Customer Engineering


Contributor I
Posts: 29
Registered: ‎09-19-2016

Re: Securelogin signed by unknown authority


Without having read through the post you linked yet, can it be a wildcard for this case? I do have a wildcard that I'm using on the ClearPass server; I can put that on the controller.

And this leads to the follow-up question. I was of the understanding that if I change the "securelogin" address on the weblogin page, it will be controller specific and I'll need a new page for each controller. Is that accurate?

 

Unfortunately, I am unable to access the cert 101 document as I do not have an account on support.arubanetwork; they required me to have an account on the HPE website instead.

Guru Elite
Posts: 20,995
Registered: ‎03-29-2007

Re: Securelogin signed by unknown authority


You can use a wildcard certificate for the controller.

You should NOT reuse the one that is already on the ClearPass server. Why? Because the controller actively intercepts DNS traffic for "captiveportal-login.wildcarddomain.com" and redirects it to the controller. It must be kept separate.

 

If you use a wildcard certificate on the controller, please see the article here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-configure-ClearPass-Guest-Amigopod-web-login-when-using/ta-p/176438 on how to configure ClearPass to support it.



Colin Joseph
Aruba Customer Engineering
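
An added illustration of the wildcard point discussed in this thread (not written by any poster, and not Aruba code): a pre-deployment check that a certificate's subjectAltName entries actually cover the captive portal login hostname, using the usual RFC 6125 wildcard rule. The SAN list and the nested hostname are constructed sample values; `wildcarddomain.com` is the placeholder domain from the post above, and the function names are hypothetical.

```python
"""Check whether a certificate's SAN entries cover a captive portal hostname.

Added example with constructed sample data. Matching follows RFC 6125:
a wildcard is honoured only as the entire left-most label and covers
exactly one label.
"""


def san_matches(pattern: str, hostname: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # "*" anywhere except as the whole left-most label is never honoured.
    if any("*" in label for label in p[1:]) or ("*" in p[0] and p[0] != "*"):
        return False
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld"; the wildcard spans one label only.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covering_san(sans, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    for pattern in sans:
        if san_matches(pattern, hostname):
            return pattern
    return None


def audit(portal_names, sans):
    """Map each portal hostname to the SAN that covers it (None = browser warning)."""
    return {name: covering_san(sans, name) for name in portal_names}


# Constructed sample: SAN list of a wildcard certificate for the placeholder domain.
SAMPLE_SANS = ["*.wildcarddomain.com", "wildcarddomain.com"]
SAMPLE_NAMES = [
    "captiveportal-login.wildcarddomain.com",  # name used in the thread
    "securelogin.arubanetworks.com",           # controller default login name
    "login.guest.wildcarddomain.com",          # constructed: two labels deep
]

if __name__ == "__main__":
    for name, san in audit(SAMPLE_NAMES, SAMPLE_SANS).items():
        print(f"{name:45} {'covered by ' + san if san else 'NOT covered'}")
```

A hostname reported as not covered will produce a certificate name mismatch in the guest's browser even when the certificate itself is publicly signed.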
