05-02-2014 01:22 PM
I am finally getting around to looking at the certificates loaded on our Aruba 3200 Controller. It is running the default one that comes loaded out of the box.
I'd like to correct a certificate error our guest users get after they auth. against our captive portal.
We have the option to pop up the logout window enabled which opens a small window with a URL that points directly to our controller (https://aruba-master.<our domain>.com/cgi-bin/login)
Do the Aruba controllers work okay with wildcard certificates?
And I want to confirm whether or not I should be loading the certificate chain for our commercial wildcard cert or not (if they are supported)?
I found this post which seems to suggest we might have issues with a wildcard cert on the controller as well.
I guess we can always just disable the pop up as well since most browsers block pop ups by default anyway.
05-02-2014 01:57 PM
Your controller will work fine with a wildcard certificate IF you are NOT using it for EAP Termination. If you have an external radius server and that has a server certificate, you should have no issues putting a wildcard server certificate on your Aruba controller.
What will change is that since your Captive Portal does not have a hostname, it has a *, the controller redirect will look like "https://captiveportal-login.domain.com". So that means if you develop a custom page for Captive Portal in the controller or ClearPass, you will need to reference the controller using captiveportal-login.domain.com. You can sidestep this by installing a server certificate with a "real" fqdn, instead of a wildcard certificate.
Aruba Customer Engineering
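An added example, not part of the thread and not Aruba code: a wildcard name stands for exactly one left-most label, so before installing a certificate it helps to check which controller hostnames it actually covers. The hostnames use the placeholder domain example.com, and the two-label minimum after the `*` is a simplification of what browsers enforce.

```python
# Added example: RFC 6125-style matching of certificate DNS names against
# the hostnames clients will be sent to. All names are constructed placeholders.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName (pattern) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard replaces exactly one label, so the label counts must agree.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    # The wildcard is only honoured in the left-most label.
    if any("*" in label for label in rest):
        return False
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # Simplification: require at least two labels after the wildcard,
        # so "*.com" never matches. Browsers use a public-suffix list.
        return len(rest) >= 2
    if "*" in first:
        return False  # partial wildcards such as "a*" are rejected here
    return first == h_labels[0]


def covered(cert_names, hostnames):
    """Map each hostname to whether any certificate name covers it."""
    return {h: any(name_matches(p, h) for p in cert_names) for h in hostnames}


# Constructed hostnames modelled on the thread: the logout pop-up URL host,
# the redirect name used with a wildcard, the bare domain, a deeper name.
HOSTS = [
    "aruba-master.example.com",
    "captiveportal-login.example.com",
    "example.com",
    "aruba-master.wifi.example.com",
]

if __name__ == "__main__":
    for label, names in [("wildcard", ["*.example.com"]),
                         ("single FQDN", ["aruba-master.example.com"])]:
        print(label)
        for host, ok in covered(names, HOSTS).items():
            print(f"  {'covered    ' if ok else 'NOT covered'} {host}")
```
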
05-05-2014 01:47 PM
Sorry for my late reply.
Thank you cjoseph for the explanation.
We are currently not using the Controller for EAP Termination.
The EAP Termination is being handled by our CPPM.
I think I understand your second comment.
It brings some questions to mind about where certain information is pulled from while a guest user is logging in. I might have to do some testing to make sure I understand it fully.
I apologize I do not have more knowledge.
Now that I know some of the pitfalls to using a wildcard cert on the controller we can start to plan a little better and of course test everything!
Thank you once again cjoseph for your knowledge!