Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Yes, another Captive Portal https question...

  • 1.  Yes, another Captive Portal https question...

    Posted Jul 28, 2017 01:50 PM

    I've been searching for answers, but finally I have to post. Sorry for adding to the Captive Portal noise... :-)

     

    My Clearpass and controller are both using valid public certs.

    I've enabled a redirect in my captive portal profile to https://clearpassaddress/guest/guestpage.php

     

    When a client connects to the guest network, it does get redirected, but the browser gets a certificate warning. Upon examination, the browser is being presented with the controller's certificate.

     

    I am browsing to an http only site. Shouldn't the redirect from the controller just send the browser to the new site (clearpass guest) and the browser would get the clearpass cert?

     

    Thanks.

     



  • 2.  RE: Yes, another Captive Portal https question...

    EMPLOYEE
    Posted Jul 28, 2017 01:54 PM

    If the client is attempting to hit an HTTPS prior to redirect, they will get a certificate error. There's nothing that can be done about this unfortunately in a browser.

     

    The device should generally be using a captive portal browser so you shouldn't see this issue.

     

     

     



  • 3.  RE: Yes, another Captive Portal https question...

    Posted Jul 28, 2017 02:58 PM

    I'm trying to browse to an http only site. I'm seeing the same problem on Windows, iPad, and Android.

    I've read some of the excellent blog posts that describe how the browser is essentially doing a MITM attack, and how a cert error will appear if https traffic is involved.

     

    In my case the user gets redirected to clearpass.mydomain.com

    But the certificate reads controller.mydomain.com, which naturally throws up an error.

     

    Maybe I don't understand the process well enough, but why does the browser get 'hung up' on the controller cert, and not get the clearpass cert?

     

     



  • 4.  RE: Yes, another Captive Portal https question...

    EMPLOYEE
    Posted Jul 28, 2017 03:15 PM

    What is the site you're trying to browse to?

     

    Also, you should be getting the captive network assistant / behavior on the device.



  • 5.  RE: Yes, another Captive Portal https question...
    Best Answer

    Posted Jul 28, 2017 03:26 PM

    I'm trying to browse to www.weather.gov.

    I got the captive assist on an Android, but not on an iPad. I'm wondering if I could have shut it off on the iPad? I can't find a setting for that.

     

    Can you tell me if what I'm seeing is normal? Should the browser be presented with the controller's cert, even though it's trying to connect to Clearpass?

     



  • 6.  RE: Yes, another Captive Portal https question...
    Best Answer

    Posted Jul 28, 2017 03:32 PM

    My bad...

    Access list problem.

    I added a second Clearpass box and VIP since the initial configuration of that captive portal setup.

    I added the VIP and new clearpass box to the ACL of the role, and it's working fine.

    Thanks for helping.



  • 7.  RE: Yes, another Captive Portal https question...

    Posted Sep 14, 2017 08:01 PM

    Hi Tim - I was searching for the issue I'm having and came across this response. I have a valid pub cert installed on my clearpass box and my aruba wlc. I had my wireless lab working where Google Chrome browsers would show me a message along the lines of "the wifi you're trying to use requires you to go to their login page" when users would attempt to reach an https page prior to redirect. But now it looks like I'm back to chrome users getting the "Your connection is not private". Per TAC the valid certs should relieve the "your connection is private" issue and I thought it did for a little bit, but from your experience this was never the case? I hope this made some kind of sense :)



  • 8.  RE: Yes, another Captive Portal https question...

    EMPLOYEE
    Posted Sep 14, 2017 08:06 PM
    If you’re trying to navigate to an HTTPS site during captive portal redirection state, you’ll always receive a certificate error, regardless of your certificate configuration.

    All modern operating systems have captive portal detection mechanisms to avoid this. If you’re not seeing either the captive portal mini browser or the default browser opening and attempting an HTTP page, then there is a configuration error somewhere.

