Contributor I

Yes, another Captive Portal https question...

I've been searching for answers, but finally I have to post. Sorry for adding to the Captive Portal noise... :-)

 

My Clearpass and controller are both using valid public certs.

I've enabled a redirect in my captive portal profile to https://clearpassaddress/guest/guestpage.php

 

When a client connects to the guest network, it does get redirected, but the browser gets a certificate warning. Upon examination, the browser is being presented with the controller's certificate.

 

I am browsing to an http only site. Shouldn't the redirect from the controller just send the browser to the new site (clearpass guest) and the browser would get the clearpass cert?

 

Thanks.

 

Guru Elite

Re: Yes, another Captive Portal https question...

If the client is attempting to hit an HTTPS site prior to redirect, they will get a certificate error. There's nothing that can be done about this unfortunately in a browser.

 

The device should generally be using a captive portal browser so you shouldn't see this issue.

 

 

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Yes, another Captive Portal https question...

I'm trying to browse to an http only site. I'm seeing the same problem on Windows, iPad, and Android.

I've read some of the excellent blog posts that describe how the browser is essentially doing a MITM attack, and how a cert error will appear if https traffic is involved.

 

In my case the user gets redirected to clearpass.mydomain.com

But the certificate reads controller.mydomain.com, which naturally throws up an error.

 

Maybe I don't understand the process well enough, but why does the browser get 'hung up' on the controller cert, and not get the clearpass cert?

 

 

Guru Elite

Re: Yes, another Captive Portal https question...

What is the site you're trying to browse to?

 

Also, you should be getting the captive network assistant / behavior on the device.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Yes, another Captive Portal https question...

I'm trying to browse to www.weather.gov.

I got the captive assist on an Android, but not on an iPad. I'm wondering if I could have shut it off on the iPad? I can't find a setting for that.

 

Can you tell me if what I'm seeing is normal? Should the browser be presented with the controller's cert, even though it's trying to connect to Clearpass?

 

Contributor I

Re: Yes, another Captive Portal https question...

My bad...

Access list problem.

I added a second Clearpass box and VIP since the initial configuration of that captive portal setup.

I added the VIP and new clearpass box to the ACL of the role, and it's working fine.

Thanks for helping.
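
The cause found in the last post (portal addresses missing from the role's ACL, so the HTTPS connection to ClearPass is answered with the controller's certificate) can be checked for directly. The following is an added example, not part of the thread and not Aruba or ClearPass code: a simplified Python model in which the 192.0.2.x addresses and the allowlist format are constructed assumptions.

```python
import ipaddress

def uncovered_portal_addrs(portal_addrs, allow_entries):
    """Portal addresses (nodes and VIP) that no pre-auth allow entry covers."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allow_entries]
    return [a for a in portal_addrs
            if not any(ipaddress.ip_address(a) in n for n in nets)]

def name_matches(host, cert_names):
    """Exact match, or a wildcard covering exactly the left-most label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def diagnose(host, portal_addrs, allow_entries, presented_names):
    """Combine the ACL gap with the certificate the client was shown."""
    missing = uncovered_portal_addrs(portal_addrs, allow_entries)
    cert = "ok" if name_matches(host, presented_names) else "mismatch"
    if cert == "mismatch" and missing:
        verdict = "intercepted: add the missing addresses to the pre-auth allowlist"
    elif cert == "mismatch":
        verdict = "allowlist complete: check the certificate installed on the portal"
    elif missing:
        verdict = "cert ok on this path, but some portal addresses are not allowlisted"
    else:
        verdict = "ok"
    return {"missing": missing, "cert": cert, "verdict": verdict}

# Constructed sample data: documentation-range addresses, hostnames from the thread.
HOST = "clearpass.mydomain.com"
PORTAL_ADDRS = ["192.0.2.10", "192.0.2.11", "192.0.2.20"]  # node 1, node 2, VIP
ALLOW = ["192.0.2.10/32"]  # role still lists only the original node

if __name__ == "__main__":
    # Names read from the certificate the browser was actually shown.
    print(diagnose(HOST, PORTAL_ADDRS, ALLOW, ["controller.mydomain.com"]))
```

In practice the address list would come from resolving the portal hostname and from the cluster's node and VIP configuration, and the presented names from the certificate the client saw.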
