Wireless Access

Hello,

So I have been getting reports of users getting a certificate error when trying to authenticate to our Guest Wireless.

We have a AP 105, 7210 Controller, Clearpass.

I have an individual certificate setup for the clearpass server.

I have our Wildcard cert setup for our controller (that we've created a DNS entry for) 

When I first log in to our guest wireless we get redirected properly with no issue. This sits on our Clearpass URL with our Clearpass cert. 

When I initiate the login, I see a redirect to the controller URL (showing our active wildcard) the controller is where I see the certificate error though. 

I added our wildcard using our full trust chain and have recieved the same results as far as I can tell. 

The message we see is that the 'server's certificate is not trusted' , however, it pulls up our current wildcard.  Looking at the certificate we see the message 'Windows does not have enough information to verify this certificate' 

Are we not able to use a wildcard in this instance since it is part of the authentication chain?

Is there a way to let all of the authorization happen on Clearpass?

Sorry if this is more of a clearpass issue, as far as I can tell it seems to point to the controller in this instance. 

In your Weblogin in ClearPass, what do you have for the address...the wildcard?

I have my controller's URL.

"aruba-controller.neumont.edu"

Attach a device to any wlan that is on that controller and try to ping that address to see what you get.

ping my controller URL?

I get replies from my Controller's IP. 

If I browse to my controller URL I get the trusted webpage for the controller using my wildcard. 

Your post mentioned that you are getting reports...does this mean it is sporadic or every time?  Later you mention you have the issue.  What URL appears in the browser bar hen you have this problem?

We didn't realize it was a problem because we had accepted the certificate on other computers. And we don't have a huge population of people on our Guest Network. 

I have a computer that I can re-create the issue with every time now. 

It happens on the URL aruba-controller.neumont.edu, when I view the certificate it shows my wildcard, but it gives the certificate error mentioned above. 

When I first connect to our Guest network, I get redirected to our clearpass page. (clearpass.neumont.edu) then when I log in, it redirects to the controller URL. 

Before importing the controller certificate into the controller, you probably needed to concatenate the intermediate certificate as well before importing.  I am attaching a slide from a colleague's presentation to show you how.  

1.  Open the intermediate CA cert that the CA gives you with a text editor

2.  Open the server cert that the CA gave you in a text editor

3.  Paste the intermediate CA cert material under the server cert material like the diagram below.

4.  Save the resulting file as server.cer

5.  Open the file in Windows to see if you can see the server cert as well as the CA cert.

6.  If it looks good, you can import the resulting server.cer file into the controller and see if you still have issues.

This is assuming that when you open up the controller's server certificate in the browser lock key that you only see the server cert and not the CA cert.

I put the Server cert, Intermidiate CA, and full trust chain in the cert that is currently there.

Why would I have no problem with the cert when I just browse to aruba-controller.neumont.edu but have a problem when I am being redirected by clearpass?

Open the lock in the browser and see what the cert says.  Does it have the CA and does it match the CA you imported and that you trust on your device?  There is probably a whole lot more to this that I do not know, so feel free to open a case so that they can get all the details and resolve.  I am only responding to the information you are giving me.

My problem was with the cert. I am apparently slow and didn't realize that when I was copy/pasting the certificate intermidiate, it was a pk7 format and not Certificate. Once I changed it out for the Certificate version, everything started working.