Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Aruba 7210 redirect to Clearpass Captive Portal

Hello,

So I have been getting reports of users getting a certificate error when trying to authenticate to our Guest Wireless.

We have an AP 105, 7210 Controller, Clearpass.

I have an individual certificate set up for the clearpass server.

I have our Wildcard cert set up for our controller (that we've created a DNS entry for).

When I first log in to our guest wireless we get redirected properly with no issue. This sits on our Clearpass URL with our Clearpass cert.

When I initiate the login, I see a redirect to the controller URL (showing our active wildcard). The controller is where I see the certificate error, though.

I added our wildcard using our full trust chain and have received the same results as far as I can tell.

The message we see is that the 'server's certificate is not trusted'; however, it pulls up our current wildcard. Looking at the certificate we see the message 'Windows does not have enough information to verify this certificate'.

Are we not able to use a wildcard in this instance since it is part of the authentication chain?

Is there a way to let all of the authorization happen on Clearpass?

Sorry if this is more of a clearpass issue; as far as I can tell it seems to point to the controller in this instance.

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Aruba 7210 redirect to Clearpass Captive Portal

In your Weblogin in ClearPass, what do you have for the address...the wildcard?

[Attached image: weblogin.png]



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Aruba 7210 redirect to Clearpass Captive Portal

I have my controller's URL.

"aruba-controller.neumont.edu"

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Aruba 7210 redirect to Clearpass Captive Portal

Attach a device to any wlan that is on that controller and try to ping that address to see what you get.



Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Aruba 7210 redirect to Clearpass Captive Portal

Ping my controller URL?

I get replies from my Controller's IP.

If I browse to my controller URL I get the trusted webpage for the controller using my wildcard.

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Aruba 7210 redirect to Clearpass Captive Portal

Your post mentioned that you are getting reports...does this mean it is sporadic or every time? Later you mention you have the issue. What URL appears in the browser bar when you have this problem?



Colin Joseph
Aruba Customer Engineering


Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Aruba 7210 redirect to Clearpass Captive Portal

We didn't realize it was a problem because we had accepted the certificate on other computers. And we don't have a huge population of people on our Guest Network.

I have a computer that I can re-create the issue with every time now.

It happens on the URL aruba-controller.neumont.edu. When I view the certificate it shows my wildcard, but it gives the certificate error mentioned above.

When I first connect to our Guest network, I get redirected to our clearpass page (clearpass.neumont.edu). Then, when I log in, it redirects to the controller URL.

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Aruba 7210 redirect to Clearpass Captive Portal

Before importing the controller certificate into the controller, you probably needed to concatenate the intermediate certificate as well before importing. I am attaching a slide from a colleague's presentation to show you how.

1.  Open the intermediate CA cert that the CA gives you with a text editor

2.  Open the server cert that the CA gave you in a text editor

3.  Paste the intermediate CA cert material under the server cert material like the diagram below.

4.  Save the resulting file as server.cer

5.  Open the file in Windows to see if you can see the server cert as well as the CA cert.

6.  If it looks good, you can import the resulting server.cer file into the controller and see if you still have issues.

[Attached image: intermediate.png]

This is assuming that when you open up the controller's server certificate in the browser lock key that you only see the server cert and not the CA cert.



Colin Joseph
Aruba Customer Engineering

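The concatenation steps above, done with openssl instead of a text editor, as an added example that is not part of the original thread. It builds a throwaway root, intermediate and wildcard certificate (example.test, the CNs and all file names are constructed for the demonstration), then checks the bundle the way a client that trusts only the root would.

```shell
#!/usr/bin/env bash
# Lab PKI built with openssl: root CA -> intermediate CA -> wildcard server cert.
# Every name here (example.test, file names, CNs) is constructed for the demo.

new_csr() {   # $1 = file prefix, $2 = common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_lab_pki() {   # $1 = work directory
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > "$d/leaf.ext"
  new_csr "$d/root" "Lab Root CA"
  new_csr "$d/intermediate" "Lab Intermediate CA"
  new_csr "$d/server" "*.example.test"
  # Self-signed root, then intermediate signed by root, then server signed by intermediate.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
    -CAkey "$d/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$d/leaf.ext" -out "$d/server-only.pem" 2>/dev/null
}

# Steps 1-4 of the post: server cert first, intermediate CA cert pasted under it.
build_chain() {   # $1 = server cert, $2 = intermediate cert, $3 = output file
  cat "$1" "$2" > "$3"
}

# Step 5 equivalent: how many certificates does the file contain?
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# A client that trusts only the root: does the presented file chain up to it?
client_trusts() {   # $1 = trusted root, $2 = file the server presents
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}
```

`client_trusts` fails for `server-only.pem` and succeeds for `server.cer`, which is the difference between a server that presents only its own certificate and one that presents the intermediate as well.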

Regular Contributor I
Posts: 195
Registered: ‎02-10-2014

Re: Aruba 7210 redirect to Clearpass Captive Portal

I put the Server cert, Intermediate CA, and full trust chain in the cert that is currently there.

Why would I have no problem with the cert when I just browse to aruba-controller.neumont.edu but have a problem when I am being redirected by clearpass?

Guru Elite
Posts: 20,993
Registered: ‎03-29-2007

Re: Aruba 7210 redirect to Clearpass Captive Portal

Open the lock in the browser and see what the cert says. Does it have the CA and does it match the CA you imported and that you trust on your device? There is probably a whole lot more to this that I do not know, so feel free to open a case so that they can get all the details and resolve. I am only responding to the information you are giving me.



Colin Joseph
Aruba Customer Engineering
