Wireless Access

Reply
Occasional Contributor I

Captive Portal Certificate change, stuck after (succesfully) uploading cert

Hi there,

I've gone through several topics and keep looping back to the same How-To topics, followed all the steps, but i'm kind of stuck in changing the certificate for our guest network login. 

We have 6 "apin0103" access points, and manage them via VC. 
I've created a certificate, converted everything to pem, and combined certificate, bundle and key in a single file as instructed.

In the VC web UI, i've gone to Maintanance, Certificates, Upload New Certificate.

I've selected "Captive Portal" as the certiicate type, "PAM (.pem..." as the certificate format, browsed to the combined file mentioned above, entered the key's passphrase and clicked "Upload Certificate". 

After a few seconds, i'm greeted with a success message telling me the certificate has been successfully added.

And that's where i'm stuck. As far as i understood, the hostname used for Captive Portal logins should be taken from the new certificate. However, when trying to connect to the network involved, i'm still greeted with the untrusted splash page on the default host (securelogin.arubanetworks.com). 

What am i missing here? I've browsed around the VC's UI and see no means to actually select a certificate for the internal Captive Portal anywhere...

I also don't see the added certificate anywhere. The Maintenance -> Certificates tab has a textarea that only displays the two default certificates that were already there before i (apparently succesfully) uploaded our own certificate.

Any help would be greatly appreciated. 

Thanks. 

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

Hi Miel,

 

Please share the output for the following command:

 

show captive-portal-domains

show version

 

Please check the output for "show cert all" on the CLI to check if the uploaded certificate is listed .

 

Was this a wildcard certificate or one with FQDN?

Occasional Contributor I

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

Hi, here's the output of the listed commands.

It seems the whole certificate upload from the Instant UI (although confirmed as being successfull) did not do much:

 

BM_ap_06# show captive-portal-domains

 

Internal Captive Portal Domain:

securelogin.arubanetworks.com

 

External Captive Portal Domains:

localhost

 

 

BM_ap_06# show version

Aruba Operating System Software.

ArubaOS (MODEL: 103), Version 6.4.0.2-4.1.0.0

Website: http://www.arubanetworks.com

Copyright (c) 2002-2014, Aruba Networks, Inc.

Compiled on 2014-05-29 at 18:21:55 PDT (build 44004) by p4build

 

AP uptime is 14 weeks 2 days 7 hours 42 minutes 37 seconds

Reboot Time and Cause: unknown

BM_ap_06# show cert all

 

Default Server Certificate:

Version       :3

Serial Number :01:DA:52

Issuer        :C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA

Subject       :0x05=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF, C=US, O=securelogin.arubanetworks.com, OU=GT28470348, OU=See www.geotrust.com/resources/cps (c)11, OU=Domain Control Validated - QuickSSL(R) Premium, CN=securelogin.arubanetworks.com

Issued On     :2011-05-11 01:22:10

Expires On    :2017-08-11 04:40:59

Signed Using  :SHA1

RSA Key size  :2048 bits

 

Default CP Server Certificate:

Version       :3

Serial Number :01:DA:52

Issuer        :C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA

Subject       :0x05=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF, C=US, O=securelogin.arubanetworks.com, OU=GT28470348, OU=See www.geotrust.com/resources/cps (c)11, OU=Domain Control Validated - QuickSSL(R) Premium, CN=securelogin.arubanetworks.com

Issued On     :2011-05-11 01:22:10

Expires On    :2017-08-11 04:40:59

Signed Using  :SHA1

RSA Key size  :2048 bits

 

BM_ap_06#

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

Hi Miel,

 

Is it possible to upgrade to IAP to latest firmware & then try uploading certificate?

 

Are you using a wildcard certificate or one with FQDN ?

Occasional Contributor I

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

FQDN, sorry missed that in my earlier response.

I'll have a look at upgrading the firmware, will report back.

Occasional Contributor I

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

Am i correct in assuming a valid support contract is required in order to download/get firmware updates?

I reckon we don't have one, but i'll scan some former colleagues' mailboxes later today to see if anything pops up

Guru Elite

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

A Valid Service contract is required for access to ALL firmware.  The limited lifetime warranty provides access to all of the firmware here:  

http://support.arubanetworks.com/LifetimeWarrantySoftware/tabid/121/DMXModule/661/Default.aspx?EntryId=20388

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Occasional Contributor I

Re: Captive Portal Certificate change, stuck after (succesfully) uploading cert

Thanks Joseph, i was successfully able to upgrade all our APs to the latest firmware in the link you sent.

 

Once all APs rebooted, i did have some trouble finding the one that was designated as being master, but after a few probes on the known AP IPs, i did get the correct overview of all APs in the virtual controller, yay!

Additionally, the firmware upgrade unveiled the certificate i had uploaded earlier, and upon trying the guest network from my local machine, i was indeed greeted with a splash screen on the new hostname (the one used as CN in the certificate).

One issue remains: i used to be able to connect to the Virtual Controller via instant.arubanetworks.com:4343, but am no longer able to (have to use the IP). 

Any hints as to where to configure that correctly? 
And even better: is there any way to set that hostname to (a) something different and (b) with a valid certificate? 

Thanks again!

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: