Wireless Access

Frequent Contributor I

Captive-portal & certificate requirement

Hi All,

In a master-local setup, if we configure the master IP to display the captive portal page under L3 Authentication > captive-portal profile, so that all the local controllers show the same captive portal page.

I would like to clarify the points below:

1) I hope the above requirement will work without any issues?

2) Can we have an FQDN only for the master controller IP?

3) Will this help to have only one certificate on the master for the captive portal, with no need for any certificates on the local controllers?

Please clarify

Frequent Contributor I

Re: Captive-portal & certificate requirement

Guru Elite

Re: Captive-portal & certificate requirement


thanjavurubhavesh@gmail.com wrote:

Hi All,

In a master-local setup, if we configure the master IP to display the captive portal page under L3 Authentication > captive-portal profile, so that all the local controllers show the same captive portal page.

I would like to clarify the points below:

1) I hope the above requirement will work without any issues?

2) Can we have an FQDN only for the master controller IP?

3) Will this help to have only one certificate on the master for the captive portal, with no need for any certificates on the local controllers?

Please clarify


The most efficient way is to have the same certificate for every controller.  That way the same Captive Portal profile URL will apply to all controllers in your cluster.  The Captive Portal Profile URL only serves to intercept the initial request when a client opens the browser and the submit when they enter their credentials; it has no connection to the network hostname of each controller.  When you upload a certificate for the captive portal on a controller, the controller will intercept any DNS requests for the FQDN of the uploaded certificate and respond with the IP address of the controller to the client (it is securelogin.arubanetworks.com by default).  By default that IP address will be the controller's management IP address.  You can use the "ip cp-redirect-address" command on each controller if you need that address to be something like the controller's IP address on the guest subnet.

Having the same certificate for each controller will only work if you create the CSR (Certificate Signing Request) outside of the controller, because creating a CSR on any controller only allows you to upload that specific certificate to that controller.  It is better to do the CSR offline and then upload the resulting certificate/CA combination to all controllers.

To specifically answer your questions:

1.  The requirement will work.

2.  There is no requirement for the FQDN to resolve to anything really, because the FQDN is only needed to intercept the client DNS requests for opening the captive portal page and then submitting credentials.  You could potentially have an FQDN like wireless.domain.com that resolves to nothing in real life, but the controller will intercept DNS requests for https://wireless.domain.com/guest/welcome.html and respond with its own IP address.  That is what makes it work across multiple controllers.

3.  You will still need the same certificate on your masters and locals.

I hope that helps.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
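The answer above describes two mechanics: each controller answers a client's DNS query for the certificate's FQDN with its own address (or the "ip cp-redirect-address" value), and the scheme only works if every controller carries the same certificate. The following is an added model of that decision logic, written for this thread; it is not ArubaOS code and does not come from Aruba. Controller names, addresses and fingerprints are constructed. It goes slightly beyond the post by applying the usual single-label wildcard rule, since wildcard certificates are recommended later in the thread, and by including a local with a mismatched certificate to show the failure mode of an on-box CSR.

```python
"""Model of the captive-portal DNS intercept and a same-certificate check.

Added example for this thread; not ArubaOS code.  All controllers, IPs,
names and fingerprints below are constructed for illustration.
"""
import hashlib
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def hostname_matches(pattern: str, name: str) -> bool:
    """Exact match, or a wildcard in the leftmost label that covers exactly
    one label ('*.example.com' matches 'wireless.example.com' but neither
    'example.com' nor 'a.b.example.com'); bare '*.com' is rejected."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


@dataclass
class Controller:
    name: str
    mgmt_ip: str
    cert_names: List[str]                  # CN/SAN names on the portal cert
    cp_redirect_address: Optional[str] = None   # "ip cp-redirect-address"

    def answer_dns(self, qname: str) -> Optional[str]:
        """IP handed back to a client that resolves the portal FQDN, or None
        when the query is not for the certificate's name and is forwarded."""
        if any(hostname_matches(p, qname) for p in self.cert_names):
            return self.cp_redirect_address or self.mgmt_ip
        return None


def portal_reachable_on_all(controllers: List[Controller], portal_url: str) -> Dict[str, Optional[str]]:
    """For the configured captive-portal profile URL, which address each
    controller would send the client to (None = that controller's cert does
    not cover the URL's host, so the portal breaks there)."""
    host = urlsplit(portal_url).hostname or ""
    return {c.name: c.answer_dns(host) for c in controllers}


def same_certificate(fingerprints: Dict[str, str]) -> bool:
    """True when every controller presented the identical leaf certificate."""
    return len(set(fingerprints.values())) == 1


def fetch_fingerprint(ip: str, fqdn: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (not used offline): connect to a controller IP with SNI set
    to the portal FQDN and return the SHA-256 of the leaf certificate.
    Trust is deliberately not evaluated here; only the fingerprint is compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


# Constructed deployment: a master, a local using cp-redirect-address, a
# local with a wildcard cert, and a local whose on-box CSR yielded a cert
# for its own hostname only.
PORTAL_URL = "https://wireless.example.com/guest/welcome.html"
DEMO_CONTROLLERS = [
    Controller("master", "10.0.0.1", ["wireless.example.com"]),
    Controller("local1", "10.0.1.1", ["wireless.example.com"], cp_redirect_address="192.0.2.10"),
    Controller("local2", "10.0.2.1", ["*.example.com"]),
    Controller("local3", "10.0.3.1", ["local3.example.com"]),
]

if __name__ == "__main__":
    for name, ip in portal_reachable_on_all(DEMO_CONTROLLERS, PORTAL_URL).items():
        print(f"{name}: {ip if ip else 'NOT intercepted - portal will fail here'}")
```

Running it offline shows the master answering with its management address, local1 with the guest-subnet address set by cp-redirect-address, the wildcard local with its management address, and local3 not intercepting at all. To check real controllers, collect `fetch_fingerprint(ip, fqdn)` per controller and pass the dictionary to `same_certificate`.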
ryh
Contributor II

Re: Captive-portal & certificate requirement

Colin,

This post is the clearest and most design-oriented post I have seen on the requirements and considerations for this whole process.  I think this should be the first thing that comes up when doing a search for anything in this topic, and maybe even placed at the beginning of the Guest section in the ArubaOS User Guide.

Would you spend a moment doing a similar recap for considerations in AOS 8.x with MM?  If there are any differences, such as when using ClearPass with clusters and which IPs are used there, that would be helpful to folks looking for guidance in an 8.x environment.

Thanks!

Guru Elite

Re: Captive-portal & certificate requirement

ryh,

Thanks for reminding me.

My advice above is specifically for controllers running 6.x with HTTPS certificates that would need to be installed on a controller in a basic multi-controller deployment without ClearPass.

Kevin_PM above posted a link here: https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Weblogin-NAS-Address-configuration-options-in-multi-controller/ta-p/275426 that details how to configure the ClearPass web server (not the 802.1X server) to accommodate multiple controllers with the same certificate, wildcard certificates (recommended) or different certificates.

With regards to 8.x the same principles apply, but where you upload certificates and how you deliver them to the MDs (controllers) is what differs.

Others can post their experiences below in response, because nothing is absolute and everyone has a different and possibly more efficient way of configuring or looking at things.
