
Certificates for ClearPass platform and controller or IAP

Hello to the whole community. I am posting this topic because there is little information available about converting and installing captive portal certificates with ClearPass, or with any other type of captive portal that we wish to run with an Aruba AP. It is needed because of a problem on the Aruba Networks platform with the native SSL certificate in all its products, CN = SECURELOGIN.ARUBANETWORK.COM: the certificate must be replaced on any communication equipment that needs to be validated by a public certificate authority, because the certificate authorities have definitively revoked this certificate on their platforms. For this we must acquire the certificates needed to launch the ClearPass platform with an IAP cluster. We must follow these steps:

 

1. Two (02) public SSL certificates are required, each with its private key (these certificates must be validated against the public domain of the company).

 

• A certificate for the ClearPass platform.
• A certificate for the IAP cluster.


• In ClearPass Policy Manager
The .csr must be generated in ClearPass:
In the browser, go to http://(IP of ClearPass or FQDN) > ClearPass Policy Manager > Credentials: user "admin", password "eTIPS123" > Administration > Certificate > Certificate Store > Create Certificate Signing Request. Fill in the data, mainly "Common Name", "Organization", "Location", "State", "Country", "Pkey Password" and "Verify PKey Password". The Pkey and its verification must be saved and delivered to the platform installation team, who will later upload the certificate and carry out the conversion from .P12 to .PEM. This conversion will be done via OpenSSL.
The .CSR that ClearPass issues must be delivered to the certificate provider for the creation of the SSL certificate belonging to ClearPass.


If you use Google Chrome, be careful: when you download the .csr, a status bar will appear saying that there are 2 files to download. Click Allow so that the private key is downloaded too, and save the two files.


The certificate provider issues a validation code and automatically sends it by email. To validate the certificates, the provider asks you to add the code that was sent by email to the DNS of the hosting. After adding the code to the DNS of the hosting, and once the DNS has updated, you must open a link sent by email by the provider, where they will validate the external DNS domain and allow the download of the required certificate. When downloading the certificates, you must choose the "other" option.


Note: The names of the certificates must be the same as or similar to the name chosen for the implementation that is being made. E.g., in this case a ClearPass installation must be an FQDN such as cppm.mydomain.com, where mydomain.com is the domain of the company.

 

• For the IAP cluster
You must create a .CSR separate from the ClearPass one on any .CSR generation page, such as https://decoder.link/csr_generator and https://www.mydomain.com/products/ssl/tools/csr-create. These generate two items, the .csr and the pkey, which must be copied into a .txt file. The .CSR that these generators emit must be delivered to the SSL certificate provider for the creation of the SSL certificate belonging to the IAP cluster.


If you use Chrome, be careful: when you download the .csr, a bar will appear saying that there are 2 files to download. Click Allow so that the private key is downloaded too, and save the two files.


The certificate provider issues a validation code and automatically sends it by email. To validate the certificates, the provider asks you to add the code that was sent by email to the DNS of the hosting. After adding the code to the DNS of the hosting, and once the DNS has updated, you must open a link sent by email by the provider, where they will validate the external DNS domain and allow the download of the required certificate. When downloading the certificates, you must choose the "other" option.


The Pkey issued by the .CSR generators must be saved and delivered to the department responsible for the installation of the product, since it will be used via OpenSSL together with the certificate issued by the SSL certificate provider.

 

Note: The names of the certificates must be the same as or similar to the name chosen for the implementation that is being made. E.g., if a ClearPass installation with IAP is being made, it must be an FQDN such as ClusterIAP.mydomain.com, where mydomain.com is the domain of the company.

 

2. Two (02) A records, or address records (also known as host records), must be created. An A record links a domain to the physical IP address of the computer that hosts the services of that domain. These records must be created in the external DNS of the company with the names of the subdomains created.

 

Once the certificates have been obtained, to generate the .PEM certificates for the IAP and ClearPass we must create a folder in Linux that contains the certificates issued by our SSL certificate provider (mycompany.com.crt and mycompany.com.key).

In the Linux console:

* mypc@L460:~$ ls (this shows us the folders in the location where our Linux server is installed)
* Create a folder with the mkdir command, with the name you prefer, and place the certificates provided by the SSL certificate generator (.crt and .key) in it.
* We become root with the sudo su command.
* root@L460:/home/user# cd (folder created in step number 2)
* root@L460:/home/user/myfolder# openssl pkcs12 -export -in mycompany.com.crt -inkey mycompany.com.key -out mycompany.com.p12 (this command generates a .p12 certificate inside the folder created for the certificates)
* root@L460:/home/user/myfolder# openssl pkcs12 -in mycompany.com.p12 -nodes -out mycompany.com.pem (finally, this command generates the .PEM certificate needed for our Aruba Networks devices)

 

It only remains to find the .PEM certificate in the folder we created, upload it to our IAP or AirWave, and assign the groups of devices that will use this certificate.

 

I hope this post will be of great help to those who are still looking for information regarding this.
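The workflow in the post above as an added shell example (not part of the original post): it goes slightly beyond the post by creating the key and CSR locally with OpenSSL, so the private key is never handled by a web generator, and by checking that the key matches the certificate before the two conversion steps. The FQDN, file names and export password are constructed placeholders, and a self-signed certificate stands in for the one the provider would issue.

```shell
#!/bin/sh
# Added example. FQDN, file names and the export password are constructed placeholders.
set -eu
FQDN="clusteriap.mydomain.com"
P12_PASS="ChangeMe-Example"

# Create the private key and CSR locally; only the .csr is sent to the provider.
make_csr() {
    umask 077    # key file is created readable by its owner only
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$FQDN.key" -out "$FQDN.csr" -subj "/CN=$FQDN" 2>/dev/null
}

# Stand-in for the provider: self-sign the CSR so the example runs offline.
fake_issue() {
    openssl x509 -req -in "$FQDN.csr" -signkey "$FQDN.key" \
        -days 1 -out "$FQDN.crt" 2>/dev/null
}

# SHA-256 of the public key held in a certificate or a private key file.
pub_hash() {    # $1 = cert|key, $2 = file
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
    esac | openssl sha256 | awk '{print $NF}'
}

# The post's two conversion steps, refused when key and certificate do not match.
build_pem() {
    [ "$(pub_hash cert "$FQDN.crt")" = "$(pub_hash key "$FQDN.key")" ] || return 1
    openssl pkcs12 -export -in "$FQDN.crt" -inkey "$FQDN.key" \
        -out "$FQDN.p12" -passout "pass:$P12_PASS"
    openssl pkcs12 -in "$FQDN.p12" -nodes -out "$FQDN.pem" -passin "pass:$P12_PASS"
    chmod 600 "$FQDN.pem"    # -nodes writes the private key unencrypted
}

workdir=$(mktemp -d)
cd "$workdir"
make_csr
fake_issue
build_pem
echo "PEM bundle written to $workdir/$FQDN.pem"
```

The resulting .pem holds the certificate and the unencrypted private key in one file, so it should be deleted from the workstation once it has been uploaded.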
