Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

  • 1.  HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    Posted Apr 10, 2017 09:29 AM

    Can I use a self-signed certificate for this issue?

    How can I upload it to the controller?

    Thanks for the answers



  • 2.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    EMPLOYEE
    Posted Apr 10, 2017 09:44 AM

    Hi,

     

    Is the client throwing this error message when trying to access the captive portal page?

    If the HTTPS server certificate is a self-signed cert and you are using the Chrome/Firefox browser, then it is expected behaviour. A self-signed cert is not trusted by these browsers and will cause an HSTS issue. Have you tried with Safari and checked?


    Regards,

    Pavan

    If my post addresses your query, give kudos :)



  • 3.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    EMPLOYEE
    Posted Apr 10, 2017 09:53 AM

    You need to have a publicly CA signed certificate for HTTPS in ClearPass.

     

    HSTS and self-signed certificates are not really related. If you try to navigate to an HTTPS website that is using HSTS, you will always receive the error. The certificate configuration on ClearPass has nothing to do with that.



  • 4.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    Posted Apr 10, 2017 10:18 AM

    Hi Tim,

    So the only solution for the issue that I'm encountering is to buy a public certificate? My client doesn't want to purchase anything. What are your recommendations?



  • 5.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    EMPLOYEE
    Posted Apr 10, 2017 10:22 AM
    If you want to secure the guest registration process, a certificate is required. You can get one for as low as $4.99.

    These requirements should be discussed during the design process.


  • 6.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    Posted Apr 10, 2017 10:28 AM

    So there is no free option that will not give us certificate error?



  • 7.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    EMPLOYEE
    Posted Apr 10, 2017 10:33 AM
    Not in a secure way, no. Certificates are a core component of security on the internet.


  • 8.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    Posted Apr 10, 2017 10:38 AM

    What are the free options, so that I can also discuss it with them? Thanks



  • 9.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    MVP
    Posted Apr 10, 2017 10:48 AM

    free = use http instead of https



  • 10.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    EMPLOYEE
    Posted Apr 10, 2017 10:50 AM
    Which is an awful idea…


  • 11.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    Posted Apr 10, 2017 10:53 AM

    But the Palo Alto firewall, I think, is forcing the user to use HSTS. I think I forgot to mention that.



  • 12.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error
    Best Answer

    EMPLOYEE
    Posted Apr 11, 2017 03:12 AM

    If you are really seeing HSTS messages, it is likely that this is not because of the captive-portal certificate, but because the initial redirect is done on HTTPS traffic to a site that uses HSTS.

     

    Unfortunately, installing a trusted certificate on ClearPass and the controller/Instant does not solve that; it is how HSTS is designed. You can only 'fix' the HSTS error by not making the redirect happen for HTTPS traffic.

     

    Check this post http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921 for a more in-depth explanation and possible workarounds.

     

    Regardless of the redirect, you will need a certificate on both ClearPass (or external captive portal server) and on the controller/IAP in order to prevent certificate warnings during the captive portal authentication.

     

    If you want to go the 'free' way for certificates, you can check out Let's Encrypt (https://letsencrypt.org/), which has some inconvenience if your systems are not exposed to the internet (which is for controllers/ClearPass mostly the case), combined with the fact that the certificates are only valid for 90 days. I would personally spend those few dollars and get a certificate from a commercial CA; you can get a 3-year cert for $15, and you need two of them (ClearPass + Controller/IAP). Can't look in your wallet, but the time you spend on renewing every 90 days is probably more expensive than just purchasing a commercial cert.
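
The behaviour described in the answer above, modelled as an added example (not part of the original thread and not Aruba or ClearPass code): which intercepted guest requests end in a clean redirect, a click-through warning, or a non-bypassable HSTS error. The host names and the HSTS store are constructed, and the model assumes the controller answers intercepted HTTPS with its own certificate and ignores entry expiry.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class HstsEntry:
    max_age: int
    include_subdomains: bool

def parse_hsts(header):
    """Parse a Strict-Transport-Security header value (RFC 6797)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not (value.isascii() and value.isdigit()):
                return None  # malformed max-age: the header is ignored
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else HstsEntry(max_age, include_sub)

def is_hsts_host(host, store):
    """Exact match, or a parent domain that set includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        entry = store.get(".".join(labels[i:]))
        if entry and entry.max_age > 0 and (i == 0 or entry.include_subdomains):
            return True
    return False

def portal_outcome(url, store):
    """What the guest's browser shows when the controller intercepts this request."""
    parts = urlsplit(url)
    hsts = is_hsts_host(parts.hostname, store)
    if parts.scheme == "http" and not hsts:
        return "redirected to portal, no warning"
    # HTTPS, or HTTP that the browser upgraded because of HSTS: the controller
    # answers with its own certificate, which cannot be valid for the requested name.
    return "hard error, no bypass" if hsts else "certificate warning, click-through possible"

# Constructed HSTS store, standing in for what a browser remembers from earlier visits.
STORE = {
    "bank.example": parse_hsts("max-age=31536000; includeSubDomains"),
    "news.example": parse_hsts("max-age=600"),
}
```

Only the plain-HTTP request to a host without an HSTS entry reaches the portal cleanly, which is why the fix is in which traffic gets redirected rather than in the certificate.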

     



  • 13.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    Posted Jan 26, 2018 05:26 AM

    Hi all,

    Is there a solution for IAP and Aruba Central?
    I cannot adjust the rule there, but I have the same problem with guest access (redirect).



  • 14.  RE: HELP!!! Certificate error after clearpass guest captive portal because of HSTS error

    EMPLOYEE
    Posted Jan 26, 2018 05:14 PM

    Please create a new thread with details about your specific issue. This one is almost a year old.


