Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

HTTPS Captive Portal

  • 1.  HTTPS Captive Portal

    Posted Jun 14, 2018 02:47 PM

    I am trying to get HTTPS captive portal working between ClearPass and the 7210 controller that we have.  I have public certs on both CPPM and the controller, and the CPPM server can be discovered via DNS from the outside.  I am getting an error showing that the certificate being served up by the controller is not matching the CPPM certificate.  This seems like you would have to either use a *.domain.com cert for both pieces of hardware, or you would have to have the ability to serve up the CPPM cert from the controller.  

    The pictures show the process of connecting when HTTPS is enabled.  They are in order of process on the mobile device.  Any assistance would be helpful. [attached screenshots: 1.jpg, 2.jpg, 4.jpg, 5.jpg, 6.jpg, 7.jpg]



  • 2.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 14, 2018 03:25 PM
    With the white marks over stuff, it’s very hard to troubleshoot.


  • 3.  RE: HTTPS Captive Portal

    Posted Jun 14, 2018 03:27 PM

    cppm.stcu.org is the host name for the ClearPass server.  

    aruba.stcu.org is the host name for the controller.  

    Wasn't going to share the certificate information with the web though...

     



  • 4.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 14, 2018 03:36 PM

    Edit: just realized some details are visible in the last screenshot.



  • 5.  RE: HTTPS Captive Portal

    Posted Jun 14, 2018 03:38 PM

    GoDaddy.



  • 6.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 14, 2018 03:47 PM

    If you are using a single host certificate, double check your ClearPass web server certificate, that it exactly matches the Common Name (CN) of your GoDaddy certificate (cppm.stcu.org).

     

    In one of your screenshots it appears like you are browsing/redirecting to https://cppm..../guest but the certificate viewer shows aruba..... from DigiCert.

     

    Have you correctly applied the GoDaddy certificate as web-server certificate on your ClearPass server? And not perhaps your controller certificate?



  • 7.  RE: HTTPS Captive Portal

    Posted Jun 14, 2018 03:52 PM

    I have validated that I did get the correct CN name (cppm.stcu.org).  

     

    The certificate for aruba.stcu.org (from the controller) is getting presented when the user is redirected to the captive portal. That aruba.stcu.org is only present on the controller. 

     

    I was thinking that if I can upload the cppm.stcu.org certificate to the controller and use that only for the captive portal server certificate, that this would resolve the issue?

     

    Though the issue with that is I can't upload that certificate as a server cert because the CSR is not going to match and the controller yells at me each time I try that:

    [attached screenshot: CSR.jpg]



  • 8.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 14, 2018 04:00 PM

    Can you share your L3 captive portal profile and guest logon role configuration on your controller?

     

    You only need the GoDaddy certificate on CPPM itself, not on the controller.



  • 9.  RE: HTTPS Captive Portal

    Posted Jun 14, 2018 04:15 PM

    The dst-nat with the IP address is a test that we were trying based on a blog post that we ran into. Haven't been able to test that yet though...

     

    [attached screenshots: captive portal L3.jpg, guestRole.jpg]



  • 10.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 14, 2018 05:09 PM
    Your ClearPass HTTPS cert should have all of the FQDNs of all nodes in the cluster as well as the VIP’s FQDN as SubjectAltNames.

    The controller captive portal certificate should have a generic common name (something like wifi-login.yourdomain.com). That CN needs to be configured in your Guest form.

    You should not use the same certificate on both ClearPass and your network devices.
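    The checks behind posts 6, 7 and 10 can be scripted. The following is an added example written for this thread, not Aruba or ClearPass code: it takes certificates in the dict shape that Python's ssl.SSLSocket.getpeercert() returns, reports whether the certificate a client received actually covers the host name it was redirected to (the aruba.stcu.org vs cppm.stcu.org symptom), and lists which cluster node FQDNs and VIP FQDN are missing from a ClearPass certificate's SANs. The sample certificates are constructed, and the node names cppm1.stcu.org / cppm2.stcu.org are assumptions for illustration; only cppm.stcu.org and aruba.stcu.org come from the thread.

```python
"""Captive-portal certificate checks: which name does the served certificate
cover, and does a ClearPass cluster certificate list every node plus the VIP?

Added example for this thread; not Aruba or ClearPass code. Certificates are
handled in the dict shape returned by ssl.SSLSocket.getpeercert(), so the same
functions work on a live peer certificate or on the constructed samples below.
"""
import socket
import ssl


def cert_names(cert):
    """Return (commonName, [DNS SANs]) from a getpeercert()-style dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cn, sans


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a leading '*' label matches
    exactly one label, so *.stcu.org covers cppm.stcu.org but not a.b.stcu.org
    and never the bare stcu.org."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parent = pattern[2:]
    labels = hostname.split(".")
    return "." in parent and len(labels) >= 2 and ".".join(labels[1:]) == parent


def cert_covers(cert, hostname, allow_cn_fallback=False):
    """True if a DNS SAN matches hostname. Current browsers ignore the CN, so
    the CN is consulted only if allow_cn_fallback is set and no SANs exist."""
    cn, sans = cert_names(cert)
    if sans:
        return any(name_matches(san, hostname) for san in sans)
    return allow_cn_fallback and cn is not None and name_matches(cn, hostname)


def diagnose(served_cert, requested_host):
    """Explain the warning from posts 6/7: the client was redirected to
    requested_host but the peer presented served_cert. Returns (ok, message)."""
    cn, sans = cert_names(served_cert)
    if cert_covers(served_cert, requested_host):
        return True, "ok: certificate CN=%s SANs=%s covers %s" % (cn, sans, requested_host)
    return False, ("mismatch: client asked for %s but received a certificate for "
                   "CN=%s SANs=%s; a host name warning is expected" % (requested_host, cn, sans))


def cluster_san_gaps(cert, node_fqdns, vip_fqdn):
    """Post 10's rule: the ClearPass HTTPS certificate must carry every cluster
    node FQDN and the VIP FQDN as SANs. Returns the names it does not cover."""
    required = list(node_fqdns) + [vip_fqdn]
    return [name for name in required if not cert_covers(cert, name)]


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the certificate a live server presents for hostname (SNI is sent).
    Chain verification stays on so getpeercert() returns the parsed dict, but
    host-name checking is disabled so a mismatch is returned for diagnose()
    instead of raising. Needs network; not called by the sample run below."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape; not real certificates.
CONTROLLER_CERT = {  # what the controller served (post 7)
    "subject": ((("commonName", "aruba.stcu.org"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),),
    "subjectAltName": (("DNS", "aruba.stcu.org"),),
}
CPPM_CERT = {  # single-host GoDaddy certificate on ClearPass (post 6)
    "subject": ((("commonName", "cppm.stcu.org"),),),
    "issuer": ((("organizationName", "GoDaddy.com, Inc."),),),
    "subjectAltName": (("DNS", "cppm.stcu.org"),),
}
CPPM_CLUSTER_CERT = {  # what post 10 asks for; node names are assumptions
    "subject": ((("commonName", "cppm.stcu.org"),),),
    "subjectAltName": (("DNS", "cppm.stcu.org"),
                       ("DNS", "cppm1.stcu.org"),
                       ("DNS", "cppm2.stcu.org")),
}
ASSUMED_NODES = ["cppm1.stcu.org", "cppm2.stcu.org"]

if __name__ == "__main__":
    # The thread's symptom: redirected to https://cppm.stcu.org/guest, but the
    # peer presented the controller's aruba.stcu.org certificate.
    print(diagnose(CONTROLLER_CERT, "cppm.stcu.org")[1])
    print(diagnose(CPPM_CERT, "cppm.stcu.org")[1])
    print("missing SANs:", cluster_san_gaps(CPPM_CERT, ASSUMED_NODES, "cppm.stcu.org"))
    print("missing SANs:", cluster_san_gaps(CPPM_CLUSTER_CERT, ASSUMED_NODES, "cppm.stcu.org"))
```

Running it against the constructed samples reproduces the thread's error (the aruba.stcu.org certificate does not cover cppm.stcu.org) and shows the single-host CPPM certificate leaving both assumed node names uncovered, which is the gap post 10 describes. fetch_peer_cert() can replace the constructed dict once you want to check the live portal; run diagnose() on its result with the host name the client was redirected to.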


  • 11.  RE: HTTPS Captive Portal

    Posted Jun 14, 2018 05:28 PM

    For the captive portal certificate, we have been using the HTTPS certificate and updating that name in the guest portal page.  Would you suggest getting a completely separate certificate? 

     

    Is there an up to date walkthrough that I can get?  This seems to be something that should be standard enough and widespread that a walkthrough could be made? 



  • 12.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 14, 2018 07:10 PM
    Yes, the controller captive portal certificate should be different from ClearPass. You should use the same captive portal certificate across all of your controllers. Just use a generic common name though.

    Have you reached out to your Aruba Partner?


  • 13.  RE: HTTPS Captive Portal

    Posted Jun 15, 2018 11:55 AM

    I have actually logged a case, which isn't getting anywhere.  They said the certificate error was desired functionality...So I have escalated the ticket and will hopefully get some traction.  I did include the partner on the escalation. Would still be nice to have a run guide on setting this up as well...



  • 14.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 15, 2018 07:22 AM

    Your rules definitely look odd, try reverting them back to basics and see if it works.

     

    The 1st rule needs to allow traffic from the user to your ClearPass server(s). You can use netdestinations as you did, either for any type of traffic or HTTPS/HTTP only (btw you could consolidate this in your policy by using 'svc-web' instead).

     

    The following rules trigger any HTTPS/HTTP connection from the client to do a dst-nat on port 8081/8080, which is the controller's internal web server:

     

    [attached screenshot: image.png]

    If your logon-role has a captive portal profile assigned, the controller will redirect the client to whatever you configured in the captive portal profile and not to the controller's own internal captive portal. [attached screenshot: image.png]

    There is a bit older technote on AOS + Guest, which discusses these basic workflows: https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/27453/1/AOS_GuestAcccess-AppNote.pdf

     

    Those mechanisms are still valid, independent of the AOS version you use.

     

    In terms of certificates please closely follow cappalli's recommendations and have two separate public signed certificates.

     



  • 15.  RE: HTTPS Captive Portal

    EMPLOYEE
    Posted Jun 15, 2018 08:46 AM
    Use the whitelist feature in the captive portal profile instead of modifying ACLs…