Wireless Access

Occasional Contributor II

HTTPS Captive Portal

I am trying to get HTTPS captive portal working between ClearPass and the 7210 controller that we have. I have public certs on both CPPM and the controller, and the CPPM server can be discovered via DNS from the outside. I am getting an error showing that the certificate being served up by the controller is not matching the CPPM certificate. This seems like you would have to either use a *.domain.com cert for both pieces of hardware, or you would have to have the ability to serve up the CPPM cert from the controller.

The pictures show the process of connecting when HTTPS is enabled. They are in order of process on the mobile device. Any assistance would be helpful.

[Screenshots: 1.jpg, 2.jpg, 4.jpg, 5.jpg, 6.jpg, 7.jpg]

Guru Elite

Re: HTTPS Captive Portal

With the white marks over stuff, it’s very hard to troubleshoot.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: HTTPS Captive Portal

cppm.stcu.org is the host name for the clearpass server.  

aruba.stcu.org is the host name for the controller.  

Wasn't going to share the certificate information with the web though...

 

Aruba Employee

Re: HTTPS Captive Portal

Edit: just realized some details are visible in the last screenshot.

Occasional Contributor II

Re: HTTPS Captive Portal

GoDaddy.

Aruba Employee

Re: HTTPS Captive Portal

If you are using a single host certificate, double check your ClearPass web server certificate, that it exactly matches the Common Name (CN) of your GoDaddy certificate (cppm.stcu.org).

 

In one of your screenshots it appears like you are browsing/redirecting to https://cppm..../guest but the certificate viewer shows aruba..... from DigiCert.

 

Have you correctly applied the GoDaddy certificate as web-server certificate on your ClearPass server? And not perhaps your controller certificate?

Occasional Contributor II

Re: HTTPS Captive Portal

I have validated that I did get the correct CN name (cppm.stcu.org).  

 

The certificate for aruba.stcu.org (from the controller) is getting presented when the user is redirected to the captive portal. That aruba.stcu.org is only present on the controller. 

 

I was thinking that if I can upload the cppm.stcu.org certificate to the controller and use that only for the captive portal server certificate, that this would resolve the issue?

Though the issue with that is I can't upload that certificate as a server cert because the CSR is not going to match and the controller yells at me each time I try that:

CSR.jpg

Aruba Employee

Re: HTTPS Captive Portal

Can you share your L3 captive portal profile and guest logon role configuration on your controller?

 

You only need the GoDaddy certificate on CPPM itself, not on the controller.

Occasional Contributor II

Re: HTTPS Captive Portal

The dst-nat with the IP address is a test that we were trying based on a blog post that we ran into. Haven't been able to test that yet though...

 

[Screenshots: captive portal L3.jpg, guestRole.jpg]

Guru Elite

Re: HTTPS Captive Portal

Your ClearPass HTTPS cert should have all of the FQDNs of all nodes in the cluster as well as the VIP’s FQDN as SubjectAltNames.

The controller captive portal certificate should have a generic common name (something like wifi-login.yourdomain.com). That CN needs to be configured in your Guest form.

You should not use the same certificate on both ClearPass and your network devices.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
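
The certificate layout recommended in the reply above can be checked on paper before anything is installed. The following is an added example, not part of the original thread and not Aruba code: it models each certificate as its SAN list plus a fingerprint, and all host names (`example.org`), fingerprints and function names are constructed for illustration.

```python
# Added example. Certificates are modelled as dicts of SAN dNSNames plus a
# fingerprint; every host name and fingerprint below is a constructed sample.

def name_matches(pattern, host):
    """RFC 6125-style match: '*' counts only as the entire leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, host):
    return any(name_matches(san, host) for san in cert["sans"])

def audit(clearpass_cert, clearpass_fqdns, controller_cert, login_name):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    for fqdn in clearpass_fqdns:  # every cluster node plus the VIP
        if not covers(clearpass_cert, fqdn):
            findings.append(f"ClearPass cert has no SAN for {fqdn}")
    if not covers(controller_cert, login_name):
        findings.append(f"controller cert does not cover {login_name}")
    if login_name in clearpass_fqdns:
        findings.append("controller login name collides with a ClearPass FQDN")
    if clearpass_cert["fingerprint"] == controller_cert["fingerprint"]:
        findings.append("same certificate installed on ClearPass and controller")
    return findings

def presented_ok(requested_host, presented_cert):
    """The client-side check: does the cert handed over cover the host in the URL?"""
    return covers(presented_cert, requested_host)

CPPM_FQDNS = ["cppm1.example.org", "cppm2.example.org", "cppm.example.org"]
GOOD_CPPM = {"fingerprint": "AA:01", "sans": CPPM_FQDNS}
GOOD_CTRL = {"fingerprint": "BB:02", "sans": ["wifi-login.example.org"]}
SINGLE_HOST = {"fingerprint": "CC:03", "sans": ["cppm.example.org"]}
WILDCARD = {"fingerprint": "DD:04", "sans": ["*.example.org"]}

if __name__ == "__main__":
    print(audit(GOOD_CPPM, CPPM_FQDNS, GOOD_CTRL, "wifi-login.example.org"))
    print(audit(SINGLE_HOST, CPPM_FQDNS, GOOD_CTRL, "wifi-login.example.org"))
    print(audit(WILDCARD, CPPM_FQDNS, WILDCARD, "wifi-login.example.org"))
    # The mismatch reported in this thread: the ClearPass name was requested,
    # but the controller's certificate was presented.
    print(presented_ok("cppm.example.org", GOOD_CTRL))
```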