Wireless Access

New Contributor
Posts: 1
Registered: ‎12-17-2013

how to apply a public cert to correct the default cert expiry issue on the wireless controller?

I am looking for some help.

I am trying to upload a Unique certificate to correct the Default Certificate expiry on an Aruba650 wireless controller. The controller is used as part of a Guest network, and while it does not host the Captive Portal page, it handles the redirection as the ClearPass (Amigopod) server we have hosts the Captive Portal login page.

I have uploaded our certificate "wireless-controller.ourdomain.com" which we have had signed by a Public CA (Verisign). The certificate uploads successfully when uploading with Certificate type "Public Certificate", however I am not able to select my uploaded certificate to be used as the Captive Portal Certificate.

 

In our use case, Guest Users are experiencing the Certificate Error after they have successfully entered their credentials on the ClearPass (Amigopod) Captive Portal page, and are in the process of being re-directed to the default landing page. They see the error appear for "securelogin.arubanetworks.com" hosted by the wireless controller, for which the default certificate was valid.

 

Any assistance is greatly appreciated.

Moderator
Posts: 918
Registered: ‎07-29-2010

Re: how to apply a public cert to correct the default cert expiry issue on the wireless controller?

In Amigopod, change your NAS-IP to wireless-controller.ourdomain.com. Then the controller, seeing that you are asking for its own webpage, will spoof the DNS name and take care of the login.

 

Regards

Samuel Pérez
ACMP, ACCP, ACDX#100

---

If I answered your question, please click on "Accept as Solution".
If you find this post useful, give me kudos for it ;)

Aruba Employee
Posts: 5
Registered: ‎12-07-2011

Re: how to apply a public cert to correct the default cert expiry issue on the wireless controller?

Hey Surjeet,

Here is the process to generate/import a public cert, when wanting to use a single public cert across multiple controllers. This is to replace the default cert (securelogin), and allows you to deploy this cert on multiple controllers, as DNS resolution is not required (DNS is spoofed by the controller, based on the cert CN, as per Sam's response).

 

----

Requirements:

· Certificate needs to be in PEM 509 format.

· cn name must be the captive portal URL (e.g. securelogin.domainname.com)

 

Steps:

  1. Generate the desired server private key: openssl genrsa -des3 -out server.key 1024
  2. Generate the desired server cert request: openssl req -new -key server.key -out server.csr
  3. Send .csr to your favorite CA
  4. Make the server private key unsecure (unencrypted with no password): openssl rsa -in server.key -out server.key.unsecure
  5. Combine the server cert (received from your CA) and its private key into a .pem file: cat server.key.unsecure server.cer > server.pem
  6. Upload the file: Maintenance->Captive Portal->Upload Certificate
------

 

Regards,

  Raphael
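
A pre-upload check for the server.pem bundle built in step 5 of the reply above, as an added example that is not part of the original posts or of Aruba's tooling: it confirms that the key is unencrypted, that key and certificate belong together, that the CN is the captive portal host name, and that the certificate has not expired. The function name check_portal_pem, the MIN_BITS warning threshold and the example.com host name are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-upload checks for the server.pem built in step 5.
# check_portal_pem, MIN_BITS and the example.com name are assumptions of this sketch.
MIN_BITS=2048   # this example's warning threshold, not a value from the thread

check_portal_pem() {   # usage: check_portal_pem <bundle.pem> <portal-hostname>
    pem=$1; want_cn=$2; rc=0

    # Step 4 leaves the key unencrypted; "-passin pass:" makes openssl fail
    # rather than prompt if the bundled key is still password-protected.
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: no unencrypted private key in $pem"; return 1; }
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: no certificate in $pem"; return 1; }

    # The certificate must carry the public half of the bundled private key.
    [ "$key_pub" = "$crt_pub" ] || { echo "FAIL: key and certificate do not match"; rc=1; }

    # The subject CN must equal the captive portal host name.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
         tr ',' '\n' | sed -n 's/^\(subject= *\)\{0,1\}CN=//p' | head -n 1)
    [ "$cn" = "$want_cn" ] || { echo "FAIL: CN is '$cn', expected '$want_cn'"; rc=1; }

    # -checkend 0 exits non-zero when notAfter is already in the past.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }

    # Key size is reported as a warning only and does not change the result.
    bits=$(openssl x509 -in "$pem" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$MIN_BITS" ] || echo "WARN: ${bits:-?}-bit key is below $MIN_BITS"

    [ "$rc" -eq 0 ] && echo "OK: $pem is consistent for $want_cn"
    return "$rc"
}

# Constructed sample input: a throwaway self-signed certificate, not a CA-issued one.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=securelogin.example.com" \
    -keyout "$demo_dir/server.key.unsecure" -out "$demo_dir/server.cer" 2>/dev/null
cat "$demo_dir/server.key.unsecure" "$demo_dir/server.cer" > "$demo_dir/server.pem"
check_portal_pem "$demo_dir/server.pem" securelogin.example.com
rm -rf "$demo_dir"
```

Because server.pem holds the private key in the clear, run the check on the machine where the key was generated and delete the working copies once the upload is done.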

 
