04-14-2016 10:04 PM
04-14-2016 10:07 PM
04-15-2016 12:11 AM
The best solution is to install correct HTTPS certificates on the controller and ClearPass (if used), so guests don't see the security alert. If that is not feasible, you can indeed switch off HTTP as capelli explained.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
04-15-2016 10:54 AM
Life off the wire
05-25-2016 07:01 PM - edited 05-25-2016 07:02 PM
I have a trusted HTTPS Cert installed and I still cannot get the Captive Portal to pop on an Apple iDevice. It works fine with HTTP (disabling HTTPS as suggested above).
I can navigate to Clearpass GUI via a browser on a Windows machine with HTTPS and it is secure (green https) with no cert warnings.
I have tried two different HTTPS Certs in ClearPass: Comodo and GoDaddy. Neither allows the portal to pop on Apple.
I assume it is an intermediate cert issue but how do we tell when it works fine elsewhere?
Anything else I can look at? Do I need to do other configurations in ClearPass after installing an HTTPS Cert (I did make sure it was the HTTPS and not the RADIUS cert)?
05-25-2016 07:27 PM
I figured it out... Kinda. The client's (iDevice) DNS servers were Internet only and could not resolve the host name of ClearPass as specified in the Login Page configuration of the Captive Portal profile. Therefore it could not validate the cert. As a test I opened up the internal DNS server so it could resolve.
I guess that leads to the question... how do I resolve internal DNS names without allowing access in my FW Policy to internal DNS?
As a side note, HTTP worked because I was using the IP address in the URL instead of host name. So I was not testing Apples for Apples!
05-25-2016 07:32 PM
The ClearPass certificate does not affect the captive network assistant.
For the DNS question, you have a few options:
- Leverage views on your DNS server to allow resolution of ClearPass but no other internal records
- Use your upstream router's DNS proxy feature
- Create a DNS entry for ClearPass in public DNS
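The first option in the reply above, sketched as an added example that is not part of the original thread: a split-view configuration in which the guest subnet can resolve the ClearPass host name but no other internal record. It assumes the DNS server is BIND 9; the subnet 10.99.0.0/16, the name clearpass.example.com, the address 192.0.2.10 and the file paths are placeholders.

```conf
// named.conf fragment (assumed BIND 9; all names and addresses are placeholders)
acl "guest-nets" { 10.99.0.0/16; };   // constructed guest WLAN subnet

// Views are evaluated top to bottom, so the guest view must come first.
view "guest" {
    match-clients { "guest-nets"; };

    // Guests still need Internet names resolved once they are past the portal.
    recursion yes;
    allow-recursion { "guest-nets"; };

    // The only internal name served to guests: a zone whose apex is the
    // ClearPass host name, so no sibling records of example.com are exposed.
    zone "clearpass.example.com" {
        type master;
        file "guest/clearpass.example.com.zone";
    };
};

// Everyone else gets the full internal zone.
view "internal" {
    match-clients { any; };
    recursion yes;
    zone "example.com" {
        type master;
        file "internal/example.com.zone";
    };
};

// Contents of guest/clearpass.example.com.zone:
//   $TTL 300
//   @  IN SOA ns1.example.com. hostmaster.example.com. (
//            2016052601 3600 600 604800 300 )
//   @  IN NS  ns1.example.com.
//   @  IN A   192.0.2.10
```

The guest firewall policy then only has to permit DNS to this one server, and the captive portal host name resolves for guests before authentication.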
05-26-2016 03:28 AM
Thanks for the options Tim. I will certainly test one of them.
FYI - If I change the Captive Portal URL to an IP instead of Host/Domain, the Captive Portal will not pop. Since it is not DNS related, I assume it does not pop because the URL does not match the Certificate. Just a guess though. Either way, I would not deploy Guest with IP for the host name so it's a moot point.
Thanks again for all your help answering everyone's questions! It makes our ability to support and deploy the products much easier not to mention our confidence level when we get through little things like this. Same goes for the others on your team!