Wireless Access

Reply
MVP
Posts: 112
Registered: ‎01-05-2016

how to disable https login for guest? the guests don't want to see the security alert.

Hi, how to disable https login for guest? the guests don't want to see the security alert. 

 

https://xx.xxx.x.x/guestlogin.page

 

Thanks a lot!

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: how to disable https login for guest? the guests don't want to see the security alert.

In the captive portal profile, uncheck "Use https". Also in under ClearPass
Guest go to Authentication and uncheck require HTTPS.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 473
Registered: ‎11-04-2011

Re: how to disable https login for guest? the guests don't want to see the security alert.

The best solution is to install correct HTTPS certificates on the controller and ClearPass (if used), so guests don't see the security alert. If that is not feasible, you can indeed switch off HTTP as capelli explained.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Occasional Contributor II
Posts: 22
Registered: ‎09-02-2015

Re: how to disable https login for guest? the guests don't want to see the security alert.

I completely agree with Herman!!! Always install a valid ssl certificate and you will have a secure solution!
Cheers,
Frank
Life off the wire
Occasional Contributor II
Posts: 12
Registered: ‎11-05-2015

Re: how to disable https login for guest? the guests don't want to see the security alert.

[ Edited ]

I have a trusted HTTPS Cert installed and I still cannot get the Captive Portal to pop on an Apple iDevice. It works fine with HTTP (disabling HTTPS as suggested above.

 

I can navigate to Clearpass GUI via a browser on a Windows machine with HTTPS and it is secure (green https) with no cert warnings. 

 

I have tried two different HTTPS Certs in Clearpass.. Comodo and GoDaddy. Neither allow the portal to pop on Apple. 

 

I assume it is an intermediate cert issue but how do we tell when it works fine elsewhere?

 

Any things else I can look at? Do I need to do other configurations in Clearpass after installing an HTTPS Cert ( I did make sure it was HTTPS and not Radius cert.)?

Occasional Contributor II
Posts: 12
Registered: ‎11-05-2015

Re: how to disable https login for guest? the guests don't want to see the security alert.

I figured it out... Kinda. The clients (iDevice) DNS servers were Internet only and could not resolve the host name of Clearpass as specified in the Login Page configuration of the Captive Portal profile. Therefore it could not validate the cert. As a test I opened up internal DNS server so it could resolve. 

 

I guess that leads to the question... how do I resolve internal DNS names without allowing access in my FW Policy to internal DNS?

 

As a side note, HTTP worked because I was using the IP address in the URL instead of host name. So I was not testing Apples for Apples!

 

 

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: how to disable https login for guest? the guests don't want to see the security alert.

The ClearPass certificate does not effect the captive network assistant.

 

For the DNS question, you have a few options:

-  Leverage views on your DNS server to allow resolution of ClearPass but no other internal records

- Use your upstream router's DNS proxy feature

- Create a DNS entry for ClearPass in public DNS

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 12
Registered: ‎11-05-2015

Re: how to disable https login for guest? the guests don't want to see the security alert.

Thanks for the options Tim. I will certainly test one of them.

 

FYI - If I change the Captive Portal URL to an IP instead of Host/Domain, the Captive Portal will not pop. Since it is not DNS related, I assume it does not pop becuase the URL does not match the Certificate. Just a guess though. Either way, I would not deploy Guest with IP for the host name so its a moot point. 

 

Thanks again for all your help answering everyone's questions! It makes our ability to support and deploy the products much easier not to mention our confidence level when we get through little things like this. Same goes for the others on your team!

Search Airheads
Showing results for 
Search instead for 
Did you mean: