Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

IAP DNS intercept

  • 1.  IAP DNS intercept

    Posted May 04, 2021 12:02 AM
    I have IAPs deployed (AP-515s) managed with Aruba Central. The IAP has an SSL certificate for the FQDN iap.<mydomain>.com and a DNS entry for it with the VC IP address 10.x.y.10.

    DNS for iap.<mydomain>.com is resolved by the wireless client to the IP address 17.31.98.1 (the Aruba magic VLAN IP) and not to 10.x.y.10, which the SSL certificate is bound to.
    This gives users an untrusted certificate warning when they are redirected to the IAP from ClearPass.

    How do I stop the IAP from intercepting DNS requests and/or have it return the VC IP address instead of the magic VLAN IP address?
    All clients get DHCP from an external DHCP server.

    Thanks

    ------------------------------
    Asela Abhayapala
    ------------------------------


  • 2.  RE: IAP DNS intercept

    MVP EXPERT
    Posted May 04, 2021 04:11 AM
    Under the WLAN, set the IP assignment to be Network Assigned. Why do you have a DNS entry for iap.<mydomain>.com ?

    ------------------------------
    Craig Syme
    ------------------------------



  • 3.  RE: IAP DNS intercept

    Posted May 04, 2021 07:15 AM
    Hi Craig, 

    It is set to network assigned. Guest network access is by self-registered captive portal, with an external captive portal on ClearPass. We have FQDNs for ClearPass and the IAP. When guests connect they are redirected to the ClearPass captive portal. Once a guest is registered with ClearPass, the session is redirected to the IAP to log in. It uses the host name of the IAP (FQDN) to redirect. If we used the IP address of the IAP (VC) instead of the FQDN, it would display an untrusted message to clients, since we need the SSL certificate on the IAP as well. The problem is that the IAP intercepts DNS requests from clients for the VC name and returns 172.31.98.1 instead of the actual VC IP address from the DNS server.

    ------------------------------
    Asela Abhayapala
    ------------------------------



  • 4.  RE: IAP DNS intercept
    Best Answer

    Posted May 06, 2021 02:09 AM
    Hi

    You don't need to upload your own certificate to the IAP. Central replaces the original self-signed certificate with the trusted "securelogin.hpe.com" one. You can use it for the redirect in ClearPass.

    If you need to use your own certificate, first check that you uploaded the correct certificate using the command "show cpcert". You don't need any DNS entry: the IAP captures DNS packets for the name from the certificate and automatically redirects to itself.

    Regards

    ------------------------------
    Piotr Filip

    ACEX#41/ACCX/ACDX/ACMX/CWNA/CWSP
    ------------------------------



  • 5.  RE: IAP DNS intercept

    Posted May 09, 2021 08:34 AM
    Thanks for the information. I will revert it back to the default Aruba cert and redirect to "securelogin.hpe.com" from ClearPass. Background is, we had a controller-based network. At that time we had to use our own certificate on the controller. A few months ago we upgraded all APs to Central. Same ClearPass setup. That's why I chose to install our own certificate on the IAP.

    Regards


    ------------------------------
    Asela Abhayapala
    ------------------------------



  • 6.  RE: IAP DNS intercept

    EMPLOYEE
    Posted May 04, 2021 10:54 AM
    Are you sure you installed the certificate correctly (with the complete chain) on the Instant AP?
    You don't need to add a DNS entry, as DNS interception should be enough.
    Did you configure the FQDN correctly in the login page (IP address) on ClearPass?
    Can you share a screenshot of the error you are getting?

    ------------------------------
    Ayman Mukaddam
    ------------------------------
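The checks suggested in replies 4 and 6 (does the client's DNS answer for the portal FQDN land on the AP's internal address, and does the certificate actually cover that FQDN) can be scripted from a wireless client. The script below is an added example written for this thread, not code from HPE Aruba or any poster. It assumes a 172.31.98.0/24 prefix for the magic VLAN (only 172.31.98.1 appears in the thread), a constructed VC address of 10.1.2.10, and a placeholder FQDN iap.example.com; the `diagnose` function works on supplied values so it can be exercised offline, while `live_check` gathers the real answers with the standard `socket` and `ssl` modules.

```python
"""Diagnose a captive-portal redirect whose FQDN resolves to the IAP's
internal (magic VLAN) address instead of the VC address the certificate
was issued for. Added example for this thread, not vendor code."""
import ipaddress
import socket
import ssl
from dataclasses import dataclass, field

# Assumption: the magic VLAN prefix; the thread only shows 172.31.98.1.
MAGIC_VLAN_NET = ipaddress.ip_network("172.31.98.0/24")


@dataclass
class Diagnosis:
    fqdn: str
    resolved: list
    intercepted: bool        # an answer fell inside the magic VLAN prefix
    matches_vc: bool         # the expected VC address was among the answers
    cert_covers_fqdn: bool   # a SAN entry matches the FQDN (wildcards allowed)
    notes: list = field(default_factory=list)


def hostname_matches(fqdn, names):
    """RFC 6125 style match: exact name or single-label wildcard."""
    fqdn = fqdn.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == fqdn:
            return True
        if (name.startswith("*.") and fqdn.count(".") == name.count(".")
                and fqdn.endswith(name[1:])):
            return True
    return False


def diagnose(fqdn, resolved_ips, expected_vc_ip, cert_names,
             magic_net=MAGIC_VLAN_NET):
    """Pure function: classify DNS answers and certificate coverage."""
    addrs = [ipaddress.ip_address(a) for a in resolved_ips]
    d = Diagnosis(
        fqdn=fqdn,
        resolved=[str(a) for a in addrs],
        intercepted=any(a in magic_net for a in addrs),
        matches_vc=ipaddress.ip_address(expected_vc_ip) in addrs,
        cert_covers_fqdn=hostname_matches(fqdn, cert_names),
    )
    if d.intercepted:
        d.notes.append("DNS answer is the AP's internal address: the IAP "
                       "intercepted the query, so the client reaches the "
                       "AP, not the VC address in the DNS server.")
    if not d.matches_vc:
        d.notes.append("Expected VC address not returned.")
    if not d.cert_covers_fqdn:
        d.notes.append("Certificate SANs do not cover the FQDN; a browser "
                       "warning is expected regardless of DNS.")
    return d


def live_resolve(fqdn):
    """DNS answers as seen by this client (uses the system resolver)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(fqdn, 443,
                                                         socket.AF_INET)})


def live_cert_names(host, port=443, timeout=5):
    """SAN DNS names of the certificate the host presents; verification
    uses the system trust store so a missing chain shows up as an error."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
            return [v for k, v in san if k == "DNS"]


def live_check(fqdn, expected_vc_ip):
    """Run the diagnosis against the network this client is attached to."""
    ips = live_resolve(fqdn)
    try:
        names = live_cert_names(fqdn)
    except ssl.SSLError as exc:          # e.g. incomplete chain uploaded
        names = []
        print(f"TLS verification failed: {exc}")
    return diagnose(fqdn, ips, expected_vc_ip, names)


if __name__ == "__main__":
    # Constructed sample reproducing the thread: client got the magic VLAN
    # address although the cert (and DNS server) refer to the VC address.
    print(diagnose("iap.example.com", ["172.31.98.1"], "10.1.2.10",
                   ["iap.example.com"]))
```

Run `live_check("iap.<mydomain>.com", "<VC address>")` from a guest client to see which of the two conditions applies; an `intercepted=True` result is the behaviour reply 4 describes as expected, and only the certificate coverage then decides whether the browser warns.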