Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Multi controller clearpass guest service ... captive portal cert question

  • 1.  Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 15, 2021 08:30 AM
    Hi,
    I have inherited a multi (6.5) mobility controller service running ClearPass Guest.

    I've just noticed

    1). Only the captive portal cert is installed on the controllers ... would have thought we'd also install the CA chain as well.

    2). The cert expires in 5 days' time!

    I know where to go to upload the cert and CA chains on the controller, but as the new cert name is going to be different, where do I specify using the new cert instead of the old one?

    ------------------------------
    Alex Sharaz
    ------------------------------


  • 2.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 15, 2021 09:03 AM
    Guess it's just in /Configuration/Management/General/Captive portal certificate

    :-)
    A

    ------------------------------
    Alex Sharaz
    ------------------------------



  • 3.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 15, 2021 09:55 AM
    You should import the chained certificate, so the server certificate and all intermediates up to the root in a single file. Root should not be included.

    This is different from ClearPass where you upload the intermediates separately.

    You found already where to apply it.

    Note that if you change the cert name, the URL for posting the credentials will change, and if you use ClearPass as an external captive portal the name should be changed there as well in the Weblogin page.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 15, 2021 01:27 PM
    Sigh !

    Haven't received the new cert yet, so we went and uploaded the root and intermediate certs tonight in preparation for obtaining the cert tomorrow.
    :-(




  • 5.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 15, 2021 01:29 PM
    So are we talking concatenated PEM or PKCS12?
    A




  • 6.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 16, 2021 05:32 AM
    Yes. Either of them should work; but I referred to concatenated pem as that is the easiest to create (for me, an old-schooler with a simple text editor).

    ------------------------------
    Herman Robers
    ------------------------------



  • 7.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 16, 2021 05:46 AM
    :-) vi is your friend

    o.k. so generated a PKCS12 file, have used openssl to check that it's got the cert and both the intermediate CAs in there ...

    so when I upload it onto the controller and click on view, it only shows the cert and the issuing intermediate CA.

    Is there any way to convince myself that the controller actually has both of the intermediate CAs in there ... other than applying it to the web interface and checking in the browser?
    A




  • 8.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 16, 2021 05:50 AM
    o.k never mind :-)

    configured the web interface on a controller and yes, can see the full certification path

    A




  • 9.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 16, 2021 12:34 PM

    Hello,

    I'm having an issue with my cert. The redirect is using the new captive portal cert with the same name; however, I'm now receiving a cert error on the clients. I get the error, "The issuer of this certificate could not be found." I do see the new cert being listed and it does list the issuer; however, it also says the issuer could not be verified. Would this be a problem with the intermediate cert? 

    I chained the intermediate cert to the Server cert as a PEM. When viewing the cert on the controllers, it does show the proper issuer, Digicert.

    Oddly enough, some devices never received the error. We had 8 Surfaces; 6 received the error, 2 did not.

    NOTE: I did open a TAC case, and when testing a device, during our troubleshooting, I used IE so I could "Proceed to insecure site" and it would allow me to connect. We then changed the cert name it was listed as on the controllers and when I reconnected on that device, I no longer received the error, so I thought that had fixed it; however, as I later came to find, many other devices still had the issue.

    Thanks,

    Nate




  • 10.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 16, 2021 01:01 PM
    What I did was to build a pkcs12 file of the cert and all the intermediates and upload that to the controller ... oops ... Conductor (sigh!)
    I also use the same cert for web and captive portal.
    From Firefox I can check and see that the full chain from cert CN to root CA is present.
    Rgds
    Alex





  • 11.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 17, 2021 04:35 AM
    Probably yes, that is an issue with the certificate chaining. Check the post below for an explanation. For PEM, concatenate the import file as follows:
    -----BEGIN CERTIFICATE-----
    the actual server cert
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    intermediate that issued the server cert
    -----END CERTIFICATE-----
    (... repeat for other intermediates if there are more than 2 intermediates...)
    -----BEGIN CERTIFICATE-----
    intermediate issued by the root CA
    -----END CERTIFICATE-----
    (... do NOT include the root CA...)
    -----BEGIN PRIVATE KEY-----
    private key here
    -----END PRIVATE KEY-----

    Or use p12 as suggested by Alex.

    ------------------------------
    Herman Robers
    ------------------------------
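    What the replies above describe, the concatenated PEM in exactly this order, the PKCS#12 alternative, and a way to convince yourself the intermediates really are in the file before it goes on the controller, as an added shell example that is not from the thread or from Aruba. It generates a throw-away root / intermediate 2 / intermediate 1 / leaf hierarchy with openssl so it runs offline; every name (captive.example.net, the "Example Trust" CAs) and the p12 password are made up. Note that openssl verify does not care about the order of the intermediates, so the order is only as good as the arguments you give build_bundle; what the checks do catch are a missing intermediate and the root being pasted in.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba: build the bundle in the order
# Herman describes (server cert, intermediates from the leaf's issuer up to the one
# signed by the root, no root, then the key) and prove it is complete before upload.
# A throw-away hierarchy root -> Intermediate 2 -> Intermediate 1 -> leaf is created
# locally so the script runs offline; every name and the p12 password are made up.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# minimal req config so nothing depends on the system openssl.cnf
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'
LEAF_EXT='basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:captive.example.net
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid'

# issue NAME SUBJECT ISSUER EXTENSIONS -> NAME.key and NAME.crt signed by ISSUER.{crt,key}
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -subj "$2" -out "$1.csr" 2>/dev/null
  printf '%s\n' "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 365 -sha256 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# the root stands in for the public CA root: a trust anchor on the client, never an upload
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -keyout root.key \
  -subj "/O=Example Trust/CN=Example Root CA" -days 365 -out root.crt 2>/dev/null
issue int2 "/O=Example Trust/CN=Example Intermediate 2" root "$CA_EXT"
issue int1 "/O=Example Trust/CN=Example Intermediate 1" int2 "$CA_EXT"
issue leaf "/CN=captive.example.net" int1 "$LEAF_EXT"

# build_bundle OUT LEAF KEY [INTERMEDIATE...] : the concatenated PEM for the controller.
# Give intermediates in signing order: the leaf's issuer first, the root-signed one last.
build_bundle() {
  out=$1 leaf=$2 key=$3; shift 3
  cat "$leaf" "$@" "$key" > "$out"
}

# split_bundle BUNDLE DIR : one file per certificate (DIR/cert_NN.pem, key skipped); prints the count
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert_%02d.pem", dir, n); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/   { inside = 0; close(f) }
    END { print n + 0 }' "$1"
}

# verify_bundle BUNDLE ROOT : "ok" when the first cert chains to ROOT using only the
# intermediates carried in BUNDLE. -no-CAfile/-no-CApath keep the system store out of it,
# so a success here cannot come from a pre-installed or cached intermediate.
verify_bundle() {
  bundle=$1 root=$2 dir=$(mktemp -d)
  split_bundle "$bundle" "$dir" >/dev/null
  : > "$dir/untrusted.pem"
  for f in "$dir"/cert_*.pem; do
    [ "$f" = "$dir/cert_01.pem" ] || cat "$f" >> "$dir/untrusted.pem"
  done
  set -- -CAfile "$root" -no-CAfile -no-CApath
  [ -s "$dir/untrusted.pem" ] && set -- "$@" -untrusted "$dir/untrusted.pem"
  if openssl verify "$@" "$dir/cert_01.pem" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# root_in_bundle BUNDLE : succeeds if a self-signed cert (the root) was pasted in by mistake
root_in_bundle() {
  dir=$(mktemp -d)
  split_bundle "$1" "$dir" >/dev/null
  for f in "$dir"/cert_*.pem; do
    s=$(openssl x509 -in "$f" -noout -subject)
    i=$(openssl x509 -in "$f" -noout -issuer)
    if [ "${s#subject=}" = "${i#issuer=}" ]; then return 0; fi
  done
  return 1
}

# to_p12 OUT LEAF KEY INTERMEDIATES_PEM PASSWORD : the same upload as PKCS#12
to_p12() {
  openssl pkcs12 -export -in "$2" -inkey "$3" -certfile "$4" -passout "pass:$5" -out "$1"
}
# p12_cert_count FILE PASSWORD : how many certificates the PKCS#12 carries
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c -- '-----BEGIN CERTIFICATE-----'
}

cat int1.crt int2.crt > intermediates.pem
build_bundle chain.pem leaf.crt leaf.key int1.crt int2.crt
to_p12 chain.p12 leaf.crt leaf.key intermediates.pem changeit
echo "certificates in chain.pem: $(split_bundle chain.pem "$(mktemp -d)")"
echo "chain.pem verifies against root.crt: $(verify_bundle chain.pem root.crt)"
root_in_bundle chain.pem && echo "root is in the bundle: take it out" || echo "root correctly left out"
```

    Run it against a real order by replacing the generated leaf.crt, leaf.key and int*.crt with the files from the CA; verify_bundle against the CA's root tells you whether every intermediate the browser would need is actually in the file, independent of what your own machine already trusts.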



  • 12.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 17, 2021 04:27 AM
    Firefox (or most browsers) are not great to test proper certificate chaining, unless you can reproduce the issue first with a non-chained certificate. Reason for that is that most browsers will add intermediate certificates to their local database, and if they have seen an intermediate once, the next time you get a certificate that is unchained, but is using the same intermediates, it will retrieve those from the local database and accept those as if they were sent as part of the chain.

    If you have your system internet reachable, an online check like with ssllabs will help, if it is internal, I use openssl for the same:
    $ openssl s_client -showcerts -connect 192.168.31.15:4343
    CONNECTED(00000003)
    depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = R3
    verify return:1
    depth=0 CN = *.arubalab.com
    verify return:1
    ---

    ... where you can see each of the intermediates... and if you continue the output, it will show the actual certs.

    When I remove the chaining, the openssl output will be:

    $ openssl s_client -showcerts -connect 192.168.31.15:4343
    CONNECTED(00000003)
    depth=0 CN = *.arubalab.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = *.arubalab.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---

    In Firefox, the page still looks 'Secure' as it has seen and cached the intermediates. You can remove those from the preferences, but for reliable testing, I would recommend a tool other than a browser.



    ------------------------------
    Herman Robers
    ------------------------------
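    The s_client check above, as an added example that is not from the post: a probe that forces a clean context (empty stdin, SNI via -servername, which the post's command does not send, and only the CA root as trust anchor with the system store switched off, so nothing cached or pre-installed can make an incomplete chain look good), plus an awk pass that turns the depth/verify lines into a one-line verdict. The two transcripts are the ones quoted in the post, with constructed placeholder blocks standing in for the base64 bodies that -showcerts prints; host, port and root file name in probe are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: probe an endpoint the way Herman does, but in a
# context that cannot be helped by cached intermediates, and reduce the verify lines
# to a single verdict. Host, port and root file names are placeholders.
set -eu

# probe HOST PORT ROOT_PEM : one handshake, everything on stdout (s_client writes the
# depth/verify lines to stderr, so they are merged). Empty stdin makes s_client exit
# after the handshake; -servername sends SNI, which matters when the WebUI (4343) and
# the captive-portal name are served with different certs; -CAfile plus the -no-CA*
# flags make the given root the only trust anchor, so the outcome depends solely on
# the intermediates the server sends. Not called here: it needs the network.
probe() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts \
    -CAfile "$3" -no-CAfile -no-CApath </dev/null 2>&1
}

# verdict : reads s_client output on stdin, prints one line.
#   depth=N lines give the chain depth reached; "verify error:num=CODE:..." lines carry
#   the X509 verify code (2/20 issuer not found, 21 unable to verify the first cert,
#   18/19 self-signed, 10 expired); BEGIN CERTIFICATE lines count what was sent.
verdict() {
  awk '
    /^depth=/ { cur = substr($1, 7) + 0; if (cur > max) max = cur; seen = 1 }
    /^verify error:num=/ {
      split($2, a, ":"); code = substr(a[2], 5) + 0; err[code] = 1
      if ((code == 2 || code == 20 || code == 21) && !bad_set) { bad = cur; bad_set = 1 }
    }
    /-----BEGIN CERTIFICATE-----/ { sent++ }
    END {
      if (!seen) { print "no-handshake"; exit }
      if (bad_set) { printf "unchained: no issuer for depth %d, %d cert(s) sent\n", bad, sent; exit }
      if ((18 in err) || (19 in err)) { print "self-signed in chain: root is not the given -CAfile"; exit }
      if (10 in err) { print "expired"; exit }
      for (c in err) { print "verify error " c; exit }
      printf "chain-ok: depth %d, %d cert(s) sent\n", max, sent
    }'
}

# Constructed samples: the two transcripts quoted in the post, with placeholder text
# where s_client -showcerts would print the base64 certificate bodies.
CHAINED=$(cat <<'EOF'
CONNECTED(00000003)
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = *.arubalab.com
verify return:1
---
-----BEGIN CERTIFICATE-----
(placeholder: server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(placeholder: R3)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(placeholder: ISRG Root X1, cross-signed)
-----END CERTIFICATE-----
EOF
)
UNCHAINED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.arubalab.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.arubalab.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
-----BEGIN CERTIFICATE-----
(placeholder: server certificate)
-----END CERTIFICATE-----
EOF
)

printf '%s\n' "$CHAINED"   | verdict
printf '%s\n' "$UNCHAINED" | verdict
```

    Against a live controller the call is `probe captive.example.net 443 ca-root.pem | verdict`; a partial chain (leaf plus the issuing intermediate but not the one signed by the root) shows up as "unchained" with the depth of the last cert the server did send, which is exactly the case a browser with a warm intermediate cache will hide.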



  • 13.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 21, 2021 10:22 AM
    Many thanks for this, really useful, I'll pass it on to our support people.
    Rgds
    Alex




  • 14.  RE: Multi controller clearpass guest service ... captive portal cert question

    Posted Sep 21, 2021 09:29 AM
    Hello Herman,

    Thank you for your assistance. Before messing with the cert some more, I tried just removing and reimporting the cert. This time it worked!

    Perhaps a newbie mistake, but when importing the cert (server cert chained with intermediate), I did not remove the previous cert (just server cert), I just named it the same and it seemed to overwrite the previous cert. On the second attempt, I removed the new cert I had added, pushed changes, and then uploaded the cert again and it worked.

    Thanks!
    Nate