Security

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Captive Portal cert error with Android

  • 1.  Captive Portal cert error with Android

    Posted Sep 19, 2018 11:36 AM

    I'm in the process of building out my new wireless guest network with Aruba controller (8.3.0.2) and ClearPass (6.7.5) controllers and am having an issue with a certificate error. I have a certificate from DigiCert on ClearPass as well as my controllers and it seems to work fine. When I connect to my captive portal on a Windows laptop, I get the captive portal pop-up and can log in with no certificate issues. I have a test iPad here as well and same thing: connect and log in with no certificate error.

    Now on 5 different Androids (running on different versions), I connect to the network and get the captive portal pop-up, which is HTTPS, and that's fine. But when I click login I get the certificate error. I only seem to get the cert error on Androids. I need another Apple device or two to test with to verify it with that as well, but the iPad and Windows devices are fine.

    I would think something like DigiCert would be already loaded on Android devices as it's a pretty common 3rd party certificate company. Has anyone had issues with Android phones/tablets having a certificate error where other vendors seem to be fine?

    I have an HTTPS certificate on ClearPass signed by DigiCert. I also have 3 individual HTTPS certificates on my controllers (each controller has its own and it's stacked with the intermediate and root CA together in one).



  • 2.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 11:53 AM
    1. You should use one, single name, generic captive portal certificate across all controllers
    2. Server certificates should only be uploaded with leaf + intermediates


  • 3.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:29 PM

    I have followed the guide listed here:

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Web-Login-NAS-Address-configuration-options-in-single-and-multi/ta-p/275426  (the last part Using Unique Captive Portal Certificates Per Controller)

    Since I am in a multi-controller setup, each with their own individual cert, I have those all added in the header HTML area. On each controller I have their own certs, each with their own common name. But I also have SANs created for them for different things. One of those SAN entries is the DNS address of the cluster of controllers. That is the entry that is referenced in the IP address field on the captive portal page on ClearPass.

    For the second part, so my stack of certs should not include the root CA? Just the SSL cert and intermediate?



  • 4.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:31 PM
    You should not use different certificates on each controller.

    Yes, leaf + intermediate only.


  • 5.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:36 PM

    Does having 3 different public certs on each controller, though, cause an issue with Androids and their cert error and not on Apple or Windows?



  • 6.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:41 PM
    It’s good to get to a baseline best practice configuration before continuing to troubleshoot.


  • 7.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:53 PM

    Thanks. I will go about doing that now and test it out. One more question: when creating the certificate, the common name should not be in DNS? And that common name is what I will put in the IP Address field on the captive portal webpage config in ClearPass?

    So if I create something like captive-portal.mydomain.com as the common name for all of my controllers, that is the same thing I put in the webpage config?



  • 8.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:59 PM
    Correct, you don’t put anything in DNS and a generic name is fine (network-login.yourdomain.com, captiveportal.yourdomain.com, etc). The CN of the cert is what goes in the weblogin config in ClearPass.
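
As an added example (not from the thread or from Aruba), a shell check using the openssl CLI for the two points made in the replies above: the uploaded bundle should hold leaf + intermediates only, and the certificate should present the name set in the ClearPass web login config. `check_bundle`, `make_demo_chain` and the example.com name are hypothetical; the demo chain is constructed test data.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl CLI.

# check_bundle BUNDLE NAME: returns 0 only if the bundle holds no self-signed
# (root) certificate and its first certificate presents NAME.
check_bundle() {
    bundle=$1; name=$2; rc=0
    work=$(mktemp -d) || return 2
    # Split the PEM bundle into one file per certificate, in file order.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++}
                      n{print > (d "/c" n ".pem")}' "$bundle"
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    i=1
    while [ "$i" -le "$n" ]; do
        c="$work/c$i.pem"
        subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        issr=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        echo "[$i] subject: $subj"
        echo "    issuer:  $issr"
        if [ "$subj" = "$issr" ]; then
            echo "    FAIL: self-signed root CA, remove it from the bundle"; rc=1
        fi
        i=$((i + 1))
    done
    if ! openssl x509 -in "$work/c1.pem" -noout -checkhost "$name" 2>/dev/null |
            grep -q 'does match'; then
        echo "FAIL: first certificate does not present $name"; rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# make_demo_chain DIR NAME: constructed throwaway root -> intermediate -> leaf
# chain, written as good.pem (leaf + intermediate) and stacked.pem (root added).
make_demo_chain() {
    d=$1; cn=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    for who in int leaf; do
        [ "$who" = int ] && s="Demo Intermediate CA" ca=root || { s=$cn; ca=int; }
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$s" \
            -keyout "$d/$who.key" -out "$d/$who.csr" 2>/dev/null
        openssl x509 -req -in "$d/$who.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
            -CAcreateserial -days 2 -out "$d/$who.pem" 2>/dev/null
    done
    cat "$d/leaf.pem" "$d/int.pem" > "$d/good.pem"
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/stacked.pem"
}
```
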


  • 9.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 01:57 PM

    OK, I used openssl and created the cert with keys and uploaded it to DigiCert, got my new one, combined the SSL cert and the intermediate CA in one file, then uploaded that same cert to all of my controllers and that went through.

    I then updated my web login address so it is captive-portal.<mydomain>.com, which is the same thing I used as the common name in the certificate. Now when I connect I get the error saying captive-portal.<mydomain>.com can't be found. Since there is no DNS entry for it, how does it know to go back to the controller?

    See attached.



  • 10.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 02:04 PM
    Run “show datapath fqdn” on the controller and ensure it is the common name of the cert.


  • 11.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 02:35 PM

    It originally showed up only as securelogin.arubanetworks.com. I changed the web-server profile on the highest folder for the controllers, but that didn't seem to work. So I had to manually change it on all of the controllers, and now it shows up correctly in the show datapath fqdn output and the captive portal does work now.

    I tested with my devices, and the Windows devices/iPads are working the same now. With Androids, it's been spotty. Either my phone doesn't get the certificate error anymore or it goes away really quickly and I don't have to accept. My tablet does the same thing. One of my co-workers' phones didn't get the cert error, but another's did. So I'm not sure if it's related to something with Android or something else.



  • 12.  RE: Captive Portal cert error with Android

    Posted Sep 06, 2019 10:06 AM

    I am having the same issue. Were you ever able to resolve it?