I have the following scenario:
2 controllers, master and standby, at the central site.
10 local controllers on remote sites (one controller in each site); for example, site A has one controller, site B the other controller, etc.
1 DMZ controller in the central site, which is a master controller and is alone.
All the local controllers are doing a GRE tunnel to the VRRP IP on the central site and passing the guest VLAN, which just exists in the controllers; then on the central site there is a GRE tunnel to the DMZ that does the same, passing only the guest VLAN.
I have a public certificate in ClearPass.
I have public certificates on the master and standby controllers.
I have a public certificate on the local controllers as well.
I don't think I have them on the DMZ controller because I don't authenticate there or anything; I just use it to terminate the tunnel from the master controller.
Now, for the public certificate on the controllers I'm using the same one. I did a request on an old ClearPass from which I can retrieve the private key, and put the private key, the signed cert and the root CA in a .pem and uploaded it to every controller.
The user logs in to the network.
If the user goes to an HTTP page he doesn't get a certificate error and gets the captive portal. If the user goes to an HTTPS page he gets an error but can continue.
The user fills in the info and requests access.
IT gets the email and gives them access, and they get redirected to the controller, and sometimes they get a public certificate error, especially on Macs, again, and you have to click again to continue. This confuses the end users and they don't know what to do.
Why is this happening, or how can I prevent it from happening?
Does anyone have any idea what could be wrong in my config or the way I did it?
Please try chaining the controller cert like this:
And also whitelist the DigiCert OCSP responders under the L3 Guest Captive Portal Authentication Profile:
netdestination ocsp-digicert-dest
  name ta2.symcb.com
  name tb2.symcb.com
  name tc2.symcb.com
  name td2.symcb.com
  name te2.symcb.com
  name tf2.symcb.com
  name tg2.symcb.com
  name th2.symcb.com
  name ti2.symcb.com
  name tj2.symcb.com
  name tk2.symcb.com
  name tl2.symcb.com
  name ta.symcd.com
  name tb.symcd.com
  name tc.symcd.com
  name td.symcd.com
  name te.symcd.com
  name tf.symcd.com
  name tg.symcd.com
  name th.symcd.com
  name ti.symcd.com
  name tj.symcd.com
  name tk.symcd.com
  name tl.symcd.com
  name tm.symcd.com
  name tn.symcd.com
  name to.symcd.com
netdestination ocsp-digicert-dest
  name *.symcb.com
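A bundle check to go with the chaining advice above (an added example, not from the thread or from Aruba): it walks the PEM file in upload order and reports any certificate that is not followed by its issuer, which is how a missing intermediate or a wrong order shows up before clients start seeing warnings. The certificate names and the sample certificates are constructed, unsigned stand-ins so the script runs offline; feed it the text of a real .pem instead.

```python
import base64, re

def _der(tag, *parts):                      # encode one DER TLV (bodies < 256 bytes)
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def _tlv(data, pos=0):                      # decode one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def names(cert_der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, tbs, _ = _tlv(_tlv(cert_der)[1])     # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = _tlv(tbs, pos)
        if tag != 0xA0:                     # skip the optional [0] version wrapper
            fields.append(val)
    return fields[2], fields[4]             # serial, sigAlg, issuer, validity, subject, ...

def check_chain(bundle):
    """List ordering problems in a leaf-first PEM bundle; [] means each cert is followed by its issuer."""
    b64 = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", bundle, re.S)
    certs = [base64.b64decode("".join(b.split())) for b in b64]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):         # raw DER compare: adequate for one CA's own issued files
        if names(certs[i])[0] != names(certs[i + 1])[1]:
            problems.append(f"cert {i} was not issued by cert {i + 1}: intermediate missing or out of order")
    issuer, subject = names(certs[-1])
    if issuer != subject:
        problems.append("bundle does not end with a self-signed root CA")
    return problems

# Constructed, unsigned stand-ins so the check runs offline; they are not real certificates.
def fake_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03"), _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), _der(0x30, b""),
               name(issuer), _der(0x30, b""), name(subject), _der(0x30, b""))
    return _der(0x30, tbs, _der(0x30, b""), _der(0x03, b"\x00"))

def to_pem(der):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(der).decode()}\n-----END CERTIFICATE-----\n"

LEAF, INTER, ROOT = "portal.example.com", "Example Intermediate CA", "Example Root CA"
GOOD_BUNDLE = to_pem(fake_cert(LEAF, INTER)) + to_pem(fake_cert(INTER, ROOT)) + to_pem(fake_cert(ROOT, ROOT))
NO_INTERMEDIATE = to_pem(fake_cert(LEAF, INTER)) + to_pem(fake_cert(ROOT, ROOT))   # leaf + root only
```

Pass check_chain() the text of the real .pem; a private key block in the same file is ignored because only CERTIFICATE blocks are parsed.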
Thank you, Victor.
Let me try this!