Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Problems with captive portal and certificate when redirecting to controller

  • 1.  Problems with captive portal and certificate when redirecting to controller

    Posted Feb 13, 2020 09:25 AM

    Hello

    I got the following scenario

    1 Clearpass

    2 Controllers  -master stand by central site

     

    10 local controllers on remote sites ( one controller in each site) for example site A one controller Site B the other controller  etc

     

    1 DMZ controller in the central site, which is a master controller and it's alone.

     

    All the local controllers are doing a GRE tunnel to the VRRP IP on the central site and passing the guest VLAN, which exists only on the controllers. Then on the central site there is a GRE tunnel to the DMZ that does the same: it passes only the guest VLAN.

     

    I got a public certificate in ClearPass

    I got public certificates on the master and standby controllers

    I got a public certificate on the local controllers as well

    I don't think I have them on the DMZ controller because I don't authenticate there or anything; I just use it to terminate the tunnel from the master controller

    Now for the public certificate on the controllers I'm using the same one. I did a request on an old ClearPass from which I can retrieve the private key, put the private key, the signed cert and the root CA in a .pem, and uploaded it to every controller.

     

    The scenario:

     

    The user logs in to the network

    If the user goes to an HTTP page, he doesn't get a certificate error and gets the captive portal. If the user goes to an HTTPS page, he gets an error but he can continue

    The user fills in the info and requests access

    IT gets the email and gives them access, and it gets redirected to the controller, and sometimes they get a public certificate error again, especially on Macs, and you have to click again to continue. This confuses the end users and they don't know what to do

    Why is this happening, or how can I prevent this from happening?

    Does anyone have any idea what could be wrong in my config or the way I did it?

     

    Cheers

    Carlos



  • 2.  RE: Problems with captive portal and certificate when redirecting to controller

    Posted Feb 13, 2020 10:06 AM
    What is the third-party CA for the cert?



  • 3.  RE: Problems with captive portal and certificate when redirecting to controller

    Posted Feb 13, 2020 12:32 PM

    Hello Victor

    It's DigiCert



  • 4.  RE: Problems with captive portal and certificate when redirecting to controller

    Posted Feb 13, 2020 03:48 PM

    Please try chaining the controller cert like this:

    [Screenshot: How to Create a .pem File for SSL Certificate Installations]

    https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

     

    And also whitelist digicert OCSP under the L3 Guest Captive Portal Authentication Profile

    netdestination ocsp-digicert-dest
    name ta2.symcb.com
    name tb2.symcb.com
    name tc2.symcb.com
    name td2.symcb.com
    name te2.symcb.com
    name tf2.symcb.com
    name tg2.symcb.com
    name th2.symcb.com
    name ti2.symcb.com
    name tj2.symcb.com
    name tk2.symcb.com
    name tl2.symcb.com
    name ta.symcd.com
    name tb.symcd.com
    name tc.symcd.com
    name td.symcd.com
    name te.symcd.com
    name tf.symcd.com
    name tg.symcd.com
    name th.symcd.com
    name ti.symcd.com
    name tj.symcd.com
    name tk.symcd.com
    name tl.symcd.com
    name tm.symcd.com
    name tn.symcd.com
    name to.symcd.com

    or

    netdestination ocsp-digicert-dest
    name *.symcb.com

    https://knowledge.digicert.com/solution/SO28927.html#Download 
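
A way to check both suggestions from reply 4 before uploading a bundle to the controllers, as an added example that is not part of the thread: it tests whether the certificates in the .pem are chained in order and lists the OCSP responder hosts they reference, so those can be compared with the `netdestination` entries. It assumes the `openssl` CLI is installed and that the intended order is server certificate first, then each issuing CA.

```shell
#!/bin/sh
# Added example: sanity-check a controller PEM bundle with the openssl CLI.
# Assumed order: server certificate first, then each issuing CA up to the root.

# split_bundle BUNDLE DIR: write each certificate (not keys) to DIR/cert-N.pem, print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# check_chain_order BUNDLE: 0 if every certificate names the next one as its
# issuer, 1 if not, 2 if no certificate was found. Compares names only; it
# does not verify signatures.
check_chain_order() {
    dir=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$dir")
    i=1; rc=0
    [ "$count" -ge 1 ] || rc=2
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer | sed 's/^issuer=//')
        next=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$next" ]; then
            echo "cert $i: issuer is not the subject of cert $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$rc"
}

# ocsp_hosts BUNDLE: print the OCSP responder hostnames the certificates point
# to, for comparison with the hosts allowed before authentication.
ocsp_hosts() {
    odir=$(mktemp -d) || return 2
    ocount=$(split_bundle "$1" "$odir"); j=1
    while [ "$j" -le "$ocount" ]; do
        openssl x509 -in "$odir/cert-$j.pem" -noout -ocsp_uri
        j=$((j + 1))
    done | sed -nE 's#^[a-z]+://([^/:]+).*#\1#p' | sort -u
    rm -rf "$odir"
}

if [ "$#" -gt 0 ]; then   # usage: sh <this script> bundle.pem
    check_chain_order "$1" && echo "chain order OK"; ocsp_hosts "$1"
fi
```
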



  • 5.  RE: Problems with captive portal and certificate when redirecting to controller

    Posted Feb 17, 2020 04:56 PM

    Thank you Victor

    Let me try this!

     

    Cheers

    Carlos