Security
Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Issue with CPPM and Aruba AP with wildcard certificate

  • 1.  Issue with CPPM and Aruba AP with wildcard certificate

    Posted Apr 13, 2021 11:36 AM

    Hello,
    I've been having an issue with the integration of a CPPM to manage guest and specific access to Wi-Fi using some Aruba APs.
    I was able to properly upload the wildcard and CA certificates on both sides.
    I can access the guest login page without any issues when prompted, but once I enter the credentials it shows me a warning message saying that

    XXX.mydomain.tld is not using a valid domain; the certificate received was *.mydomain.tld. (More or less; it is in French, sorry.)

    I think it is related to the "Captive portal server" certificate, because if I remove it on my Aruba VC, the message changes, identifying the default securelogin.arubanetworks.com for the certificate.

    The question is: how do I configure things properly so that I do not receive the warnings?

    This also brings up another question, as I am not quite sure how the whole thing works as an exchange; can someone confirm the flow?

    Customer hooks up on the Wi-Fi
    > gets prompted with the captive portal page on the CPPM
    > login > gets forwarded back to the AP VC?
    > VC sends back the credentials/additional information to CPPM
    > CPPM validates credentials, sends back the policy/roles to the AP VC, which finally allows user devices to communicate properly within the limits of the roles?

    Thanks in advance,

    Xavier



    ------------------------------
    Xavier Sirard
    ------------------------------


  • 2.  RE: Issue with CPPM and Aruba AP with wildcard certificate

    MVP GURU
    Posted Apr 14, 2021 08:42 AM
    Hello Xavier,

    If you have a wildcard certificate, you need to set captiveportal-logon.mydomain.tld (and not vc).

    Have you also checked whether you have the chain of this certificate?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------
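The warning in the first post is a hostname-matching failure: the name the client is redirected to must be covered by the certificate's wildcard. As an added illustration (not code from the thread, from Aruba or from ClearPass), this is the RFC 6125 wildcard rule a browser applies; the SAN list and every hostname other than *.mydomain.tld, captiveportal-login.mydomain.tld and securelogin.arubanetworks.com are constructed for the example.

```python
import re
from typing import List

# DNS label syntax (letters, digits, hyphen; no leading/trailing hyphen).
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one certificate SAN entry against a hostname.

    '*' is honoured only as the entire left-most label and matches exactly
    one label, so '*.mydomain.tld' covers 'captiveportal-login.mydomain.tld'
    but neither 'mydomain.tld' nor 'a.b.mydomain.tld'. Comparison is
    case-insensitive and ignores a trailing dot.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if not all(LABEL_RE.match(lab) for lab in h_labels):
        return False  # malformed hostname (e.g. contains '*')
    if p_labels[1:] != h_labels[1:]:
        return False  # everything right of the first label must be identical
    first = p_labels[0]
    if first == "*":
        # A bare wildcard needs at least two labels to its right ('*.tld' is
        # rejected), matching what browsers enforce.
        return len(p_labels) >= 3
    return first == h_labels[0]


def covered_by(hostname: str, sans: List[str]) -> List[str]:
    """Return the SAN entries that cover hostname; empty means a browser warning."""
    return [san for san in sans if wildcard_matches(san, hostname)]


if __name__ == "__main__":
    # Constructed SAN list for a wildcard certificate like the one in the thread.
    sans = ["*.mydomain.tld", "mydomain.tld"]
    for name in ["captiveportal-login.mydomain.tld",  # thread's fix: covered
                 "securelogin.arubanetworks.com",     # IAP default name: not covered
                 "guest.vc.mydomain.tld",             # two labels deep: not covered
                 "mydomain.tld"]:                     # covered only by the bare SAN
        print(f"{name:36} -> {covered_by(name, sans) or 'WARNING'}")
```

Chain completeness (the other point raised in this thread) is a separate check; with the vendor's root in root.pem and the intermediates in intermediate.pem, `openssl verify -CAfile root.pem -untrusted intermediate.pem leaf.pem` should succeed before the bundle is imported.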



  • 3.  RE: Issue with CPPM and Aruba AP with wildcard certificate

    Posted Apr 14, 2021 09:07 AM

    Hello,

    I saw that afterward and changed it to captiveportal-login.domain.tld (assuming it is login and not logon as you wrote).

    I have the chain of the certificate and the wildcard; I use the same pair for CPPM without issues.

    I found out (while tcpdumping from my test MacBook) that it was trying to reach a virtual IP of a temporary DHCP server I had on the VC.
    Once I removed it from the config, the Android device started to work.

    However, the Mac still doesn't want it.

    I have opened a TAC case with Aruba and already spent a few hours with them, double-checking all the basic configuration.

    They've tried tweaking a few things here and there.

    I can access the Wi-Fi just fine, and the CPPM portal too, but I still have the same issue on the Mac.

    I was not able to confirm with them, but I do not know if it is normal that my test MacBook is talking to 172.31.98.1 (which appears to be some kind of default IP for the AP)?

    Any leads are interesting to follow.

    Thanks,



    ------------------------------
    Xavier Sirard
    ------------------------------



  • 4.  RE: Issue with CPPM and Aruba AP with wildcard certificate

    EMPLOYEE
    Posted Apr 14, 2021 09:29 AM
    It could be that you just imported the server (wildcard) certificate into your VC. You will need to add the intermediates (chaining) before the import.

    Check here on how to create that chained certificate (you have one, so you can skip the CSR and request part).

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 5.  RE: Issue with CPPM and Aruba AP with wildcard certificate

    MVP GURU
    Posted Apr 14, 2021 09:43 AM
    +1 with Herman; check whether you also have the chain on the certificate pushed to the VC (do you have AirWave or Central for management?)
