Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AP505 controller - certs for Corp and guest Wifi

  • 1.  AP505 controller - certs for Corp and guest Wifi

    Posted Jan 19, 2021 02:00 PM
    Just set up a new internal CA with an NPS server and have issued a cert to my NPS and a client cert for domain-joined laptops.

    This appears to be working OK. Am I supposed to upload our root CA cert to the controller for the corp Wifi? So far there doesn't seem to be a need for this unless it's best practice, as I haven't changed any of the default certs for the controller.

    With regard to guests (non domain-joined devices), they are getting the "secure connection failed" since they have no cert installed.

    So do I need to purchase a public CA cert for the guest users to stop them being prompted and upload it to the controller?
    Thanks all


  • 2.  RE: AP505 controller - certs for Corp and guest Wifi

    MVP EXPERT
    Posted Jan 19, 2021 03:15 PM
    Hi Brownbeargrrrrrrrrrrrrr,

    In an EAP-TLS setup there are no certificates needed on the controller; the controller just forwards/passes through EAP messages via RADIUS. Your NPS server needs a RADIUS server certificate, and the CA root and/or CA intermediate certificates from your PKI. The client needs a computer or user certificate and the same CA root and/or CA intermediate certificates from your PKI in its trust list.

    Configure your client adapter 802.1X settings in the right manner and always validate the RADIUS server certificate on the client side.

    EAP-TLS certificate authentication will not work for non-domain guest users.

    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------



  • 3.  RE: AP505 controller - certs for Corp and guest Wifi

    Posted Jan 19, 2021 03:31 PM
    Thank you Marcel for clearing that up with regard to EAP-TLS and domain-joined clients.

    For the guest wifi we are just going to use WPA2 Personal with a password rather than EAP-TLS. This is working fine except for the browser warnings, since the cert is the default out of the box and not trusted by non-domain laptops / mobile phones / Android / Apple etc.

    So since we will never have access to guests' devices, do I require a public CA cert and import that into the Aruba somehow?

    Thank you




  • 4.  RE: AP505 controller - certs for Corp and guest Wifi

    MVP EXPERT
    Posted Jan 19, 2021 04:19 PM
    How do your guests authenticate? Through a captive portal or EAP-PEAP?





  • 5.  RE: AP505 controller - certs for Corp and guest Wifi

    MVP EXPERT
    Posted Jan 19, 2021 04:28 PM
    For captive-portal authentication you need a publicly signed webserver certificate uploaded to the controller and configured for use in captive-portal authentication.





  • 6.  RE: AP505 controller - certs for Corp and guest Wifi

    Posted Jan 19, 2021 04:55 PM
    Thanks all,

    Once guests enter the password to connect (WPA2 Personal) I intend to use the "Splash page internal acknowledged", which has no username or password, just terms and conditions which they must accept.

    So it looks like I need a public cert as you say?

    Would it be recommended to use EAP-PEAP instead? I just wanted something simple for guests.




  • 7.  RE: AP505 controller - certs for Corp and guest Wifi

    MVP EXPERT
    Posted Jan 19, 2021 05:11 PM
    That's correct, for the captive-portal splash screen a public web server certificate must be imported to the controller, as well as the root CA/intermediate from the public CA.

    EAP-PEAP is not recommended because it can leak credentials easily.




    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------



  • 8.  RE: AP505 controller - certs for Corp and guest Wifi

    Posted Jan 19, 2021 05:30 PM
    So if I buy a cert from DigiCert and import this to the controller, this would work?

    What/where do I get the root CA or intermediate CA, as my CA is internal?

    Does DigiCert for example roll this into their cert?

    Sorry, this is new to me Marcel.




  • 9.  RE: AP505 controller - certs for Corp and guest Wifi

    MVP EXPERT
    Posted Jan 19, 2021 05:56 PM
    Hi Vinnie,

    No problem mate, certificates are hard to understand for a lot of people.

    When buying a public webserver certificate this basically consists of a couple of steps:
    1. Generate a certificate signing request (CSR) with the OpenSSL application that's natively integrated in Linux. In the place where your CSR is created you will also get the private key after generation, which is needed to import the signed server certificate later on; keep it safe and don't distribute ;). Some public CA authorities can create the CSR on their portal, then you get the certificate and private key delivered as a bundle from the public CA. In most cases the CSR is created on a Linux box by yourself. When creating the CSR it's important that the common name (CN) is a fully qualified domain name.

    2. When buying a webserver certificate the public CA will ask you to upload the CSR and validate that you're the owner of your public DNS. This is done by email, DNS check, web check or by phone in some cases.

    3. After validation of your public DNS you get your webserver certificate and the publicly available CA root and intermediate certificates delivered in a bundle. If you generated the CSR yourself you have your private key. If your public CA generated the CSR you also get the private key in the bundle.

    4. Now you have to import your certificate. The easiest way (which I prefer) is to combine all four items into one PKCS12 certificate, a type that contains your webserver certificate, private key, CA root and intermediate all in one. This can be generated with the OpenSSL application as well. Please note that the certificate chain must be in order.

    Depending on your configuration it's possible you need two certificates:
    1. a webserver certificate for "showing" the https://captive-portal.domain.com
    2. a webserver certificate controller.domain.com for the form post

    Not fully sure, but I think that when your controller and captive portal are on the same device only one certificate is needed.

    Some examples of how to work with OpenSSL you can find on my blog https:/blog.marcelkoedijk.nl

    There is also a lot of documentation around here on Airheads; the Certificate 101 document can also be a good starting point.

    ------------------------------
    Marcel Koedijk | MVP Expert 2020 | ACMP | ACCP | Ekahau ECSE
    ------------------------------
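Worked example added by the editor (not Marcel's code and not from his blog): a POSIX shell script that walks steps 1 through 4 above with OpenSSL, ending with the chain-ordered PKCS12 file that gets imported on the controller. It assumes the placeholder FQDN captive-portal.example.com, and since a public CA cannot be reached offline, a throwaway local root and intermediate (constructed here) stand in for the public CA's signing step and the root/intermediate bundle it returns.

```shell
#!/bin/sh
# Added example, not from the original thread. Steps 1-4 above with OpenSSL:
# CSR + private key, CA signing, then one PKCS12 with cert, key, intermediate
# and root in chain order. A demo root + intermediate (constructed here) stand
# in for the public CA; CN below is a placeholder FQDN.
set -e
WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-captive-portal.example.com}"  # must be the FQDN guests browse to

# Step 1: the private key stays on this box; only the CSR goes to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$CN" \
    -keyout "$WORK/portal.key" -out "$WORK/portal.csr" 2>/dev/null
  chmod 600 "$WORK/portal.key"
}

# Demo-only stand-in for the public CA (self-signed root, then intermediate).
make_demo_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Demo Root CA" -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Steps 2-3: after domain validation the CA signs the CSR (here: the demo intermediate).
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$CN" > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/portal.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/portal.crt" 2>/dev/null
}

# Step 4: one PKCS12, chain in order: leaf cert + key first, then intermediate, then root.
make_pkcs12() {
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.pem"
  openssl pkcs12 -export -inkey "$WORK/portal.key" -in "$WORK/portal.crt" \
    -certfile "$WORK/chain.pem" -name "$CN" -passout pass:changeit -out "$WORK/portal.p12"
}

# Check before uploading: the leaf must chain via the intermediate to the root,
# and the bundle must carry all three certificates (a missing one = browser warning).
verify_bundle() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/portal.crt" >/dev/null
  n=$(openssl pkcs12 -in "$WORK/portal.p12" -passin pass:changeit -nokeys 2>/dev/null \
      | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 3 ]
}
```

For a real deployment, skip make_demo_ca and sign_csr, send portal.csr to the public CA, and drop the returned certificate and chain files in their place before running make_pkcs12.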



  • 10.  RE: AP505 controller - certs for Corp and guest Wifi

    Posted Jan 19, 2021 06:58 PM
    Thank you Marcel for the detailed explanation.

    I don't think I can generate a CSR on the AP505, there is no option to do it, so I will have to do some reading from your blog.

    If only 1 webserver cert is required, which one should I get, the controller.domain.com or captive-portal.domain.com?
