Controllerless Networks

  • 1.  Aruba Central and ClearPass Guest - NAS Logon URL

    Posted Apr 22, 2020 07:47 AM

    I'm not sure what NAS login URL I need to use for Aruba Instant managed by Central, using ClearPass Guest.

     

    Redirection to the web page is all clear, but when I try to log in I get a login failed. I am not sure if I'm using the correct URL; this should be the CN of the certificate of the Instant AP, but how can I check this?

     

    In Central I can choose a captive portal certificate of default and aruba_default; I don't know what the difference is.


     

    I'm now using securelogin.hpe.com




  • 2.  RE: Aruba Central and ClearPass Guest - NAS Logon URL

    Posted Apr 22, 2020 08:08 AM

    I have managed to upload a custom certificate (wildcard) and selected the certificate to be used for captive portal.

     


    1. In the Network Operations app, filter All Devices.

    2. Under Maintain, click Organization.

    3. Select the Certificates tab.

    The Certificates page opens.

    4. Click the plus icon to add the certificate to the certificate store.

    5. In the Add Certificate dialog box, do the following:

    a. In the Name text box, specify the certificate name.

    Now, when I do an nslookup for captiveportal.company.com (CN name) I get a DNS response back with a strange address: 172.31.98.1

     

    Is this some kind of default address? The Instant AP is in a 10.x network.



  • 3.  RE: Aruba Central and ClearPass Guest - NAS Logon URL

    Posted Apr 22, 2020 12:57 PM

    Hello, 

     

    If you're using a wildcard certificate, you should use: captiveportal-login.domain.tld.


    captiveportal-login replaces the asterisk * of the cert. If you have a named certificate like myportal.company.com, you should use this name in the URL.

     

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

     

     

    You should use a publicly signed certificate and not a certificate from your internal PKI, because external guests don't have your internal CA in their trust list. They will get a certificate error as soon as they click Log In on the captive portal.

     

    This IP is an internal IP of your IAP. When you upload a captive redirect certificate, the IP of your NAD will always respond to this CN.

     

    Cheers
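
The naming rule from the last reply, as an added example that is not part of the thread or of any Aruba tooling: given the CN (and any SAN names) read from the captive portal certificate, it derives the hostname the NAS login URL should use and checks whether a configured URL is covered by that certificate. Function names are hypothetical, the sample values are constructed, and the one-label wildcard match is the usual browser behaviour, assumed here.

```python
from urllib.parse import urlsplit

# Added example; function names are illustrative, not an Aruba or ClearPass API.
# Label the reply above says replaces the "*" of a wildcard certificate.
WILDCARD_LABEL = "captiveportal-login"


def expected_login_host(cert_cn: str) -> str:
    """Hostname the NAS login URL should use for a certificate with this CN."""
    cn = cert_cn.strip().lower().rstrip(".")
    if cn.startswith("*."):
        return f"{WILDCARD_LABEL}.{cn[2:]}"
    return cn


def name_matches(host: str, cert_name: str) -> bool:
    """Browser-style match (assumed): '*' covers exactly one left-most label."""
    host = host.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return host == cert_name
    head, _, tail = host.partition(".")
    return bool(head) and tail == cert_name[2:]


def check_login_url(login_url: str, cert_cn: str, cert_sans=()) -> dict:
    """Compare a configured NAS login URL with the captive portal certificate."""
    parts = urlsplit(login_url if "://" in login_url else f"https://{login_url}")
    host = (parts.hostname or "").lower()
    names = [cert_cn, *cert_sans]
    return {
        "host": host,
        "expected_host": expected_login_host(cert_cn),
        "https": parts.scheme == "https",
        "covered_by_cert": any(name_matches(host, n) for n in names),
        "is_expected": host == expected_login_host(cert_cn),
    }


if __name__ == "__main__":
    # Constructed sample values; company.com mirrors the placeholder in the thread.
    for url, cn in [
        ("https://captiveportal-login.company.com/", "*.company.com"),
        ("securelogin.hpe.com", "*.company.com"),
        ("https://myportal.company.com", "myportal.company.com"),
    ]:
        print(url, cn, check_login_url(url, cn))
```

A result with `covered_by_cert` false means the guest's browser would reject the certificate at login; `is_expected` false with `covered_by_cert` true means the name is valid for the certificate but is not the one the reply says to use.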