Aruba IAP Guest Certificate

  • 1.  Aruba IAP Guest Certificate

    Posted Oct 02, 2024 06:13 AM
    We have 10 separate Aruba IAP clusters in our environment and are currently in the process of updating the WEB UI certificate. At the moment, the same certificate is used for both the WEB UI and the Guest network. The captive portal for the Guest SSID is configured in Clearpass.
     
    Is a separate guest certificate required for Aruba IAP?
    We're accessing the IAP using its IP address. How can we create a single certificate to accommodate this?

    I'm new to this, so I would appreciate your help.



  • 2.  RE: Aruba IAP Guest Certificate

    Posted Oct 02, 2024 10:53 AM

    I don't remember which version introduces the functionality (check the release notes) but later versions of IAP allow for separate certificates for captive portal and WebUI.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Aruba IAP Guest Certificate

    Posted Oct 03, 2024 05:26 AM

    I think the functionality was added with Instant version 8.7.

    Either way, here is where you can upload and assign the type: Maintenance->Certificates->Upload



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 4.  RE: Aruba IAP Guest Certificate

    Posted 25 days ago

    Hi,

    Can we use the same certificate for captive portal and web UI?

    We are accessing the IAP clusters using its IP address. How can we create a single certificate to install in multiple Aruba clusters?




  • 5.  RE: Aruba IAP Guest Certificate

    Posted 25 days ago

    Yes.

    Use a tool, openssl for instance, to create the CSR.  Once you've got the CSR and private key, submit the CSR as usual.  Then combine the signed certificate along with the private key for upload to the APs.

    https://wirelesswires.com/openssl-and-you-managing-certificates-and-signing-requests-csr/



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
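
The CSR, sign and combine steps from the reply above, as an added example that is not part of the original post or Aruba's documentation. The name `portal.example.net`, the file names, and the certificate-then-key layout of the combined file are assumptions, and a self-signature stands in for the CA so the script runs offline.

```shell
#!/usr/bin/env bash
set -eu
umask 077                      # key material: owner-only files
FQDN="portal.example.net"      # hypothetical captive-portal name, not from the thread

# Step 1: private key + CSR, with the name in both the subject CN and the SAN.
make_csr() {                   # $1 = working directory
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN" \
    -keyout "$1/portal.key" -out "$1/portal.csr" 2>/dev/null
}

# Step 2 stand-in: self-sign the CSR so the example runs offline.
# In practice the CSR goes to your CA and portal.crt is what comes back.
standin_sign() {               # $1 = working directory
  printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$1/san.cnf"
  openssl x509 -req -in "$1/portal.csr" -signkey "$1/portal.key" -days 1 \
    -extfile "$1/san.cnf" -out "$1/portal.crt" 2>/dev/null
}

# Pre-upload check: does this private key belong to this certificate?
key_matches_cert() {           # $1 = certificate, $2 = private key
  kc_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  kc_key=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$kc_cert" = "$kc_key" ]
}

# Pre-upload check: does the certificate cover the portal name?
cert_covers_name() {           # $1 = certificate, $2 = DNS name
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Step 3: combine certificate and key, refusing a mismatched pair.
make_bundle() {                # $1 = working directory
  key_matches_cert "$1/portal.crt" "$1/portal.key" || return 1
  cert_covers_name "$1/portal.crt" "$FQDN" || return 1
  cat "$1/portal.crt" "$1/portal.key" > "$1/portal-bundle.pem"
}

# Constructed run in a throwaway directory.
demo_dir=$(mktemp -d)
make_csr "$demo_dir"; standin_sign "$demo_dir"; make_bundle "$demo_dir"
openssl x509 -in "$demo_dir/portal-bundle.pem" -noout -subject -enddate
rm -rf "$demo_dir"
```

The combined file contains the private key, so the same key ends up on every cluster it is uploaded to; keep the file owner-readable only and delete working copies after upload.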



  • 6.  RE: Aruba IAP Guest Certificate

    Posted 24 days ago

    In my current setup, we have installed the certificate for guest.example.com on all Aruba IAP clusters for the captive portal and WebUI. However, there is no FQDN mapped to the controller IP address, as guest.example.com resolves to the ClearPass IP address. Instead of using secure.arubanetworks.com, guest.example.com is configured in ClearPass.

    I'm new to Aruba IAP. Can someone explain how it works?




  • 7.  RE: Aruba IAP Guest Certificate

    Posted 23 days ago

    The captive portal certificate on the IAP is what the AP will respond to when the client is logging in.  This is not the ClearPass certificate; ClearPass gets a separate certificate that matches whatever you are redirecting to.

    The IAP captive portal certificate FQDN is the value that you input to ClearPass as the "Address" for the login portion.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 8.  RE: Aruba IAP Guest Certificate

    Posted 23 days ago

    My question is: What IP address should the IAP captive portal certificate FQDN resolve to?

    We have multiple IAP clusters




  • 9.  RE: Aruba IAP Guest Certificate

    Posted 23 days ago

    Nothing.  That FQDN shouldn't exist in DNS at all.  The IAP will respond to the DNS query directly, and the client device will interact with the IAP.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 10.  RE: Aruba IAP Guest Certificate

    Posted 17 days ago

    Thanks for the update. For instance, on the self-registration page, we've specified guest.example.com in ClearPass. We need to install a captive portal certificate with CN = guest.example.com, which should be a publicly signed certificate. Also, this guest.example.com does not require a DNS IP. Is my understanding correct?

    Is this certificate used for communication between ClearPass and the IAP?




  • 11.  RE: Aruba IAP Guest Certificate

    Posted 17 days ago

    Answered in your other thread on this topic.

    https://community.arubanetworks.com/discussion/captive-portal-is-not-working-in-apple-iphones



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------