I've set up a guest Wi-Fi with my Aruba controllers and ClearPass standalone. I have a Digicert wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert."
Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com
I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.
I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.
For Clearpass, I installed the wildcard intermediate and root in the Trusted list.
When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com." If I click show certificate, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."
Does this need Internet access to validate the certificate? My Guest-logon role only allows internal access to Clearpass. Am I using the incorrect web site for the captiveportal login?
Thanks for your help
BTW, my ClearPass server has its own certificate, clearpass.domain.com. It's not using the wildcard.
Generally, when the client first connects to the Guest network, the initial splash page comes from ClearPass Guest. Is that when the client is getting the warning?
Thanks for the reply. No. I get the Clearpass captive portal page. I enter my Guest credentials, click connect, then I get the warning.
In the weblogin page that you have configured on ClearPass Guest, what hostname are you using in the "Login" section of that weblogin?
I believe this is the setting; my understanding is that this is what to use if you're using a wildcard certificate.
OK, this setting is correct, so now the controller should have a wildcard cert with that domain.
What is the SAN field of the wildcard cert that you have installed on the controller for captive portal usage?
oh. I didn't add a SAN when I bought it. Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com? I would like to use this for my Clearpass server too. Maybe I should have both names added?
Yes, you need a SAN field for wildcard certs, and you could use it for your ClearPass node as well.
No, you should not add captiveportal-login.domain.com as a SAN.
"captiveportal-login" just tells the controller / IAP to use their wildcard cert for captive portal redirection.
Thanks for your help, ariyap. I was able to reissue the certificate with the SANs. I've installed it on the controller and assigned it to the captive portal. But I'm still getting the error with the new certificate. Any other ideas?
You should not add captiveportal-login.domain.com as a SAN.
I think I figured it out. You have to import the CA bundle into the controller. I was uploading a Root, Intermediate, then the certificate with private key. But the way to do it is import the certificate bundle with the private key and now it's working. Just a note for anyone who sees this in the future.
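The fix in the last reply, a single PEM bundle instead of separately uploaded root, intermediate and server certificate, can be assembled and checked on a workstation before it is imported. The script below is an added example, not from this thread, from Aruba or from HPE: it builds the bundle and uses openssl to confirm that the server certificate chains to the root contained in the bundle, that its SAN covers the hostname the controller redirects clients to (wildcard allowed), and that the private key belongs to the server certificate. The bundle order (server certificate, intermediate(s), root, private key), the domain example.test and the throwaway root/intermediate/wildcard PKI the script builds are assumptions for illustration; the thread does not state the controller's exact import format.

```shell
#!/bin/sh
# Added example (not from the thread): assemble the captive portal PEM bundle
# and check it with openssl before uploading it to the controller.
# Assumed bundle layout: server cert, then intermediate(s), then root, then
# private key. Domain names and the demo PKI below are constructed.

# make_bundle OUT LEAF KEY CA...   (CA certs in chain order, root last)
make_bundle() {
  out=$1; leaf=$2; key=$3; shift 3
  grep -q -- '-----BEGIN CERTIFICATE-----' "$leaf" || { echo "$leaf: not a PEM certificate" >&2; return 1; }
  grep -q -- 'PRIVATE KEY-----' "$key" || { echo "$key: not a PEM private key" >&2; return 1; }
  cat "$leaf" "$@" "$key" > "$out"
}

# split_pem BUNDLE DIR: writes DIR/cert-1.pem, cert-2.pem, ... and DIR/key.pem
split_pem() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/   { n++; out = dir "/cert-" n ".pem" }
    /-----BEGIN .*PRIVATE KEY-----/ { out = dir "/key.pem" }
    out != ""                       { print > out }
    /-----END /                     { out = "" }
  ' "$1"
}

# count_certs BUNDLE: number of CERTIFICATE blocks (leaf + chain)
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# verify_bundle BUNDLE HOSTNAME: returns 0 only if the first cert chains to the
# last cert (the root), covers HOSTNAME, and matches the private key.
verify_bundle() {
  dir=$(mktemp -d) || return 1
  _verify_in "$1" "$2" "$dir"; rc=$?
  rm -rf "$dir"
  return $rc
}

_verify_in() {
  split_pem "$1" "$3"
  n=$(count_certs "$1")
  [ "$n" -ge 2 ] || { echo "bundle holds $n certificate(s); need the server cert plus its CA chain" >&2; return 1; }
  [ -f "$3/key.pem" ] || { echo "bundle has no private key" >&2; return 1; }
  # certs between the leaf and the root are intermediates: untrusted, but usable for chain building
  : > "$3/untrusted.pem"; i=2
  while [ "$i" -lt "$n" ]; do cat "$3/cert-$i.pem" >> "$3/untrusted.pem"; i=$((i+1)); done
  if [ -s "$3/untrusted.pem" ]; then
    openssl verify -CAfile "$3/cert-$n.pem" -untrusted "$3/untrusted.pem" \
      -verify_hostname "$2" "$3/cert-1.pem" >/dev/null || return 1
  else
    openssl verify -CAfile "$3/cert-$n.pem" -verify_hostname "$2" "$3/cert-1.pem" >/dev/null || return 1
  fi
  leaf_pub=$(openssl x509 -in "$3/cert-1.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$3/key.pem" -pubout 2>/dev/null)
  [ -n "$leaf_pub" ] && [ "$leaf_pub" = "$key_pub" ] || { echo "private key does not match the server certificate" >&2; return 1; }
}

# make_demo_pki DIR: constructed root -> intermediate -> wildcard chain, so the
# checks can be tried offline. Replace with the real Digicert files in practice.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:*.example.test,DNS:example.test,DNS:clearpass.example.test\n' > "$d/wild.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Issuing CA' -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/inter.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.test' -keyout "$d/wild.key" -out "$d/wild.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/wild.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -extfile "$d/wild.ext" -out "$d/wild.crt" 2>/dev/null
}

# Typical run: make_bundle bundle.pem wild.crt wild.key inter.crt root.crt
#              verify_bundle bundle.pem captiveportal-login.example.test
```

After the bundle is imported and assigned to the captive portal, the same chain check can be repeated from a guest client with `openssl s_client -connect captiveportal-login.domain.com:443 -servername captiveportal-login.domain.com`, which should end with "Verify return code: 0 (ok)" once the controller is serving the full chain.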
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.