I think I figured it out. You have to import the CA bundle into the controller. I was uploading a Root, Intermediate, then the certificate with private key. But the way to do it is import the certificate bundle with the private key and now it's working. Just a note for anyone who sees this in the future.
Original Message:
Sent: Jun 07, 2023 06:50 PM
From: ariyap
Subject: Captive portal certificate error with wildercard cert
you should not add captiveportal-login.domain.com as a SAN.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jun 07, 2023 12:57 PM
From: OESTech
Subject: Captive portal certificate error with wildercard cert
Thanks for your help ariyap. I was able to reissue the certificate with the SANs. I've installed it on the controller and assigned it to the captive portal. But I'm still getting the error with the new certificate. Any other ideas?
Original Message:
Sent: Jun 06, 2023 07:09 PM
From: ariyap
Subject: Captive portal certificate error with wildercard cert
yes you need SAN field for wildcard certs and you could use it for your clearpass node as well.
no you should not add captiveportal-login.domain.com as a SAN.
"captiveportal-login" just tells the controller / IAP to use their wildcard cert for captive portal redirection.
Original Message:
Sent: Jun 06, 2023 07:02 PM
From: OESTech
Subject: Captive portal certificate error with wildercard cert
oh. I didn't add a SAN when I bought it. Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com? I would like to use this for my Clearpass server too. Maybe I should have both names added?
Original Message:
Sent: Jun 06, 2023 06:58 PM
From: ariyap
Subject: Captive portal certificate error with wildercard cert
ok this setting is correct, so now the controller should have a wildcard cert with that domain.
what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?
Original Message:
Sent: Jun 06, 2023 06:54 PM
From: OESTech
Subject: Captive portal certificate error with wildercard cert
I believe this is the setting: my understanding is that this is what to use if you're using a wildcard certificate.
Original Message:
Sent: Jun 06, 2023 06:46 PM
From: ariyap
Subject: Captive portal certificate error with wildercard cert
in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?
Original Message:
Sent: Jun 06, 2023 06:39 PM
From: OESTech
Subject: Captive portal certificate error with wildercard cert
Thanks for the reply. No. I get the Clearpass captive portal page. I enter my Guest credentials, click connect, then I get the warning.
Original Message:
Sent: Jun 06, 2023 06:33 PM
From: ariyap
Subject: Captive portal certificate error with wildercard cert
generally when the client first connects to the Guest network, the initial splash page comes from ClearPass guest. is that when the client is getting the warning?
Original Message:
Sent: Jun 06, 2023 12:08 PM
From: OESTech
Subject: Captive portal certificate error with wildercard cert
BTW, My Clearpass server has its own certificate clearpass.domain.com. It's not using the wildcard
Original Message:
Sent: Jun 06, 2023 12:05 PM
From: OESTech
Subject: Captive portal certificate error with wildercard cert
Hi All,
I've set up a guest Wi-Fi with my Aruba controllers and Clearpass standalone. I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert."
Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com
I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.
I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.
For Clearpass, I installed the wildcard intermediate and root in the Trusted list.
When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com." If I click show certificate, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."
Does this need Internet access to validate the certificate? My Guest-logon role only allows internal access to Clearpass. Am I using the incorrect web site for the captiveportal login?
Thanks for your help
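
A client that trusts only the root can validate the wildcard certificate only when the server also presents the intermediate, which is what the single bundle reported as the fix at the top of this thread supplies. The script below is an added example, not part of the original posts: it builds a constructed root, intermediate and `*.domain.com` leaf with OpenSSL and checks what such a client accepts; the file names, subject names and bundle order are assumptions.

```shell
#!/usr/bin/env bash
# Added example with a constructed PKI: root -> intermediate -> *.domain.com leaf.
set -eu
W=$(mktemp -d)

make_pki() (
  cd "$W"
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'subjectAltName=DNS:*.domain.com' > pki.cnf
  openssl req -x509 -config pki.cnf -extensions ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 30
  for n in int leaf; do
    openssl req -config pki.cnf -newkey rsa:2048 -nodes \
      -keyout "$n.key" -out "$n.csr" -subj "/CN=constructed-$n"
  done
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions ca -days 30 -out int.pem
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions leaf -days 30 -out leaf.pem
  # One upload file: leaf, its issuing CA, then the leaf's private key (assumed order).
  cat leaf.pem int.pem leaf.key > bundle.pem
) >/dev/null 2>&1

# Models a client that trusts only the root and cannot fetch missing certificates.
# $1 = hostname the client was sent to
# $2 = file of extra certificates the server presents with the leaf (optional)
client_accepts() {
  openssl verify -CAfile "$W/root.pem" ${2:+-untrusted "$2"} \
    -verify_hostname "$1" "$W/leaf.pem" >/dev/null 2>&1
}

# The private key in the bundle must belong to the leaf certificate.
key_matches_cert() {
  [ "$(openssl x509 -in "$W/leaf.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$W/leaf.key" -pubout)" ]
}

make_pki
report() { if "$@"; then echo "yes: $*"; else echo "no:  $*"; fi; }
report client_accepts captiveportal-login.domain.com               # leaf only
report client_accepts captiveportal-login.domain.com "$W/int.pem"  # leaf + intermediate
report client_accepts login.other.example "$W/int.pem"             # name outside wildcard
report key_matches_cert
```
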