Wireless Access

  • 1.  Captive-portal & certificate requirement

    Posted Apr 29, 2018 03:38 AM

    Hi All,

    In a master-local setup, if we configure the master IP to display the captive portal page under L3 Authentication - captive-portal profile so that all the local controllers show the same captive portal page.

    I would like to clarify the below:

    1) I hope the above requirement will work without any issues?

    2) Can we have an FQDN only for the master controller IP?

    3) Will this help to have only one certificate on the master for the captive portal, with no need for any certificates on the local controllers?

    Please clarify.



  • 2.  RE: Captive-portal & certificate requirement

    Posted Apr 29, 2018 04:17 AM


  • 3.  RE: Captive-portal & certificate requirement
    Best Answer

    Posted Apr 29, 2018 06:16 AM


    The most efficient way is to have the same certificate for every controller.  That way the same Captive Portal profile URL will apply to all controllers in your cluster.  The Captive Portal Profile URL only serves to intercept the initial request when a client opens the browser and the submit when they enter their credentials; it has no connection to the network hostname of each controller.  When you upload a certificate for the captive portal on a controller, the controller will intercept any DNS requests for the FQDN of the uploaded certificate and respond with the IP address of the controller to the client (it is securelogin.arubanetworks.com by default).  By default that IP address will be the controller's management IP address.  You can use the "ip cp-redirect-address" command on each controller if you need that address to be something like the controller's IP address on the guest subnet.


    Having the same certificate for each controller will only work if you create the CSR (Certificate Signing Request) outside of the controller, because creating a CSR on any controller only allows you to upload that specific certificate to that controller.  It is better to do the CSR offline and then upload the resulting certificate/CA combination to all controllers.


    To specifically answer your questions:

    1.  The requirement will work.

    2.  There is no requirement for the FQDN to resolve to anything really, because the FQDN is only needed to intercept the client DNS requests for opening the captive portal page and then submitting credentials.  You could potentially have an FQDN like wireless.domain.com that resolves to nothing in real life, but the controller will intercept DNS requests for https://wireless.domain.com/guest/welcome.html and respond with its own IP address.  That is what makes it work across multiple controllers.

    3.  You will still need the same certificate on your masters and locals.


    I hope that helps.
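    Added example, not from the answer above: the offline CSR step it recommends, done with OpenSSL on a workstation so that the one signed certificate can be uploaded to every controller, plus two checks that the CSR carries the captive-portal FQDN in both CN and SAN (clients and the controller's DNS intercept key off that name). The FQDN wireless.domain.com, the organisation name and the output directory are placeholders.

```shell
#!/bin/sh
# Generate a private key and CSR for the captive-portal FQDN off-box.
# Signing this CSR once yields a certificate that can be uploaded to
# every master and local controller, unlike a CSR generated on one box.
set -eu

# make_cp_csr FQDN OUTDIR -> prints the path of the CSR
make_cp_csr() {
  fqdn="$1"; outdir="$2"
  mkdir -p "$outdir"
  # Config file keeps the SAN out of the command line (works on older
  # OpenSSL that lacks -addext). Organisation name is a placeholder.
  cat > "$outdir/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no
[ dn ]
CN = $fqdn
O = Example Org
[ ext ]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$outdir/cp.key" -out "$outdir/cp.csr" \
    -config "$outdir/csr.cnf" >/dev/null 2>&1
  printf '%s\n' "$outdir/cp.csr"
}

# csr_cn CSR -> the CN in the request (handles "CN = x" and "/CN=x" forms)
csr_cn() {
  openssl req -in "$1" -noout -subject \
    | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_san_dns CSR -> first DNS name in the subjectAltName extension
csr_san_dns() {
  openssl req -in "$1" -noout -text \
    | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p' | head -n1
}
```

    Before uploading the signed certificate, compare csr_cn and csr_san_dns against the FQDN in the captive-portal profile URL; a mismatch is what produces browser certificate warnings on the login page.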



  • 4.  RE: Captive-portal & certificate requirement

    Posted Apr 29, 2018 12:58 PM

    Colin,


    This post is the clearest and most design-oriented post I have seen on the requirements and considerations for this whole process.  I think this should be the first thing that comes up when doing a search for anything in this topic, and maybe even placed at the beginning of the Guest section in the ArubaOS User Guide.


    Would you spend a moment doing a similar recap for considerations in AOS 8.x with MM?  If there are any differences, such as when using ClearPass with clusters and which IPs are used there, that would be helpful to folks looking for guidance in an 8.x environment.


    Thanks!



  • 5.  RE: Captive-portal & certificate requirement

    Posted Apr 29, 2018 01:44 PM

    ryh,


    Thanks for reminding me.


    My advice above is specifically for controllers running 6.x with HTTPS certificates that would need to be installed on a controller in a basic multi-controller deployment without ClearPass.


    Kevin_PM above posted a link here: https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Weblogin-NAS-Address-configuration-options-in-multi-controller/ta-p/275426 that details how to configure the ClearPass web server (not the 802.1X server) to accommodate multiple controllers with the same certificate, wildcard certificates (recommended) or different certificates.


    With regards to 8.x the same principles apply, but where you upload certificates and how you deliver them to the MDs (controllers) is what differs.


    Others can post their experiences below in response, because nothing is absolute and everyone has a different and possibly more efficient way of configuring or looking at things.