thanjavurubhavesh@gmail.com wrote:
Hi All,
In a master-local setup, if we configure the master IP to display the captive portal page under the L3 Authentication captive-portal profile, so that all the local controllers use the same captive portal page, we would like to clarify the below:
1) I hope the above requirement will work without any issues?
2) Can we have an FQDN only for the master controller IP?
3) Will this help us to have only one certificate on the master for the captive portal, with no need for any certificates on the local controllers?
Please clarify
The most efficient way is to have the same certificate on every controller. That way the same Captive Portal profile URL will apply to all controllers in your cluster. The Captive Portal profile URL only serves to intercept the initial request when a client opens the browser and the submit when they enter their credentials; it has no connection to the network hostname of each controller.

When you upload a certificate for the captive portal on a controller, the controller will intercept any DNS requests for the FQDN of the uploaded certificate and respond to the client with the IP address of the controller (it is securelogin.arubanetworks.com by default). By default that IP address will be the controller's management IP address. You can use the "ip cp-redirect-address" command on each controller if you need that address to be something else, such as the controller's IP address on the guest subnet.
Having the same certificate for each controller will only work if you create the CSR (Certificate Signing Request) outside of the controller, because creating a CSR on any controller only allows you to upload that specific certificate to that controller. It is better to do the CSR offline and then upload the resulting certificate/CA combination to all controllers.
To specifically answer your questions:
1. The requirement will work.
2. There is no requirement for the FQDN to resolve to anything, really, because the FQDN is only needed to intercept the client DNS requests for opening the captive portal page and then submitting credentials. You could potentially have an FQDN like wireless.domain.com that resolves to nothing in real life, but the controller will intercept DNS requests for https://wireless.domain.com/guest/welcome.html and respond with its own IP address. That is what makes it work across multiple controllers.
3. You will still need the same certificate on your masters and locals.
I hope that helps.
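The answer above recommends generating the CSR offline so one signed certificate can be installed on the master and every local. The following is an added example (not code from the original poster or from Aruba) showing that offline step with openssl: it creates a key and a CSR whose CN and SAN carry the captive portal FQDN, then checks that the SAN actually matches the hostname in the profile's login page URL before you send the CSR to your CA. The FQDN wireless.example.com, the URL, and the scratch directory are assumptions for illustration; substitute your own.

```shell
#!/bin/sh
# Added example (not from the original thread): build the captive portal
# CSR offline with openssl so the resulting certificate can be uploaded to
# all controllers, and verify its SAN matches the profile URL hostname.
# Assumptions: openssl is installed; the CP FQDN is wireless.example.com.
set -e
CP_FQDN="${CP_FQDN:-wireless.example.com}"
CP_URL="${CP_URL:-https://wireless.example.com/guest/welcome.html}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate an RSA key plus a CSR with CN and subjectAltName set to the FQDN.
# The private key stays with you; only cp.csr goes to the CA. The signed
# certificate plus this key (and the CA chain) is what you upload to each
# controller.
make_cp_csr() {
  fqdn="$1"; dir="$2"
  cat > "$dir/cp.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/cp.key" -out "$dir/cp.csr" -config "$dir/cp.cnf" 2>/dev/null
}

# Print the DNS names in the CSR's subjectAltName (one line, comma separated).
csr_san() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# Extract the hostname from a captive portal login page URL.
url_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-z]+://([^/:]+).*$#\1#'
}

# Succeed only if the CSR's SAN is exactly the hostname the profile URL uses;
# a mismatch here means browsers will warn on the redirect on every controller.
check_csr_matches_url() {
  [ "$(csr_san "$1")" = "$(url_host "$2")" ]
}

# Usage: generate the CSR, then confirm it matches the configured URL.
make_cp_csr "$CP_FQDN" "$WORKDIR"
if check_csr_matches_url "$WORKDIR/cp.csr" "$CP_URL"; then
  echo "OK: $WORKDIR/cp.csr SAN matches $(url_host "$CP_URL"); submit it to your CA"
else
  echo "MISMATCH: CSR SAN $(csr_san "$WORKDIR/cp.csr") vs URL host $(url_host "$CP_URL")" >&2
  exit 1
fi
```

After the CA returns the certificate, upload the same certificate, key and CA chain to the master and each local, and set the captive portal profile's login page URL to the same FQDN everywhere; the per-controller "ip cp-redirect-address" only changes which IP the controller hands back for that name, not the certificate.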