Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Certificate error when Clearpass Guest is posting the credentials to Controller

  • 1.  Certificate error when Clearpass Guest is posting the credentials to Controller

    Posted Sep 09, 2015 10:13 AM

    Hello,


    We have a setup where Clearpass Guest is used for Self registration with multiple controllers.

    We purchased a certificate for clearpass to remove the certificate error and it worked.

    However, when the user logs in with his account, a certificate error appears when Clearpass posts the credentials to the controller URL/IP.


    How can this error be removed? Can we make it an HTTP connection when Clearpass posts to the controller? Or do we need to add a certificate to the controllers?

    Please note that we have a mixed environment with Aruba as well as Cisco controllers.


    Thanks in advance



  • 2.  RE: Certificate error when Clearpass Guest is posting the credentials to Controller

    Posted Sep 09, 2015 10:17 PM

    So the users are getting a cert error on the Captive Portal page?

    I have a certificate from Geotrust on my controllers for securelogins.my domain.com.  I also have a cert on CPPM, but I had to load it in two places.  Note on the page where you loaded the cert that there is a drop-down for Radius Server and HTTPS server.  Load the same CPPM cert on each of these.


    Also on the CPPM Guest self registration setup make sure your redirect URL for securelogins matches your certificate on the controller.  If you are using the default certificates from Aruba it should already be matching I think.



  • 3.  RE: Certificate error when Clearpass Guest is posting the credentials to Controller

    Posted Sep 13, 2015 11:26 AM

    In essence, ClearPass doesn't POST to the controller; you do that yourself from the browser. And if where you post to is an HTTPS resource, then the certificate has to match the host you POST to. In ClearPass you can control if you want to POST to HTTP or HTTPS, I believe, but you might also have to allow that on your Cisco WLC side.



  • 4.  RE: Certificate error when Clearpass Guest is posting the credentials to Controller

    Posted Sep 15, 2015 09:45 AM

    Hello, I have had the same issue, and it is one that arises when you replace the default captive portal certificate on the Aruba controller (securelogin.arubanetworks.com).

    First step is to change the URL in the IP address field on the NAS vendor setting page of the self registration configuration.

    Don't use the controller IP address here; you have to use the same URL as the certificate CN has.

    If the certificate is issued to captiveportal.contoso.com, you write captiveportal.contoso.com as IP address in this field (default value is securelogin.arubanetworks.com).

    Don't worry about a dns entry for this URL, DNS doctoring magic will sort it out.


    Once this is done, some computers and browsers should work fine.

    Others might be a bit more tricky, for instance the MAC/Safari combo. They want to visit various URLs from the certificate chain of your new captive portal certificate, more specifically the CRL and OCSP URLs. You have to give access to these destinations for the guest users prior to authentication through the captive portal.

    There are a few options to do this, the way I have done it, is I created a destination list on the Aruba controller, and added this to the whitelist section of the captive portal profile on the controller.

    You can use URLs as destinations, as long as you have a DNS server configured on the controller (syntax "ip name-server 8.8.8.8", requires a restart of the controller), and then it will be up to date if they decide to change the IP of some of these URLs.


    Don't have access to screenshots at the moment, but hopefully this info is useful
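The core point of the replies above is that the value placed in the NAS vendor "IP address" field is what the guest's browser connects to, so it must match a name on the controller's captive portal certificate. The following is an added example (not code from this thread or from HPE Aruba) that performs that check offline: it flags a bare IP literal, then matches the configured host against the certificate's CN/SAN names using the usual single-label wildcard rule. The certificate names are constructed placeholders.

```python
import ipaddress

# Constructed sample: the CN and subjectAltName entries of a hypothetical
# captive portal certificate (placeholders, not a real certificate).
SAMPLE_CERT_NAMES = ["captiveportal.contoso.com", "*.guest.contoso.com"]


def is_ip_literal(value: str) -> bool:
    """True if the field holds a bare IPv4/IPv6 address instead of a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def name_matches(configured: str, cert_name: str) -> bool:
    """Browser-style name match: exact (case-insensitive) or a single leading
    wildcard label that covers exactly one label of the configured host."""
    configured = configured.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if cert_name == configured:
        return True
    if not cert_name.startswith("*."):
        return False
    base = cert_name[2:]
    host_labels = configured.split(".")
    # The wildcard may stand in for one non-empty label only, and the
    # remaining labels must equal the certificate's base domain.
    return (
        len(host_labels) >= 2
        and host_labels[0] != ""
        and "." in base
        and ".".join(host_labels[1:]) == base
    )


def check_redirect_host(configured: str, cert_names) -> dict:
    """Predict whether the browser's POST to the controller will get a
    certificate name mismatch for the value configured in ClearPass Guest."""
    if is_ip_literal(configured):
        return {"ok": False, "reason": "IP literal; use the certificate's hostname instead"}
    for name in cert_names:
        if name_matches(configured, name):
            return {"ok": True, "reason": f"matches certificate name {name}"}
    return {"ok": False, "reason": "no CN/SAN on the certificate matches this host"}


if __name__ == "__main__":
    for host in ["captiveportal.contoso.com", "10.1.1.1", "securelogin.arubanetworks.com"]:
        print(host, check_redirect_host(host, SAMPLE_CERT_NAMES))
```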