Original Message:
Sent: Jul 04, 2025 02:46 PM
From: willembargeman
Subject: Clearpass Guest Access-Address field confusion
The FQDN is retrieved from the CN field in the certificate that is installed on the controller / Instant AP. APs managed via Aruba Central will automatically get the certificate securelogin.hpe.com.
To check the correct FQDN (after installing the certificate) you can use the following commands:
- Instant / AOS10: show captive-portal-domains
- Controller: show datapath fqdn
In ClearPass the config will look like this

The FQDN in the address field must match the FQDN of the AP / controller.
Because the AP / controller is in the datapath, the DNS interception works. It simply monitors the DNS requests, and if the DNS request is for (in this case) securelogin.hpe.com it will respond to the request and not forward it to the DNS server of the client.
It's not possible to enable/disable or configure this feature. Changing the certificate will update the configuration.
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
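
The interception decision described in the message above, modelled as an added example (not Aruba's code and not part of the original thread): a device in the datapath sees the client's unicast DNS query, answers it locally when the name is the captive portal FQDN, and otherwise lets it pass to the client's DNS server. The NAD address 192.0.2.10 and all function names are assumptions, and the query bytes are constructed sample input.

```python
import ipaddress
import struct

PORTAL_FQDN = "securelogin.hpe.com"  # FQDN from the thread (certificate CN)
NAD_IP = "192.0.2.10"                # assumed AP/controller address (documentation range)

def parse_qname(msg, off=12):
    """Read the uncompressed QNAME of the first question; return (name, next offset)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels).lower(), off + 1

def handle_query(msg, portal_fqdn=PORTAL_FQDN, nad_ip=NAD_IP):
    """Return a local A answer for the portal FQDN, or None to forward the query untouched."""
    try:
        txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
        if flags & 0x8000 or qdcount != 1:   # a response, or not a single question
            return None
        name, off = parse_qname(msg)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                          # malformed: leave it to the real resolver
    if name != portal_fqdn.lower() or (qtype, qclass) != (1, 1):  # only A / IN
        return None
    question = msg[12:off + 4]
    # QR=1, RA=1, keep the client's RD bit; one question, one answer
    header = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), 1, 1, 0, 0)
    # Answer: pointer to the name at offset 12, type A, class IN, TTL 60, 4-byte address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + ipaddress.IPv4Address(nad_ip).packed
    return header + question + answer

def build_query(name, txid=0x1234):
    """Constructed sample input: a standard recursive A query for `name`."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

if __name__ == "__main__":
    for host in (PORTAL_FQDN, "example.org"):
        reply = handle_query(build_query(host))
        print(host, "->", "answered locally" if reply else "forwarded to client's DNS server")
```

Because the decision is made on the query name alone, no record for the portal FQDN has to exist in any DNS zone, which matches the behaviour described in the thread.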
Original Message:
Sent: Jul 04, 2025 01:10 PM
From: mshamseddine@connectit.ae
Subject: Clearpass Guest Access-Address field confusion
Dear Willem
Thanks for your answer, this makes much more sense now. However, it is still not working in my case and is stuck on the NAD FQDN redirect page. Is there an option on the controller or Instant AP to enable this behavior? Could you also clarify how the NAD device will intercept the DNS traffic, as it is being sent as unicast to the DNS server received through DHCP ...
Original Message:
Sent: Jul 04, 2025 12:38 PM
From: willembargeman
Subject: Clearpass Guest Access-Address field confusion
When Aruba devices are used as NAD, the AP or controller will intercept the DNS request and respond with the AP/controller IP. It's not needed to create a DNS record in any DNS zone.
If non-Aruba devices are used the behavior can be different.
------------------------------
Willem Bargeman
Systems Engineer Aruba
ACEX #125
Original Message:
Sent: Jul 04, 2025 11:40 AM
From: mshamseddine@connectit.ae
Subject: Clearpass Guest Access-Address field confusion
As per my understanding, in a controller-initiated method, after the client submits the guest form via his browser, ClearPass Guest instructs the web browser of the guest device to post the credentials to the NAD device address (Aruba controller, for example), and this address should match the CN of the server cert installed on the NAD device. My confusion here is how the user device will resolve this address. How will the device's browser figure out the IP of the NAD device?
I did several tests in my lab. After submitting the form, the browser is redirected successfully to that address, but the page is failing because the CN is not resolvable. The only way to make it work is to enter a static entry in the etc/host on the device I'm testing from. I believe I'm missing something here but I cannot figure out what it is. I saw one deployment where there are multiple branches with multiple controllers and Instant VCs, all using the same public cert and the same self-registration page on CPPM, so how is this possible?