Your answer was the solution. It is working with a public FQDN and a private address.
Many thanks.
Original Message:
Sent: Jul 16, 2024 05:29 AM
From: Razovnyik
Subject: Clearpass Guest Access certificate error
Thank you for your explanation and your comments, I will get back to you after the implementation.
BR
Original Message:
Sent: Jul 16, 2024 05:19 AM
From: Herman Robers
Subject: Clearpass Guest Access certificate error
One thing on having a private IP in public records: I've seen some firewalls/DNS servers that, in order to protect against DNS rebinding, filter out private IP responses from public DNS servers. If your guests use an internal DNS server that has such a protection, you may need to disable that for the domain that you use for the guest captive portal.
But it's simple for you to test with a domain name that I use:
% dig cppm.arubalab.com @8.8.8.8

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29358
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;cppm.arubalab.com. IN A

;; ANSWER SECTION:
cppm.arubalab.com. 10834 IN CNAME cppm.nl.arubalab.com.
cppm.nl.arubalab.com. 34 IN A 192.168.32.51

;; Query time: 8 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
If this really were a problem, the large public DNS providers would filter out these responses, as that would be a very easy way. Also, I expect that it sounds weird, but I would not see the issue, as you as domain owner put in a pointer to an IP address that has limited accessibility; similar to if you put in a public IP and firewalled traffic to it. Jonas (and others) confirmed that this approach works, and if it feels better for your friend, get a public IP and use that with/without NAT; nothing prevents you from doing that, I just don't think it's needed.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Jul 16, 2024 03:10 AM
From: Razovnyik
Subject: Clearpass Guest Access certificate error
But a friend of mine told me that registering internal addresses in public DNS records is kind of a bad move; the service provider can even withdraw the NS from us.
Is this really the best practice?
Allowing access to the local DC is simply not possible, because the goal of the guest WiFi is to have a separate and independent internet access from the internal zones.
So currently I don't know where to go.
Thanks for your comments!
Original Message:
Sent: Jul 15, 2024 09:25 AM
From: Herman Robers
Subject: Clearpass Guest Access certificate error
If you have a wildcard, you can use the same for ClearPass and the AP; if I'm correct that's also what I have done in the video.
For ClearPass, you indeed need to have a DNS entry, which can be in a (local) DNS server which is accessible from the guest network (or networks where you use the captive portal from); but putting it in public DNS, indeed with an RFC1918 private IP, is more reliable, as some devices (I've seen iPhones doing that) seem to use a public DNS server or do the DNS resolution even via the cellular network.
The AP will 'spoof' its IP when it sees a DNS request for the first SAN of your installed certificate (or captiveportal-login.* for a wildcard cert) through the AP/controller.
Original Message:
Sent: Jul 15, 2024 08:46 AM
From: Razovnyik
Subject: Clearpass Guest Access certificate error
So I have to request a public certificate which has the FQDN of the ClearPass server in the SAN field; okay, it's not a problem because I have a wildcard cert.
And I should create a public DNS record which points to an internal (RFC1918) IP address? Or how will the client know the address of the ClearPass server?
The same is the case with the AP.
Thanks Herman!!
Original Message:
Sent: Jul 15, 2024 08:14 AM
From: Herman Robers
Subject: RE: Clearpass Guest Access certificate error
Check this video series, most relevantly "Installing the HTTPS certificate on ClearPass" and the Guest section.
Certificate matching these days works based on the SAN, no longer on the CN, but normally when you request a web server certificate on an FQDN the first SAN is set to the CN.
Because the SAN is set to a FQDN, it's no problem if the ClearPass server is on an internal (private) IP address, as long as you can map a public DNS name (FQDN) to that private IP.
You will need a certificate for your ClearPass and one for the AP or controller; which is explained in those videos.
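As an added example (not code from the thread or from Aruba), a small Python check for the two points raised above: whether the portal FQDN a client requests is covered by a SAN in the certificate (a wildcard covers exactly one left-most label, so a SAN must match the name the browser asks for, not the CNAME target), and whether that name resolves, via any CNAME, to an RFC1918 address that a rebinding-protecting resolver might drop. The domain names and SAN list are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the thread): a dig-style ANSWER SECTION in
# which the portal FQDN is a CNAME to a host with an RFC1918 address, plus the
# SAN list of a hypothetical wildcard certificate.
SAMPLE_ANSWER = """\
cppm.example.com. 10834 IN CNAME cppm.nl.example.com.
cppm.nl.example.com. 34 IN A 192.168.32.51
"""
SAMPLE_SANS = ["*.example.com", "example.com"]


def parse_answer(section: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse 'name ttl IN TYPE rdata' lines into {name: [(type, rdata), ...]}."""
    records: Dict[str, List[Tuple[str, str]]] = {}
    for line in section.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip comments, blank lines and anything not a record
        name = parts[0].rstrip(".").lower()
        records.setdefault(name, []).append((parts[3], parts[4].rstrip(".").lower()))
    return records


def resolve_a(records, name: str, max_hops: int = 8) -> Optional[str]:
    """Follow the CNAME chain inside the answer until an A record is found."""
    name = name.rstrip(".").lower()
    for _ in range(max_hops):  # bounded so a CNAME loop cannot spin forever
        for rtype, rdata in records.get(name, []):
            if rtype == "A":
                return rdata
        cnames = [r for t, r in records.get(name, []) if t == "CNAME"]
        if not cnames:
            return None
        name = cnames[0]
    return None


def san_matches(fqdn: str, sans) -> bool:
    """dNSName match as browsers do it: '*.x' covers one label, nothing deeper."""
    fqdn = fqdn.rstrip(".").lower()
    for san in (s.lower() for s in sans):
        if san.startswith("*."):
            if "." in fqdn and fqdn.split(".", 1)[1] == san[2:]:
                return True
        elif san == fqdn:
            return True
    return False


def check_portal(fqdn: str, records, sans) -> Dict[str, object]:
    """Report SAN coverage and whether the resolved address is private (RFC1918 etc.)."""
    ip = resolve_a(records, fqdn)
    return {"ip": ip, "san_ok": san_matches(fqdn, sans),
            "private_ip": bool(ip) and ipaddress.ip_address(ip).is_private}
```

A `private_ip` of True with `san_ok` True is the working setup described in the thread; it also flags that an internal resolver with rebinding protection may need an exception for that domain.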
Original Message:
Sent: Jul 15, 2024 03:55 AM
From: Razovnyik
Subject: Clearpass Guest Access certificate error
Hello Everyone!
We have deployed ClearPass Guest access with sponsor approval; everything works smoothly apart from one major issue: the portal is not trusted by the guests.
How can we make the portal trusted for the Guests?
Where should we upload a public cert, to the AP which serves the SSID?
And what should that cert contain in the CN? I mean the portal is on the ClearPass server, which has an internal address.
What is the best practice?
Thanks in advance,
Mate