Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

External Captive Portal with public controller certificate

  • 1.  External Captive Portal with public controller certificate

    Posted Aug 10, 2017 05:18 PM

    Hi:

    If I load a valid public certificate on a controller, will it intercept DNS requests for that address and return its own IP?

    (or does it only do that for securelogin.arubanetworks.com?)

     

    I'm trying to set up a ClearPass captive portal.

    The user redirects properly to a ClearPass login page.

    In the ClearPass Guest login page setup I set the posting address to the name of the certificate on the controller.

    On the controller, that public certificate is set as the Captive Portal Certificate.

     

    But when logging in, the user gets a DNS failure message.

     

    I'm guessing I could put an entry in my local DNS server for the controllers' name, but I'd rather avoid that if I can.

     

    Should the controller intercept this, or is there something else I need to do?

     

    Thanks.

     



  • 2.  RE: External Captive Portal with public controller certificate
    Best Answer

    EMPLOYEE
    Posted Aug 10, 2017 05:21 PM

    The controller will answer for the FQDN defined as the common name of the captive portal certificate. Do not create an entry in DNS.



  • 3.  RE: External Captive Portal with public controller certificate
    Best Answer

    EMPLOYEE
    Posted Aug 10, 2017 05:29 PM

    The controller will always intercept DNS requests for the FQDN on the controller's web server certificate. If you haven't, please take a look at the document here: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

     

    The question is, have you uploaded the certificate on the controller and selected that for use in the Captive Portal?

     

    Configuration> Management> General> Captive Portal Certificate.

     

    You would use the "show datapath fqdn" command to confirm what the FQDN of the controller is: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-know-the-common-name-of-the-certificate-that-is-mapped-in/ta-p/290920



  • 4.  RE: External Captive Portal with public controller certificate

    Posted Aug 10, 2017 06:00 PM

    Thank you, both Tim and Colin.

    "show datapath fqdn" is a great command to know about!

     

    Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com.

     

    I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

    Now the CLI command shows the name of the new name, and the user authenticates correctly.

     

    Thanks.



  • 5.  RE: External Captive Portal with public controller certificate

    Posted Jul 09, 2019 06:03 PM

    Hi Zeke,

    I had the exact same problem:

    "Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com."

    "I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

    Now the CLI command shows the name of the new name, and the user authenticates correctly."

     

    Even after I have reapplied at the GUI, a week later it dropped off again, which meant I had to repeat the process.

    This is extremely frustrating.

    Paul

     



  • 6.  RE: External Captive Portal with public controller certificate

    Posted Oct 22, 2019 04:10 AM

    Hi Paul,

     

    Did you get this resolved? What version are you using?

     

    Looks like I encountered the same issue on the project I'm on now. AOS 8.5.0.3

     

    Thanks for letting me know,

     

    edit: I have to use a wildcard certificate on the controller but captiveportal-login.domain is no longer resolved to the controller either.

     

    Erik



  • 7.  RE: External Captive Portal with public controller certificate

    Posted Oct 22, 2019 09:51 AM

    Just found out. It's no longer captiveportal-login.domain but just domain in 8.5.0.3; maybe in earlier versions too.

     

    rgds

    Erik



  • 8.  RE: External Captive Portal with public controller certificate

    Posted Jul 03, 2020 09:30 AM

    Need to correct above. The provided "wildcard" certificate actually wasn't a wildcard certificate but a certificate with domain as CN and 2 different *.domain in the SAN field. 

     

    So instead of using captive-portal.domain, I had to use domain in the NAS fields.
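
Added example (not part of any post in this thread, and not Aruba or ClearPass tooling): a shell check, using the standard openssl CLI, of whether a hostname intended for the ClearPass login page's post address is the certificate's CN, the name post 2 says the controller answers for, or is only covered by a SAN entry as in post 8. The certificate and the example.test hostnames are constructed placeholders, and the function names are hypothetical.

```shell
# Added example: compare a post-address hostname with the captive portal
# certificate. Hostnames and the certificate below are constructed samples.

# Print the subject commonName of a PEM certificate, lowercased.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p' | tr 'A-Z' 'a-z'
}

# Print each DNS subjectAltName entry on its own line, lowercased.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr 'A-Z' 'a-z'
}

# portal_host_check CERT HOST prints one of:
#   cn        HOST equals the CN (the name the thread says the controller answers for)
#   san-only  HOST is covered by a SAN entry but is not the CN (the case in post 8)
#   none      HOST does not appear in the certificate
portal_host_check() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ "$host" = "$(cert_cn "$1")" ]; then echo cn; return 0; fi
    hit=$(cert_sans "$1" | while read -r san; do
        case "$san" in
            '*.'*) if [ "${host#*.}" = "${san#??}" ]; then echo san-only; break; fi ;;
            *)     if [ "$host" = "$san" ]; then echo san-only; break; fi ;;
        esac
    done)
    echo "${hit:-none}"
}

# Constructed sample shaped like the certificate in post 8: bare domain as CN,
# wildcard names only in the SAN field. Self-signed, valid for one day.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:*.example.test,DNS:*.guest.example.test" 2>/dev/null
}

cert=$(mktemp -d)/portal.pem
make_sample_cert "$cert"
for h in example.test captiveportal-login.example.test other.test; do
    printf '%s -> %s\n' "$h" "$(portal_host_check "$cert" "$h")"
done
```

A `san-only` result means the browser would accept the certificate for that name, but by the thread's account the controller would not answer DNS for it; compare against `show datapath fqdn` on the controller.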