Controllerless Networks

 View Only
last person joined: 11 hours ago 

Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget
Expand all | Collapse all

How do I generate a CSR from an Virtual Controller?

This thread has been viewed 57 times
  • 1.  How do I generate a CSR from an Virtual Controller?

    Posted May 28, 2015 02:35 PM

    I have a couple IAP-105s, and I am using the Virtual controller. I want to use WPA2-Enterprise with local authentication and wish to replace the self signed cert. How do I generate a CSR to send to a CA?

     

    I can't find an option in the Web-UI.

     

    Thanks

    Justin

     



  • 2.  RE: How do I generate a CSR from an Virtual Controller?
    Best Answer

    EMPLOYEE
    Posted May 28, 2015 02:57 PM

    There is no facility to generate a CSR.  Unfortunately, you need to do this outside of instant.  

     

    After you get the certificate from the CA, you need to ensure it is in .pem format and upload it to instant.

     

    EDIT:

     

    Most CA have tools to generate a CSR and sign the certificate.

     

     

     



  • 3.  RE: How do I generate a CSR from an Virtual Controller?

    Posted May 28, 2015 03:01 PM

    Ok. Thanks. I can Generate a CSR outside , what would you use for a common name?

    instant.arubanetworks.com?

     

    Thanks

    Justin

     



  • 4.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted May 28, 2015 03:04 PM

    I guess the question is, what are you using it for, Web, 802.1x?  If you are using it for 802.1x the fqdn does not really matter; it would specificially matter if your clients are being configured to only trust that host.  If you are using it for Captive Portal, it needs to be chosen carefully.



  • 5.  RE: How do I generate a CSR from an Virtual Controller?

    Posted May 29, 2015 10:00 AM

    I just want it to not error for my clients when they connect to the Wifi network. We are not doing a captive portal.

     

    I have a test certifiate from Thawte that I can put in a single text file. Certificate, Intermediate, and root CA. I save it as a .PEM file but I get a pass phrase error. I have tried CSRs with and without pass phrases. Same error each time.

     

    Thanks

    Justin

     



  • 6.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted May 29, 2015 10:03 AM

    Honestly, the certificate should go on your radius server doing the 802.1x authentication, not your IAPs.  Uploading 802.1x certificates on IAP requires, termination, which few people do.  Upload it once to your server and you should be done.  

     

    Whether or not your clients get an error will depend on if that OS has that CA in their trusted list.



  • 7.  RE: How do I generate a CSR from an Virtual Controller?

    Posted May 29, 2015 10:05 AM

    I should have mentioned I am just using the internal user database. 

     

    Justin

     

     



  • 8.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted May 29, 2015 11:37 AM
    Then you will need to upload to the IAP, yes.


  • 9.  RE: How do I generate a CSR from an Virtual Controller?

    Posted May 29, 2015 11:55 AM

    I have a file like this:

     

    -----BEGIN CERTIFICATE-----
    <cert here>
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    <intermediate cert here>
    -----END CERTIFICATE-----

    -----BEGIN CERTIFICATE-----
    <CA root cert here>
    -----END CERTIFICATE-----

     

    I try to upload it and I get a passphrase error. I have tried CSRs with and without passphrases.

     

    Justin

     

     

     



  • 10.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted May 29, 2015 12:02 PM

    You should only need the server and intermediate cert.  Try it without the CA cert at the bottom.

     



  • 11.  RE: How do I generate a CSR from an Virtual Controller?

    Posted Oct 10, 2016 02:51 PM

    Hi,

     

    "If you are using it for Captive Portal, it needs to be chosen carefully."

     

    with regard to the revoked Instant AP certificate and an installation with clearpass: what fqdn should I use ??



  • 12.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted Oct 10, 2016 03:00 PM
    You can use any FQDN for the domain you own. I'd recommend something
    intuitive like "network-login.domain.xyz".


  • 13.  RE: How do I generate a CSR from an Virtual Controller?

    Posted Oct 10, 2016 03:05 PM
    so it does not matter which name I put in and it just has to correlate with what I enter in clearpass for it to POST the credentials? right?


  • 14.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted Oct 10, 2016 03:07 PM
    Correct!


  • 15.  RE: How do I generate a CSR from an Virtual Controller?

    Posted Dec 07, 2016 12:47 AM

    Hey Tim,

    @ all

     

    I am still little confused about the whole certificate thing with IAPs and Clearpass. I read that Aruba recommends to just use HTTP in conjunction with Clearpass Guest and IAPs. But still, if I configure my guest access for just only http, I get redirected to the clearpass website for entering my credentials (which is normal) but the clearpass website is https-only. So my guests still get a certificate warning.

    This certificate is the HTTPS certificate from clearpass which I am able to change. But a guest gets redirected to the plain IP of my clearpass data-port.

    So, should I go ahead and buy a certificate with a CN=dataport IP? If so, I will get certificate warnings when configuring the clearpass from mgmt port. That is acceptable, but not nice....

    The alternative would then be to go for a certificate with a SAN (SubjectAlternateName) of my dataport IP? Or am I missing something?

     

    Many thanks for every little hint.

     

    Stefan



  • 16.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted Dec 07, 2016 10:27 AM

    Aruba does not recommend using HTTP for authentications.

     

    Please take a look at the ClearPass Certificates 101 TechNote: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184



  • 17.  RE: How do I generate a CSR from an Virtual Controller?
    Best Answer

    Posted Dec 07, 2016 11:10 AM

    Hey Tim,

     

    thanks for the Cert101.

    As a SAN is not allowed anymore to be a Private IP Address and my DataPort is in a Private IP Range... How do you accomplish this? Just give Clearpass a public certificate with the CN="DataPort IP"? I want my guest users to have a "smooth" experience...



  • 18.  RE: How do I generate a CSR from an Virtual Controller?

    EMPLOYEE
    Posted Dec 07, 2016 12:28 PM

    What is the FQDN of the data IP? That's what should be in the certificate.



  • 19.  RE: How do I generate a CSR from an Virtual Controller?

    Posted Dec 07, 2016 12:36 PM
    unfortunately there is no fqdn for this private ip. so do I have to have a DNS server in the dataIP Subnet that can resolve the name of the data port?
    Public DNS servers cannot resolve my internal server names...
    At this moment the Data Subnet just has Clearpass IP and a Cable Modem as DHCP server and DNS forward.
    Os it possible to get no certificate warning with this configuration? Right now I doubt this...