How to resolve securelogin.arubanetworks.com to DMZ controller's IP address when the guest traffic is tunneled to DMZ controller
Environment: A typical environment where guest traffic is tunneled to the DMZ controller from a master/local controller or IAP.
We have seen issues with guest user authentication when the traffic is tunneled from a master/local controller or IAP to the DMZ. The DMZ controller is the authenticator, but when the client tries to resolve securelogin.arubanetworks.com during guest login/POST, the master/local controller or IAP responds with its own IP address, because the CN of the controller's default certificate matches the FQDN securelogin.arubanetworks.com.
Install a new/dummy server certificate on the master/local controller or IAP with a CN other than securelogin.arubanetworks.com (e.g. xyz.arubanetworks.com or customerdomain.com) and map the installed certificate to Captive Portal under Configuration >> MANAGEMENT >> General. The client's lookup query for securelogin.arubanetworks.com is then tunneled to the DMZ, and the DMZ responds to the client with its IP address, allowing proper POST and authentication.
Install a dummy certificate on the DMZ controller and replace securelogin.arubanetworks.com with the CN of the new certificate in ClearPass Guest, under self-registration or weblogin NAS Setting >> Ip/hostname.
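To confirm from a guest client that the lookup for securelogin.arubanetworks.com is now answered by the DMZ controller and not by the master/local controller or IAP, a check like the following can be run after the certificate change. This is an added example, not Aruba code; the function names are hypothetical and the IP addresses are constructed placeholders from the documentation ranges.

```python
import socket

PORTAL_FQDN = "securelogin.arubanetworks.com"  # name from the article


def resolve_ipv4(fqdn):
    """Return the sorted IPv4 addresses the client's resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, 443, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_portal_resolution(dmz_ip, local_ips, fqdn=PORTAL_FQDN,
                            resolver=resolve_ipv4):
    """Classify who answered the portal lookup.

    dmz_ip:    address of the DMZ controller (the authenticator)
    local_ips: addresses of the master/local controller or IAP in the path
    Returns (status, answers, detail).
    """
    try:
        answers = resolver(fqdn)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return "lookup-failed", [], str(exc)
    if any(ip in local_ips for ip in answers):
        return ("answered-locally", answers,
                "local controller/IAP answered; check that its Captive Portal "
                "certificate CN no longer matches " + fqdn)
    if answers == [dmz_ip]:
        return "ok", answers, "lookup reached the DMZ controller"
    return ("unexpected", answers,
            "answer is neither the DMZ controller nor a local controller/IAP")


if __name__ == "__main__":
    # Constructed addresses (RFC 5737 ranges); replace with your own.
    status, answers, detail = check_portal_resolution(
        dmz_ip="192.0.2.10", local_ips={"198.51.100.1"})
    print(status, answers, detail)
    raise SystemExit(0 if status == "ok" else 1)
```

Run it on a client associated to the guest SSID before authenticating; a non-zero exit code means the POST would not reach the DMZ controller.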