Security

Hi All,

I'm currently in the process of testing Aruba Central (MSP mode) with the "hosted" Guest Portal feature.

I'm using IAP-315s updated to the recommended firmware.

It all seems straight forward and works well, except for the Certificate Error message that comes up due to the included Aruba Certificate not being trusted.

For a good guest experience, I would like to obviously ensure that there is no certificate error message.

The Aruba Central documentation is pretty light in this area (I'm guessing because it’s a fairly new feature) so I would appreciate if someone could confirm if the following process is correct.

1. Using OpenSSL, Create an CSR and submit to your Public Root Certificate Authority

• Based off the instructions here: https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025
• Apparently we can use any domain name can be used for the captive portal cert, however being used publicly and signed by a Root CA, you need to have authority over that domain name.
• It doesn't actually have to resolve to anything, however I found these notes in the Aruba Central guide "until customers are allowed to configure CName as part of the configuration. The customer must open a TAC ticket to activate the new certificate for Cloud Guest Service."

1. Get the signed certificate back from the CA, and add the certificate to the Aruba Central Portal: Customer -> Network Management -> Configuration  -> [Group Name] -> Wireless -> Security
2. Add the Public Root CA certificate as a CA Certificate
3. And the newly signed certificate from the original CSR as a Server Certificate
4. Open an Aruba TAC ticket to activate the new certificate for Cloud Guest Service

Is this process correct? What is the typical turn-around to get the CName added to the configuration?

Regards,

Rowan Sakul

Hi!
I´m in the same situation, doing a POC with a customer and they want to try the cloud guest portal and I need to add our own certificate.

Like you said the documantation is pretty light on this subject

Brgds

An answer for this question would be pretty good.

Anyone was able to upload a certificate and get rid of the certificate message ?

A certificate is now provided in Aruba Central for use with Cloud Guest.

Team,

Just following up to see if anybody has had success in getting the CA cert loaded into Cental

We haven't tried using the new provided certificate yet.

To get our own working correctly, we had to load into a Windows machine, then export it with the full certificate chain to include all of the relevant root and intermediate certificates.

With the resultant .pfx we loaded into Aruba Central in the PKCS12 Certificate File Format.
We also had a password on the .pfx file

The new certificate is again shared by all devices sold by Aruba and uses securelogin.hpe.com as the URL, instead of old compromised securelogin.arubanetworks.com.

You can verify what the IAP is using, by using command show captive-portal-domains on IAP.

I am attaching a picture of Central configuration needed to push down the new certificate to the IAP. This shall remove the SSL error you see, even opening a HTTP site on first go.

PS: Aruba recommends you upload your own certificates instead of using Aruba provided certficates, which are shared among large number of devices.

Hello,

we dont want to use the default certificate. Do we need two certificates like we do in a setup with clearpass?

One certificate for the access point and another of the public captive portal? Can we use our own public certificate / a-record in the central enviroment?

I would like to use something like:

guest-logon.company.com - IAP

guest-portal.company.com - Aruba Central Guest

Thanks in advance

Patrick

Hi Patrick,

One certificate for the access point and another of the public captive portal? 

- I believe so, you have the following Usage Types for certificates:

--Certifcate Authority

--Autentication Server

--Captive Portal (this is for the Guest Splash pages)

--Radsec

--Radsec Certificate Authority

Can we use our own public certificate / a-record in the central enviroment?

- You can, but you need to be very careful that it is chained correctly otherwise you'll get SSL errors, we've found Android devices pretty picky. (Even with the Aruba supplied default cert, we had to request an updated, properly chained one)

- You may also need to override the Common Name on the Guest Portal by doing the following:

Please set ‘’override common name’’ under Splash page settings as mentioned below:
1. From the app selector, click Guest Access. The guest access configuration and management menu options are displayed
2. Click Splash Page. The Splash Page pane is displayed
3. Select the appropriate group from the group selector. You can create splash page profiles only for the individual groups. The splash page creation function is not available if the page view is set to All Groups
4. On the Configuration tab, select for ‘’Override Command Name’’
5. Click the Override Common Name toggle switch for ‘securelogin.hpe.com’. The common name is the web page URL of the guest access portal
6. Save the changes