Cloud Managed Networks

Reply
New Contributor

Aruba Central + Guest Portal, Certificate Management

Hi All,

I'm currently in the process of testing Aruba Central (MSP mode) with the "hosted" Guest Portal feature.

I'm using IAP-315s updated to the recommended firmware.

It all seems straight forward and works well, except for the Certificate Error message that comes up due to the included Aruba Certificate not being trusted.

For a good guest experience, I would like to obviously ensure that there is no certificate error message.

The Aruba Central documentation is pretty light in this area (I'm guessing because it’s a fairly new feature) so I would appreciate if someone could confirm if the following process is correct.

  1. Using OpenSSL, Create an CSR and submit to your Public Root Certificate Authority
  1. Get the signed certificate back from the CA, and add the certificate to the Aruba Central Portal: Customer -> Network Management -> Configuration  -> [Group Name] -> Wireless -> Security
  2. Add the Public Root CA certificate as a CA Certificate
  3. And the newly signed certificate from the original CSR as a Server Certificate
  4. Open an Aruba TAC ticket to activate the new certificate for Cloud Guest Service

 

Is this process correct? What is the typical turn-around to get the CName added to the configuration?

 

Regards,

Rowan Sakul

New Contributor

Re: Aruba Central + Guest Portal, Certificate Management

Hi!
I´m in the same situation, doing a POC with a customer and they want to try the cloud guest portal and I need to add our own certificate.

Like you said the documantation is pretty light on this subject

 

Brgds

Contributor II

Re: Aruba Central + Guest Portal, Certificate Management

An answer for this question would be pretty good.

Anyone was able to upload a certificate and get rid of the certificate message ?

Guru Elite

Re: Aruba Central + Guest Portal, Certificate Management

A certificate is now provided in Aruba Central for use with Cloud Guest.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Aruba Employee

Re: Aruba Central + Guest Portal, Certificate Management

Team,

 

Just following up to see if anybody has had success in getting the CA cert loaded into Cental

New Contributor

Re: Aruba Central + Guest Portal, Certificate Management

We haven't tried using the new provided certificate yet.

To get our own working correctly, we had to load into a Windows machine, then export it with the full certificate chain to include all of the relevant root and intermediate certificates.

With the resultant .pfx we loaded into Aruba Central in the PKCS12 Certificate File Format.
We also had a password on the .pfx file

Re: Aruba Central + Guest Portal, Certificate Management

The new certificate is again shared by all devices sold by Aruba and uses securelogin.hpe.com as the URL, instead of old compromised securelogin.arubanetworks.com.

 

You can verify what the IAP is using, by using command show captive-portal-domains on IAP.

 

I am attaching a picture of Central configuration needed to push down the new certificate to the IAP. This shall remove the SSL error you see, even opening a HTTP site on first go.

 

Capture.PNG

 

PS: Aruba recommends you upload your own certificates instead of using Aruba provided certficates, which are shared among large number of devices.

 

paw
Contributor I

Re: Aruba Central + Guest Portal, Certificate Management

Hello,

 

we dont want to use the default certificate. Do we need two certificates like we do in a setup with clearpass?

 

One certificate for the access point and another of the public captive portal? Can we use our own public certificate / a-record in the central enviroment?

 

I would like to use something like:

guest-logon.company.com - IAP

guest-portal.company.com - Aruba Central Guest

 

Thanks in advance

Patrick

New Contributor

Re: Aruba Central + Guest Portal, Certificate Management

Hi Patrick,

One certificate for the access point and another of the public captive portal? 

- I believe so, you have the following Usage Types for certificates:

--Certifcate Authority

--Autentication Server

--Captive Portal (this is for the Guest Splash pages)

--Radsec

--Radsec Certificate Authority

 

Can we use our own public certificate / a-record in the central enviroment?

- You can, but you need to be very careful that it is chained correctly otherwise you'll get SSL errors, we've found Android devices pretty picky. (Even with the Aruba supplied default cert, we had to request an updated, properly chained one)

- You may also need to override the Common Name on the Guest Portal by doing the following:

Please set ‘’override common name’’ under Splash page settings as mentioned below:
1. From the app selector, click Guest Access. The guest access configuration and management menu options are displayed
2. Click Splash Page. The Splash Page pane is displayed
3. Select the appropriate group from the group selector. You can create splash page profiles only for the individual groups. The splash page creation function is not available if the page view is set to All Groups
4. On the Configuration tab, select for ‘’Override Command Name’’
5. Click the Override Common Name toggle switch for ‘securelogin.hpe.com’. The common name is the web page URL of the guest access portal
6. Save the changes

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: