Cloud Managed Networks

Hi, We have encountered some issues related with Aruba central and his function Cloud Guest (redirect issue). We set up a custom Guest portal with user verification (sms and e-mail). We knew that pop-up in iOS (auto-login is prevented) is disabled and we are ok with that. However, we noticed that: 1. When the client device is associated (iOS) and the user opens the browser (safari) and tries to open a https (SSL) URL in order to get redirected. Safari browser does nothing. We thought that was related with the whitelist and because the device's browser cannot validate the cert. We tested the whitelist and it seems is working, so we discarded that. The only way to get redirected is by entering a http URL (no SSL) 2. We scanned the captive portal of the cloud Guest (Aruba Central) and we noticed that the default Cert is signed by a root CA (DigiCert) and passed with good grade but with some warnings about the use of TLS v1 and a pending approval by Google and Mozilla (browsers) 3. We continued with the investigation and testing w/o changing the certs and we discovered that when we cleaned up the cookies and history in safari browser (iOS) the redirect works even when you are trying to get redirected with HTTPS, and not only with HTTP. 4. Meanwhile, we have been reviewing the comments and problems that some users have with Certs and based on their comments we decided to use a signed root CA cert (public) for Aruba Central Here, my question: -In order to achieve the change of cert, do we need to change the cert in only Aruba central or do we need to change the cert in the IAPs (Authenticator) as well, so we can get redirected properly? Thanks in advance, Edgar.

First some constructive critcism, it would signifcantly help if you could slightly format your text, to make it a bit more readable:-)

 

In a guest captive portal workflow there are usually two relevant certificates, which need to be issued by a Public CA in order to be trusted broadly by wireless clients.

 

1. Guest Portal Certificate (Captive Portal aka Splash Page)
2. Web-Server Certificate on Instant AP

With Cloud Guest (CG) Aruba provides 1), signed by Comodo with the CG subscription. You can't replace that certificate as it is tied to your splash page in Cloud Guest.

 

Instant automatically triggers a redirect to the CG portal, once it sees HTTP/HTTPS connections coming from an unregistered device.

 

For 2) you can theoretically upload your own publically signed certificate.

Under Global Settings > Certificates, you can upload a custom certificate, which is pushed to your IAPs.

 

Under Wireless Management > Security > Certificate Usage > Captive Portal you can then select your custom certificate.

 

Please note, that if you move away from the aruba_default CP portal certificate (signed by DigiCert), and replace it with your own, you need to configure the setting "Override Common Name" in the splash page and specify a string that matches the CN of your new cert.

 

I don't really see any major benefits of replacing that certs, for pretty much all CG customers, what Aruba provides out of the box works well.

Thanks for your comments and answering my  doubts. I usually divide down my ideas when i write down but the system didn't respect the format :) ... it was my first time posting something in the system of this community.

 

I read your reply and the folllowing are my comments:

 

- We still experience issues with the redirect in iOS and Android when client device is trying to open a HTTPS page. the most affected OS is iOS.

 

- I ran Curl commands to launch http and https and try to see if redirect happened and i confirmed that only 302 happens with http. 

 

- When I posted this, We hadn´t had any open case with Aruba Support. Now, we have been collaraborating with them during _at least_ two weeks to find out where is the problem..I will let you know the outcome and the RCA.

 

- Personally, I still believe is related with certs and perhaps with a time out.

 

Sincerely, 

 

Reality shows that some clients/OS versions just don't like captive portals;-) So it could be in the end client specific.

 

There have been instances where some versions of Instant lead to redirect issues on some isolated clients.

 

You might want to check your current Instant firmware and maybe compare release notes with any newer versions available, if something was fixed that could explain your behavior. But this is exactly where TAC is there to help.

 

IMHO, this is beteween the IAP and the client. Cloud Guest is only the captive portal to which the client is redirected. The redirect itself is triggered by the AP.