How does Aruba Controller work with wild card certificate for captive portal authentication?
An Aruba mobility controller ships with a default SSL certificate with the Comman Name(CN): securelogin.arubanetworks.com. The behavior of the controller is to adopt the name defined in the CN of the certificate as its virtual name. This means that any time a wireless client connected to the captive portal ssid, it attempts to resolve the name securelogin.arubanetworks.com, the controller will always return its switch IP by default.
When using a 3rd party wildcard SSL certificate is used for captive portal, the CN on that certificate will be used to redirect to the captive portal page. For example, if the SSL certificate has the CN: wifi.example.com, then wifi.example.com will always resolve to the switch IP of the controller.
For the captive-portal redirection, the certificate mapped for captive portal should have FQDN as the CN in the cerificate. In case of wildcard cerificate, an asterisk is used to signify that any host name can be used with that certificate. When a wildcard SSL certificate is installed on the mobility controller for captive portal, it replaces the asterisk with the host name "captiveportal-login". In our example, the virtual name will be "captiveportal-login.example.com"
In the packet capture, the controller replies saying that it has “temporarily moved” to <https://captiveportal-login.arubanetworks.com/[string that identifies client]>.