Controllerless Networks

With the recently emailed advisory regarding securelogin.arubanetworks.com, if the IAP Guest WLAN is only configured for INTERNAL – ACKNOWLEDGED, do I need to be concerned about this/will the revoked certificate cause an issue for guests using this configuration?

 

Thank you.

Yes.  If the guest browser is configured to detect a revoked certificate, it might not let the user connect.

Thanks for the prompt reply Colin.  If this is indeed the case, what’s the best way to resolve this as I see no reason to have an SSL certificate if I’m not securing anything.

If you haved a captive portal, then you are securing the connection between the client web browser are the portal.  This needs to be encrypted,  you can use a self-signed certificate but this may still cause tehe browser to throw up an error as it would be untrusted by the browser.

I see—shame considering SSL is really not required here.  Does my certificate need to be for securelogin.example.com or will any host work?  If the former, is there a way to change this?  There is little documentation here, at least as it specifically relates to IAP, and this covers http://community.arubanetworks.com/t5/Wireless-Access/Certificate-quot-securelogin-arubanetworks-com-quot/td-p/239148 as well.  Also, do I need to reboot everything or will this Just Work once the new certificate is uploaded?  Thank you.

We just posted a few FAQs:
https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

Thanks for the prompt reply Tim.  While this covers why a certificate is needed, it doesn’t mention Subject Names or if a reboot is required for the change to be effective.  I imagine Aruba has a major head ache on their hands for anyone that uses the built-in captive portal for Guest WLANs.

The common name can be anything. I'd recommend it be somewhat user friendly. Something like "network-login.domain.xyz". A public certificate is highly recommended for captive portal.

A reboot is not required.

Hi cappalli!

I assume that an A recond in DNS should be created for "network-login.domain.xyz", am I right? To which ip address it should be pointing?

Is it possible to use wildcard cert?

No. No DNS record is required. Wildcard certs can be used on Instant 4.3 and greater.

Hello, 

 

I´m having the same issue on instant APS. Failed to make a good presentation to a customer beacuse of this issue who has a demo AP at their office. 

 

How could we solve this in an easy fashion, free of cost and avoiding to install a certificate on each device (which is pretty obvious in a guest wifi) ?

 

Thanks

Take a look at this: https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

Already read it, but found no explanation on how to create a public certificate and i understand it has a cost asociated, is this correct?

 

On the other hand, how can i hand in APs to a client who has no knowledge of certificates? If we should now work on every client for this purpose the time consuming is really big, which doesnt happen on most of the rest of the Wireless companies... 

It explains how to create a CSR. We can't cover each public certificate provider as they all differ. It's a pretty easy process and is very inexpensive.

---

@Tincho.AB wrote:

Already read it, but found no explanation on how to create a public certificate and i understand it has a cost asociated, is this correct?

 

On the other hand, how can i hand in APs to a client who has no knowledge of certificates? If we should now work on every client for this purpose the time consuming is really big, which doesnt happen on most of the rest of the Wireless companies... 

---

You have two choices:

 

- Upgrade to Instant 6.4.4.8-4.2.4.3 or above and it will automatically generate a self-signed certificate that is not signed by a public authority.  Their users will still get an error, but it will not be revoked.

- Create a CSR using an offline tool (OpenSSL) and submit it to a certificate authority that will give you a public certificate and depending on the certificate, your users will not get any errors.  http://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025    Some certificate authority will allow you to create a personal certificate (www.startssl.com) for non-commercial use and it will be free.  Again, I am not suggesting startssl, but it is one of the CA's out there that offer that service...

After reading this thread it seems that Aruba is not going to fix this issue and there will be no feature that allows the admin to disable the requirement for a certificate in order to get to the Guest portal disclaimer page.