Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Apple iOS 11 Devices fail to access (Captive) Portal

  • 1.  Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Sep 26, 2017 05:44 AM

    Hello,

     

    We recently updated our Instant Access Antennas and the ClearPass appliances to the latest builds. We are running a guest web page for client access, which is working fine; just new Apple devices running iOS 11 are not connecting to the public SSID for guest networks.

    Of course I've read the hints concerning the SHA-1 changes in Apple's new iOS, but as we just updated our appliances, the certs are self-signed SHA-256 certs.

    Now we want to put a public cert on all Instant controllers, but I'm not sure which CN or details we should add to the CSR.

    Currently the CN is setmeup.arubanetworks.com, the default value.

    Which CN can we use, as the Instant controller is kind of dynamic? Where can we look up the hostname to choose the cert name for?

     

    Many thanks and best regards,

    Patzed



  • 2.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    EMPLOYEE
    Posted Sep 26, 2017 05:49 AM
    Use something generic like network-login.domain.xyz. Use the same certificate across all of your controllers/VCs.


  • 3.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Sep 26, 2017 06:09 AM

    thanks for the fast reply.

     

    So there is no need to assign any SAN and/or IPs for this cert?

    I'm used to delivering certs to web servers, but then the CN has to match the server's IP/DNS name; can this be ignored for the portal?!

    Second question:

    Can you confirm the new "state" that iOS 11 devices are unable to connect to a non-protected Wi-Fi if there is no official cert in place? The same portal is working with iOS 10.3, and SHA-256 is in place.

    Best regards and thanks,

    Patzed

     

     



  • 4.  RE: Apple iOS 11 Devices fail to access (Captive) Portal
    Best Answer

    EMPLOYEE
    Posted Sep 26, 2017 06:19 AM

    Correct. The name can be generic as the controller/VC will intercept requests for it. The CA should automatically add the CN as a SAN. IPs are not permitted in public CA-signed certificates.

     

    I'm not sure about iOS 11, but a public CA-signed certificate should always be used, regardless of OS version.
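
A worked CSR for the generic portal name recommended above, added here as an example; it is not part of this thread and not HPE Aruba Networking tooling. It assumes the placeholder name network-login.example.com (substitute the name you will configure as the captive portal URL on every VC/controller) and a working openssl binary. Two points the reply leaves implicit: the CSR carries the name explicitly as a DNS subjectAltName rather than relying on the CA to copy the CN, since current Apple and browser clients match the hostname against the SAN only, and it contains no IP addresses, which public CAs will not sign. The request asks for a SHA-256 signature, which also covers the iOS 11 SHA-1 deprecation mentioned in the opening post.

```shell
#!/bin/sh
# Added example, not from the forum thread or HPE Aruba Networking:
# generate a key and CSR for a generic captive-portal hostname with the
# name carried as a DNS SAN, ready to submit to a public CA.
# Assumptions: the placeholder name below and an openssl binary in PATH.
set -eu

PORTAL_NAME="${PORTAL_NAME:-network-login.example.com}"   # placeholder
WORKDIR="${WORKDIR:-./portal-cert}"

# Write an OpenSSL request config. req_extensions puts the SAN into the
# CSR itself instead of relying on the CA to copy the CN into a SAN.
write_req_config() {
    name="$1"; out="$2"
    cat > "$out" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = portal_ext

[ dn ]
CN = $name

[ portal_ext ]
subjectAltName   = DNS:$name
extendedKeyUsage = serverAuth
EOF
}

# Generate a fresh RSA-2048 key and a SHA-256-signed CSR for the name.
make_portal_csr() {
    name="$1"; dir="$2"
    mkdir -p "$dir"
    write_req_config "$name" "$dir/portal.cnf"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/portal.key" -out "$dir/portal.csr" \
        -config "$dir/portal.cnf" 2>/dev/null
    chmod 600 "$dir/portal.key"   # private key stays on the box only
}

# Check that the CSR carries the name as a DNS SAN and no IP SANs,
# which is what the CA (and later the client) will look at.
csr_has_dns_san() {
    csr="$1"; name="$2"
    text=$(openssl req -in "$csr" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$name" || return 1
    printf '%s\n' "$text" | grep -q "IP Address:" && return 1
    return 0
}

# Print the subject and SAN lines a CA operator will see.
show_csr() {
    openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}

# Run stand-alone with: sh portal-csr.sh run
if [ "${1:-}" = "run" ]; then
    make_portal_csr "$PORTAL_NAME" "$WORKDIR"
    show_csr "$WORKDIR/portal.csr"
    csr_has_dns_san "$WORKDIR/portal.csr" "$PORTAL_NAME" && echo "CSR ok"
fi
```

Submit portal.csr to the public CA, then install the returned certificate together with its intermediate chain and portal.key as the captive portal server certificate on every VC/controller, and point the captive portal URL at the same name. If clients need to resolve the name before redirection, add the DNS entry for the VC IP that post 10 suggests.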



  • 5.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Sep 26, 2017 07:52 AM

    Thanks again, 

     

    Sure, the signed cert should always be the preferred solution. I just wondered which type of certificate I need to upload.

    When I log on to the guest portal via notebook, the certificate is shown as the local web-server GUI certificate, but I cannot verify this via the iPhone. I guess I can just choose the option/type:

    -> Captive Portal Server -> X.509 with passphrase, not the default option "Web UI Server Certificate"?

    Best regards,

    Patzed



  • 6.  RE: Apple iOS 11 Devices fail to access (Captive) Portal



  • 7.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Oct 03, 2017 08:49 AM

    Having similar captive portal issues with our 7030. We are using 384-bit ECDSA certs signed with SHA-384 from a private CA server for our captive portal for guests and BYOD. From what I am reading above, in order for iOS 11 to connect to our captive portals we now need public certificates? No exceptions or workarounds, even if I make the CA public-facing with OCSP? Thanks.



  • 8.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    EMPLOYEE
    Posted Oct 03, 2017 08:58 AM

    Yes, you absolutely need a public CA-signed certificate for captive portal redirection and the ClearPass HTTPS cert for guests and Onboard. That has always been a requirement.



  • 9.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Oct 03, 2017 11:48 AM

    Hi there!

     

    I've got some Instant-style Aruba IAP-205s that are also not letting iOS 11 devices in (it claims the password is incorrect whenever anyone tries username/password-style authentication). I gathered instructions all over the web (especially from these boards, which are terrific) and uploaded a public-CA-signed PEM file as a captive portal certificate, and changed the captive portal URL (which we don't really use, nobody ever navigates there; previously its URL was just /) to match the arbitrary URL I used for the SSL certificate.

     

    But, of course, in a browser it's still coming up as insecure when I log into the administrative console, which is still at https://instant.arubanetworks.com:4343/, since that doesn't match our certificate's new domain. Should I be concerned? How can I resolve this?

     

    Thanks!



  • 10.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    EMPLOYEE
    Posted Oct 03, 2017 11:51 AM
    You don't really need to worry about the admin UI.
    If needed, add a DNS entry to match the name for the VC IP.


  • 11.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Oct 03, 2017 11:59 AM

    Thanks, Tim. Truthfully I'm new to the Arubas and not wholly sure how our default captive portal works; we have 'Users for Internal Server' set up with usernames and passwords, and folks use them to connect (only the iOS 11 folks no longer can).

    They are always prompted as to whether or not they want to trust the certificate; they say yes, enter their password, and it fails. This is still happening after installing the custom public-CA-signed SSL certificate, so I've definitely done something wrong. Can you clarify about the DNS entry, please?



  • 12.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    EMPLOYEE
    Posted Oct 03, 2017 12:05 PM
    To clarify, is this captive portal or 802.1X?


  • 13.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Oct 03, 2017 12:09 PM

    I am not 100% sure how to tell. I assumed from my investigations that this iOS 11 issue was a captive portal issue, especially after going into the 'Security' settings and noticing that we HAD one (called 'default').

     

    According to the settings for the wireless SSID in question...

    1) WLAN Settings
    Primary usage: Employee

    2) VLAN
    Client IP assignment: Network assigned
    Client VLAN assignment: Default

    3) Security
    Key management: WPA-2 Enterprise
    Authentication Server 1: InternalServer
    Reauth interval: 0 hrs
    There are a bunch of unchecked boxes. There is the 'default certificate' for the internal service and an 'upload certificate' button where I could, I realize now, upload my new certificate?
    None of the 802.11 boxes are checked

    4) Access
    Unrestricted

     

    Is that enough for you to go on? If you need more information, please let me know. Thank you so much for helping me with this, I really appreciate it!!



  • 14.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    EMPLOYEE
    Posted Oct 03, 2017 12:12 PM
    Looks like you're using 802.1X.

    Couple of things:


    1. You should be using an external RADIUS server
    2. The default certificate should never be used

    It's best if you open a TAC case.


  • 15.  RE: Apple iOS 11 Devices fail to access (Captive) Portal

    Posted Oct 03, 2017 12:16 PM

    I'm not surprised to hear that the setup on this is very out of date. What is the proper method for me to open a TAC case; should I just call in?