Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal SSL Certificates on Aruba 8 Master-Standby

  • 1.  Captive Portal SSL Certificates on Aruba 8 Master-Standby

    Posted Nov 06, 2018 03:06 PM

    Hi guys,


    I'm still struggling with this hierarchy thing on Aruba 8. I have two controllers on Master-Standby mode, no MM in this setup.


    So far I found that most of the setup should be done on the root level (so to speak), the mobility controller level in this case, and some of it should be done on a controller level. If you have by any chance some docs that help to clarify which configurations are done in which level, it will be pretty much appreciated.


    Anyway, now I need to upload an SSL certificate for the captive portal but some questions popped out.

    How many CSRs do I need to generate? In which level should I generate the CSR, in the mobility controller (root) level or in the controller-node level?

    What IP should I point the DNS record? To the controller IP or to the VRRP IP?

    The valid public cert or certs that I get, should I upload them in just one controller (root level) or both controllers (node level)?


    Man, I don't even know if I'm using the right terms.


    Any help is very welcome.

    Regards,



  • 2.  RE: Captive Portal SSL Certificates on Aruba 8 Master-Standby

    EMPLOYEE
    Posted Nov 06, 2018 04:31 PM

    Rule #1 with AOS8 - Always deploy with an MM, otherwise you will be scrambling figuring out what does not work without an MM (like clustering, AirMatch, EDIT: centralized configuration).


    The answer to generating a CSR is always "Do it offline".  If you do it on a specific controller, you can only upload the certificate to that specific controller.  If you generate a CSR offline with OpenSSL you can upload the resulting certificate to as many controllers as you want.


    You do not require a DNS record in your infrastructure, because when you upload the certificate to the controller, it reads the fqdn, intercepts all DNS requests for that fqdn and answers with the local controller's ip address.  If you optionally upload custom HTML to the controller, you would simply have to reference the fqdn of the certificate in the "submit" and the client will always be redirected back to the ip address of the local controller for authentication.


    If you had an MM, you would simply upload the certificate by going to Configuration > System > Certificates > Import Certificates and clicking the + sign. You would then upload with certificate type of "ServerCert". Make sure your context is as high as it can be in the hierarchy. If you don't have an MM, since there is no sync, you would have to do it on one controller and then the other. If you had an MM, all the controllers that are at or under that folder in the hierarchy will automatically obtain and install the certificate (see what is going on here?). You would not have to do anything at the node level.


    To answer generally, the node level is for very specific things like ip addresses and interface configuration.  Many organizations deploy with their interfaces in the same configuration, with an MM, so they have to do little if any node-specific configuration.
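The offline CSR workflow recommended in this reply, as an added example that is not part of the thread and not HPE Aruba tooling: generate the captive-portal key and CSR with OpenSSL on an admin workstation, then check that the CSR carries the portal FQDN and that the certificate you get back actually matches the key before you upload the pair to each controller. The FQDN `captiveportal.example.com`, the file names and the work directory are assumptions for the demo; the self-signing step only stands in for the public CA so the checks can run offline.

```shell
#!/bin/sh
# Added example, not from the thread: create the captive-portal key and CSR
# offline with OpenSSL (so one issued certificate can be installed on every
# controller), then sanity-check the CSR and the returned certificate before
# uploading. The FQDN and paths below are assumptions for the demo.
set -eu

CP_FQDN="${CP_FQDN:-captiveportal.example.com}"   # assumed portal name
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Request config: the FQDN goes in both the CN and a DNS SAN, since browsers
# match the portal hostname against the SAN, not the CN.
write_req_config() {
  cat > "$WORKDIR/csr.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $CP_FQDN
[ext]
subjectAltName = DNS:$CP_FQDN
EOF
}

# Generate the private key and the CSR. The key stays on this machine; only
# cp.csr is sent to the CA.
gen_csr() {
  write_req_config
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORKDIR/cp.key" 2>/dev/null
  openssl req -new -key "$WORKDIR/cp.key" -config "$WORKDIR/csr.cnf" \
    -out "$WORKDIR/cp.csr"
}

# Print the DNS SAN entries of a CSR or certificate, e.g. "DNS:portal.example.com".
san_names() {
  { case "$1" in
      *.csr) openssl req  -in "$1" -noout -text ;;
      *)     openssl x509 -in "$1" -noout -text ;;
    esac; } | grep -o 'DNS:[^, ]*'
}

# Stand-in for the public CA: self-sign the CSR so the remaining checks can run
# offline. In production cp.crt is the certificate the CA returns.
issue_stub_cert() {
  openssl x509 -req -in "$WORKDIR/cp.csr" -signkey "$WORKDIR/cp.key" \
    -days 365 -extfile "$WORKDIR/csr.cnf" -extensions ext \
    -out "$WORKDIR/cp.crt" 2>/dev/null
}

# Exit 0 only if the certificate's public key is the one derived from cp.key;
# a mismatch here is the classic "uploaded the wrong cert" failure.
cert_matches_key() {
  crt_pub=$(openssl x509 -in "$WORKDIR/cp.crt" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$WORKDIR/cp.key" -pubout | openssl sha256)
  [ "$crt_pub" = "$key_pub" ]
}

# Exit 0 only if the certificate carries the portal FQDN as a DNS SAN.
cert_covers_fqdn() {
  san_names "$WORKDIR/cp.crt" | grep -qx "DNS:$CP_FQDN"
}

# Full run: CSR -> (stub) CA -> checks, then the files to upload.
main() {
  gen_csr
  echo "CSR SAN: $(san_names "$WORKDIR/cp.csr")"
  issue_stub_cert
  cert_matches_key && echo "cert/key match: ok"
  cert_covers_fqdn && echo "cert covers $CP_FQDN: ok"
  echo "upload $WORKDIR/cp.key + $WORKDIR/cp.crt to each controller"
}

main "$@"
```

Because the key is generated outside any one controller, the same key and issued certificate can be uploaded to both members of the master/standby pair (or to a folder high in an MM hierarchy), which is the point of the "do it offline" advice. Set `CP_FQDN` to the name you will put in the portal's submit URL; that name, not an IP address, is what the client will verify.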




  • 3.  RE: Captive Portal SSL Certificates on Aruba 8 Master-Standby

    Posted Nov 06, 2018 08:16 PM

    Hi there,

    Thanks for your reply. I was doing some tests and found something interesting. With the master-standby setup something very similar to the MM happens, because most of the settings I do on this level are pushed to the nodes.

    Before your reply, I was testing a certificate with a CSR generated from the "Mobility Controller" level and noticed that the cert was added in both controllers.

    And I did a quick test applying the cert to the management GUI, and it worked on both controllers.


    So since there's no MM and only two controllers I think that the hierarchy is somewhat similar to the MM hierarchy configuration.

    I've attached a screenshot to show this hierarchy similar to the MM.



  • 4.  RE: Captive Portal SSL Certificates on Aruba 8 Master-Standby

    EMPLOYEE
    Posted Nov 06, 2018 08:21 PM

    Reading back on your post, you said master/backup master. I stand corrected (on the configuration replication).



  • 5.  RE: Captive Portal SSL Certificates on Aruba 8 Master-Standby
    Best Answer

    Posted Nov 07, 2018 02:17 PM

    Hi cjoseph!

    Thanks again for your help.

    I also tried the cert on the captive portal and it was shown successfully on the web browser, no need to redirect the FQDN to a particular IP as you pointed out.


    Regards,



  • 6.  RE: Captive Portal SSL Certificates on Aruba 8 Master-Standby

    Posted Oct 10, 2019 12:09 PM

    Not sure if versioning matters, but I just created an sslforfree cert, without generating a CSR, for my lab.


    When I installed it on my MM, it did not show up in the MCs.

    2 MM to MC.


    When I installed the cert on the MC, it told me to use a different name because it was already there; however, the changes I made in the Web-Server Policy didn't apply from top down.


    So I simply changed the display name and added the same cert (also removed it from the MM just in case)...


    Not entirely sure I need a ServerCert on the MM for captive portal since it doesn't do anything anyway, so in my case the MC tier worked fine. Copied it to both MCs, and when I changed the Web-Server cert from default to guest it worked on both as well.