Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal URL in Master Redundancy

  • 1.  Captive Portal URL in Master Redundancy

    Posted Jan 03, 2018 12:44 AM

    Hi,

    We have a master-redundancy controller environment with an SSID set up for guests which uses a captive portal. The aim is to have both controllers be able to service the users via the guest captive portal no matter which one is master, whilst leveraging HTTPS and publicly trusted certificates.

    My questions are about what the recommended setup is for the captive portal URL and what sort of certificate to use.

    With the captive portal URL I assume I have to use a DNS-resolvable domain name (that matches the CN in the public cert) which is going to be shared by both WLCs? What is the best practice to have this domain name resolve to either WLC depending on which one is master? Should I create a VRRP instance in the guest VLAN and have the domain name resolve to the VRRP master IP? Also, in regards to the DNS, I assume I need to use our internal DNS server to resolve the domain name to a private IP? Is there a better way of doing this, or a way that we can use a public DNS server?

    In the captive portal profile, if I were to use a domain name that resolves to a VRRP master IP, would I just put the URL as domainname.domain/auth/index.html or something else?

    With regards to publicly signed certificates, what is the recommended setup in this scenario? To use a single publicly signed cert with the CN as the VRRP domain name? Or, if VRRP isn't used, to use a single wildcard certificate for both WLCs, or create a certificate with a SAN entry for each WLC?

    Thanks in advance



  • 2.  RE: Captive Portal URL in Master Redundancy
    Best Answer

    EMPLOYEE
    Posted Jan 03, 2018 04:21 AM

    You should use a single public certificate for both.  DNS does not matter, because either controller that a user is on will "snoop" for DNS requests for the FQDN of the name in the web certificate and return the IP address of the controller.

    For example, if you have a single certificate that you use for both controllers that is captiveportalhost.domain.com, your captive portal authentication profile should have https://captiveportalhost.domain.com/upload/login.html.  When the client requests https://captiveportalhost.domain.com, the controller will see the DNS request and return the IP address of the controller that the user is on.  By default the IP address is the controller's management IP address.  You can use the "ip cp-redirect-address" command on each controller to modify that IP address to be the IP address of the controller on the guest VLAN.

    Long story short, if there is a failover, and APs and clients end up on the backup master, the clients will have the same captive portal authentication profile and when a client does a DNS request for http://captiveportalhost.domain.com, the backup master will return its own IP address.

    I hope that helps.

    One word of caution:  If you intend to put a single captive portal certificate on two controllers, you cannot do the CSR on either controller, because the resulting certificate will be tied to that one controller.  You need to do the CSR external to the controller.
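Added example (not from the thread or from HPE Aruba): generating the captive-portal key and CSR off-box with OpenSSL, so the one resulting certificate and private key can be installed on both controllers, and checking that the CSR's SAN carries the same hostname as the captive portal profile URL. It assumes OpenSSL 1.1.1 or later (for `-addext`); the hostname and URL are the example values from the reply above and the output paths are assumptions.

```shell
#!/bin/sh
# Generate the captive-portal key pair and CSR outside the controllers, so the
# same private key and signed certificate can be loaded on both the master and
# the backup master. Assumes OpenSSL >= 1.1.1 (-addext).

# make_csr <fqdn> <outdir>: writes <outdir>/<fqdn>.key and <outdir>/<fqdn>.csr
# The CN and a DNS SAN both carry the FQDN; modern browsers validate the SAN.
make_csr() {
    fqdn="$1"
    outdir="$2"
    mkdir -p "$outdir"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/$fqdn.key" -out "$outdir/$fqdn.csr" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
}

# url_host <url>: hostname part of a captive portal URL
# e.g. https://captiveportalhost.domain.com/upload/login.html
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#[/:].*$##'
}

# csr_matches_url <csr> <url>: succeeds only if the CSR's SAN lists the URL's
# host, i.e. the certificate will be valid for the redirect on either controller
csr_matches_url() {
    host=$(url_host "$2")
    openssl req -noout -text -in "$1" 2>/dev/null | grep -qw "DNS:$host"
}

# Demo with the thread's example values (constructed paths); run with CP_DEMO=1
if [ "${CP_DEMO:-0}" = 1 ]; then
    make_csr captiveportalhost.domain.com /tmp/cp-csr
    csr_matches_url /tmp/cp-csr/captiveportalhost.domain.com.csr \
        https://captiveportalhost.domain.com/upload/login.html \
        && echo "CSR matches captive portal URL host"
fi
```

Submit the `.csr` to the public CA, then install the returned certificate together with the `.key` on each controller.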



  • 3.  RE: Captive Portal URL in Master Redundancy

    Posted May 17, 2019 10:02 AM

    Hi Joseph,

    Thanks for your explanation.

    I do have a similar scenario, but I have ClearPass where we are hosting the captive portal.



  • 4.  RE: Captive Portal URL in Master Redundancy

    EMPLOYEE
    Posted May 17, 2019 01:43 PM

    What is your question?



  • 5.  RE: Captive Portal URL in Master Redundancy

    Posted May 17, 2019 02:19 PM

    My question is what URL should I use in both controllers running ArubaOS 8 to redirect to the captive portal which is hosted on ClearPass (ClearPass configured in a publisher-subscriber setup and also has a VIP; the controllers are configured as master-standby without Mobility Master).

    Also what should I mention in the web login page setting in ClearPass,

    so that ClearPass sends the response to the active controller?

    For the controller management IP, which controller's IP is used as source in RADIUS packets towards ClearPass, and ClearPass must return the RADIUS response packet to the active controller.