Occasional Contributor II

Captive Portal cert error with Android

I'm in the process of building out my new wireless guest network with Aruba controllers (8.3.0.2) and ClearPass (6.7.5) and am having an issue with a certificate error. I have a certificate from DigiCert on ClearPass as well as my controllers and it seems to work fine. When I connect to my captive portal on a Windows laptop, I get the captive portal pop-up and can log in with no certificate issues. I have a test iPad here as well and same thing: connect and log in with no certificate error.

Now on 5 different Androids (running different versions), I connect to the network and get the captive portal pop-up, which is HTTPS and that's fine. But when I click login I get the certificate error. I only seem to get the cert error on Androids. I need another Apple device or two to test with to verify it with that as well, but the iPad and Windows devices are fine.

I would think something like DigiCert would already be loaded on Android devices as it's a pretty common 3rd-party certificate company. Has anyone had issues with Android phones/tablets having a certificate error where other vendors seem to be fine?

I have an HTTPS certificate on ClearPass signed by DigiCert; I also have 3 individual HTTPS certificates on my controllers (each controller has its own, and it's stacked with the intermediate and root CA together in one file).

 

Guru Elite

Re: Captive Portal cert error with Android

1. You should use one, single name, generic captive portal certificate across all controllers
2. Server certificates should only be uploaded with leaf + intermediates

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
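A small shell check for the two points above (one generic portal certificate, leaf + intermediates only) and for the later advice that the cert's name must be the entry in the ClearPass web login config. This is an added example, not from the thread or from Aruba; it assumes openssl is on PATH, and the bundle path and FQDN are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Checks a captive-portal certificate
# bundle before upload: the file should hold the leaf plus intermediate(s)
# only (no self-signed root), and the leaf must cover the FQDN configured
# in the ClearPass web login. Assumes openssl is on PATH; the bundle path
# and FQDN are placeholders chosen by the caller.

# split_bundle BUNDLE DIR: write each PEM certificate to DIR/cert-NN.pem
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
  ' "$1"
}

# check_bundle BUNDLE FQDN: print findings; return 0 if clean, 1 otherwise
check_bundle() {
  bundle=$1; fqdn=$2; rc=0; i=0
  tmp=$(mktemp -d) || return 2
  split_bundle "$bundle" "$tmp"
  for c in "$tmp"/cert-*.pem; do
    [ -f "$c" ] || continue
    i=$((i + 1))
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
    # subject == issuer is the usual sign of a self-signed root CA
    if [ "$subj" = "$iss" ]; then
      echo "cert $i is self-signed (root CA), remove it: $subj"
      rc=1
    fi
    if [ "$i" -eq 1 ]; then
      # the first certificate must be the server (leaf) cert for the portal name
      if openssl x509 -in "$c" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "cert 1 (leaf) matches $fqdn"
      else
        echo "cert 1 (leaf) does NOT match $fqdn: $subj"
        rc=1
      fi
    fi
  done
  if [ "$i" -lt 2 ]; then
    echo "bundle holds $i certificate(s); expected leaf + intermediate(s)"
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}
```

Run it as `check_bundle controller-bundle.pem captive-portal.yourdomain.com` against the file you intend to upload; a non-zero exit means the bundle needs fixing before it goes on the controllers.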
Occasional Contributor II

Re: Captive Portal cert error with Android

I have followed the guide listed here:

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Web-Login-NAS-Address-configuration-options-in-single-and-multi/ta-p/275426  (the last part Using Unique Captive Portal Certificates Per Controller)

Since I am in a multi-controller setup, each with its own individual cert, I have those all added in the header HTML area. On each controller I have its own cert, each with its own common name. But I also have SANs created for them for different things. One of those SAN entries is the DNS address of the cluster of controllers. That is the entry that is referenced in the IP address field on the captive portal page in ClearPass.

For the second part, so my stack of certs should not include the root CA? Just the SSL cert and intermediate?

Guru Elite

Re: Captive Portal cert error with Android

You should not use different certificates on each controller.

Yes, leaf + intermediate only.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Captive Portal cert error with Android

Having 3 different public certs on each controller, though, causes an issue with Androids and their cert error and not on Apple or Windows?

Guru Elite

Re: Captive Portal cert error with Android

It’s good to get to a baseline best practice configuration before continuing to troubleshoot.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Captive Portal cert error with Android

Thanks. I will go about doing that now and test it out. One more question: so when creating the certificate, the common name should not be in DNS? And that common name is what I will put in the IP Address field on the captive portal webpage config in ClearPass?

So if I create something like captive-portal.mydomain.com as the common name for all of my controllers, that is the same thing I put in the webpage config?

Guru Elite

Re: Captive Portal cert error with Android

Correct, you don't put anything in DNS and a generic name is fine (network-login.yourdomain.com, captiveportal.yourdomain.com, etc.). The CN of the cert is what goes in the weblogin config in ClearPass.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Occasional Contributor II

Re: Captive Portal cert error with Android

OK, I used openssl and created the cert with keys and uploaded it to DigiCert, got my new one, combined the SSL cert and the intermediate CA in one file, then uploaded that same cert to all of my controllers and that went through.

I then updated my web login address so it is captive-portal.<mydomain>.com, which is the same thing I used as the common name in the certificate. Now when I connect I get the error saying captive-portal.<mydomain>.com can't be found. Since there is no DNS entry for it, how does it know to go back to the controller?

See attached.

Guru Elite

Re: Captive Portal cert error with Android

Run “show datapath fqdn” on the controller and ensure it is the common name of the cert.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
