Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal cert error with Android

  • 1.  Captive Portal cert error with Android

    Posted Sep 19, 2018 11:36 AM

    I'm in the process of building out my new wireless guest network with Aruba controller (8.3.0.2) and ClearPass (6.7.5) controllers and am having an issue with a certificate error. I have a certificate from DigiCert on ClearPass as well as my controllers and it seems to work fine. When I connect to my captive portal on a Windows laptop, I get the captive portal pop-up and can log in with no certificate issues. I have a test iPad here as well and same thing: connect and log in with no certificate error.

    Now on 5 different Androids (running on different versions), I connect to the network and get the captive portal pop-up, which is HTTPS, and that's fine. But when I click login I get the certificate error. I only seem to get the cert error on Androids. I need another Apple device or two to test with to verify it with that as well, but the iPad and Windows devices are fine.

    I would think something like DigiCert would be already loaded on Android devices, as it's a pretty common 3rd party certificate company. Has anyone had issues with Android phones/tablets having a certificate error where other vendors seem to be fine?

    I have an HTTPS certificate on ClearPass signed by DigiCert, and I also have 3 individual HTTPS certificates on my controllers (each controller has its own and it's stacked with the intermediate and root CA together in one).



  • 2.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Sep 19, 2018 11:53 AM
    1. You should use one, single name, generic captive portal certificate across all controllers
    2. Server certificates should only be uploaded with leaf + intermediates


  • 3.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:29 PM

    I have followed the guide listed here:

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Web-Login-NAS-Address-configuration-options-in-single-and-multi/ta-p/275426  (the last part Using Unique Captive Portal Certificates Per Controller)

    Since I am in a multi-controller setup, each with its own individual cert, I have those all added in the header HTML area. On each controller I have their own certs, each with their own common name. But I also have SANs created for them for different things. One of those SAN entries is the DNS address of the cluster of controllers. That is the entry that is referenced in the IP address after on the captive portal page on the ClearPass.

    For the second part, so my stack of certs should not include the root CA? Just the SSL cert and intermediate?



  • 4.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Sep 19, 2018 12:31 PM
    You should not use different certificates on each controller.

    Yes, leaf + intermediate only.


  • 5.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:36 PM

    Does having 3 different public certs on each controller, though, cause an issue with Androids and their cert error and not on Apple or Windows?



  • 6.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Sep 19, 2018 12:41 PM
    It’s good to get to a baseline best practice configuration before continuing to troubleshoot.


  • 7.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 12:53 PM

    Thanks. I will go about doing that now and test it out. One more question: when creating the certificate, the common name should not be in DNS? And that common name is what I will put in the IP Address field on the captive portal webpage config in ClearPass?

    So if I create something like captive-portal.mydomain.com as the common name for all of my controllers, that is the same thing I put in the webpage config?



  • 8.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Sep 19, 2018 12:59 PM
    Correct, you don’t put anything in DNS and a generic name is fine (network-login.youdomain.com, captiveportal.yourdomain.com, etc). The CN of the cert is what goes in the weblogin config in ClearPass.


  • 9.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 01:57 PM

    OK, I used openssl and created the cert with keys and uploaded it to DigiCert, got my new one, combined the SSL cert and the intermediate CA in one file, then uploaded that same cert to all of my controllers and that went through.

    I then updated my web login address so it is captive-portal.<mydomain>.com, which is the same thing I used as the common name in the certificate. Now when I connect I get the error saying captive-portal.<mydomain>.com can't be found. Since there is no DNS entry for it, how does it know to go back to the controller?

    See attached.



  • 10.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Sep 19, 2018 02:04 PM
    Run “show datapath fqdn” on the controller and ensure it is the common name of the cert.


  • 11.  RE: Captive Portal cert error with Android

    Posted Sep 19, 2018 02:35 PM

    It originally showed up only as securelogin.arubanetworks.com. I changed the web-server profile on the highest folder for the controllers, but that didn't seem to work. So I had to manually change it on all of the controllers and now it shows up correctly in the show datapath fqdn and the captive portal does work now.

    I tested with my devices, and the Windows/iPads are working the same now. With Androids, it's been spotty. Either my phone doesn't get the certificate error anymore or it goes away really quickly and I don't have to accept. My tablet does the same thing. One of my co-workers' phones didn't get the cert error, but another's did. So I'm not sure if it's related to something with Android or something else.



  • 12.  RE: Captive Portal cert error with Android

    Posted Sep 06, 2019 10:06 AM

    I am having the same issue. Were you ever able to resolve it?



  • 13.  RE: Captive Portal cert error with Android

    Posted Aug 23, 2021 08:04 AM
    Same issue seems to be happening with AOS ver 8.6.0.11 with Android devices, even when using a valid public cert for captive portal.
    Once we choose to "continue anyway via browser" we get redirected to the valid HTTPS:// captive portal.
    All works fine with Windows; the issue is with Android devices.
    Any feedback from anyone that has made this work, or found a workaround, is appreciated.

    ------------------------------
    Marvin Spiteri
    ------------------------------



  • 14.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Aug 24, 2021 07:38 AM
    What is shown if you select VIEW CERTIFICATE?

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 15.  RE: Captive Portal cert error with Android

    Posted Aug 25, 2021 02:39 AM
    Hello Herman

    the actual certificate is a valid public certificate on customer setup - in fact same certificate is used on windows clients with no issues at all 
    I have a TAC case open and they say it is from end device (and I agree that the trigger for this is from the android side) there is nothing wrong with Aruba config - but I am still looking for a possible solution as this is bothering end users and our customer is getting complaints ..

    ------------------------------
    Marvin Spiteri
    ------------------------------



  • 16.  RE: Captive Portal cert error with Android

    EMPLOYEE
    Posted Aug 25, 2021 03:30 AM
    Can you try to stop redirecting HTTPS (or blocking HTTPS, except for traffic to your external captive portal if you have one)?

    ------------------------------
    Herman Robers
    ------------------------------



  • 17.  RE: Captive Portal cert error with Android

    Posted Sep 13, 2021 01:12 AM
    Issue was resolved 
    turned out to be public cert was not properly chained
    thanks

    ------------------------------
    Marvin Spiteri
    ------------------------------
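
A check for the bundle layout advised in replies 2 and 4 (leaf + intermediates only) and for the "not properly chained" cause reported in reply 17, as an added example that is not part of the thread and not Aruba or ClearPass tooling. It walks a PEM bundle and confirms that each certificate's issuer is the subject of the next one and that no self-signed root is included. Assumptions: names are compared byte for byte, signatures are not verified, and `check_bundle`, `fake_cert` and the sample certificates are constructed here for illustration.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Decode one DER element at pos -> (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER bytes of (issuer, subject) from one X.509 certificate."""
    _, pos, _ = tlv(der, 0)               # Certificate
    _, pos, _ = tlv(der, pos)             # TBSCertificate
    tag, _, end = tlv(der, pos)
    if tag == 0xA0:                       # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def check_bundle(pem_text):
    """List problems in a server bundle (names compared byte for byte; [] = leaf + intermediates in order)."""
    certs = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    problems = [] if len(certs) > 1 else ["fewer than two certificates: no intermediate in bundle"]
    for i, (issuer, subject) in enumerate(certs):
        if issuer == subject:
            problems.append(f"cert {i} is self-signed (root in bundle)")
        if i + 1 < len(certs) and issuer != certs[i + 1][1]:
            problems.append(f"cert {i} is not issued by cert {i + 1}")
    return problems

# Constructed sample input: minimal DER holding only the fields parsed above (no keys or signatures).
def _der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def fake_cert(issuer_cn, subject_cn):
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03" + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + b"\x30\x00" + name(issuer_cn)
           + b"\x30\x00" + name(subject_cn))
    body = base64.encodebytes(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"
LEAF = fake_cert("Constructed Intermediate CA", "captive-portal.example.com")
INTERMEDIATE = fake_cert("Constructed Root CA", "Constructed Intermediate CA")
ROOT = fake_cert("Constructed Root CA", "Constructed Root CA")
```

To check a real bundle before uploading it, pass the file's text to `check_bundle`; an empty list means the order and contents match the leaf + intermediates layout.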