Security

Hi,

I'm looking at getting a server certificate for a guest network to get rid of the cert error that pops up.

So when I generate the CSR, does the CN need to be resolvable by DNS?  Typically for a guest network they may use a public dns such as 8.8.8.8, so the name is not necessarily resolvable.

For the captive portal page to open, and I've confirmed with wireshark.

• client opens browser and does a dns lookup
• gets response and tries to open webpage
• controller sends a http redirect saying page has moved to 'securelogin.arubanetworks.com' or whatever the CN is in the cert.
• client does a dns lookup on securelogin.arubanetworks.com
• controller hijacks the response and changes it to be the ip of the controller.
• client opens page to controller ip and then captive portal page is presented.

So in theory, the CN on the cert shouldn't matter if it is not resolvable as the controller hijacks the dns response anyway.

Have I got that right?

Thanks

You're right, it doesn't need to be resolvable. I've tried witn a non-resolvable FQDN and it works just fine.ç

Regards

How does this work with ClearPass hosting the external captive portal?

My understanding is that when the guest connects to the wireless network and opens a browser they will be 302 redirected to 'https://cppm.company.local/guest/guest_page.php' or whatever the ClearPass guest registration page is in the Captive Portal profile.

If the guest network only has public dns servers like 8.8.8.8 they will not be able to resolve cppm.company.local

I guess that an alternative is maybe to use an IP address instead of host name. For example 302 redirect to 'https://10.10.10.10/guest/guest_page.php' instead.

I don't believe you can get a public SSL certificate with a CN of of a private IP address 10.10.10.10. 

Will the guests always get a warning in this case?

Cheers,

Chris

good question, does anyone have this setup working?

Yes, tested fine.  It is in a lab, but I basically needed a cert with a cn other than securelogin.arubanetworks.com, and it works.

:-)

This is a fairly common question.

The short answer is that Clearpass should have a CN in the cert that matches a resolvable FQDN (at which you point your redirect page). Note that this means registering your Clearpass FQDN of course! Treat your Clearpass like a proper web server in that respect and you'll do fine.

I wouldn't recommend using a private IP as it won't match the FQDN, and secure browsers won't trust it (so you won't achieve a goal of getting rid of the browser warnings).

I have seen people do things with their own DNS servers (private) to resolve this without registering properly (or via an internal FQDN). Again, I don't recommend this as it exposes internal DNS servers to security risks.

Note that in the next couple of years, security for web certs is changing, so Verisign for instance won't issue certs for FQDNs that aren't fully public. I.e. they won't give them out to private domains.

This link has details about it...

http://www.symantec.com/theme.jsp?themeid=cab-forum-changes