Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive portal redirect cert error due to strict checking

  • 1.  Captive portal redirect cert error due to strict checking

    Posted Oct 29, 2016 12:57 AM

    After connecting to a guest SSID with a captive portal, if a user is trying to go to an https site, the client/browser will likely throw the certificate error "err_cert_common_name_invalid". This is triggered due to strict checking because the SSL certificate on the ClearPass and the SSL certificate on the requested https site do not match.

    Now I know the fix is to simply go to an http page so the certificate issue won't trigger upon the initial redirect to the captive portal. However, I was wondering if anyone already found a better fix or a more creative workaround for this issue? We have an end-customer with a large campus and hundreds of guests and they regularly get questions about this. End-users will often mistakenly assume there is an issue with the wireless due to the certificate error.

    For example, Apple made a workaround by implementing captive network assist so the user doesn't get the opportunity to open his browser but immediately gets the captive portal upon connecting to the SSID. This works great on mobile devices but I'm looking for a more global solution if possible (preferably on ClearPass and not the client side).

  • 2.  RE: Captive portal redirect cert error due to strict checking
    Best Answer

    EMPLOYEE
    Posted Oct 29, 2016 07:38 AM
    Unfortunately it's an industry-wide problem.

    Device makers need to step up here. Windows 10 should pop up the default browser and attempt to hit an http site which works great. Most newer Android devices have a captive portal browser.


  • 3.  RE: Captive portal redirect cert error due to strict checking

    Posted Oct 29, 2016 04:41 PM

    Thanks for the feedback Cappalli, I kinda guess I knew the answer already but I was hoping I was wrong.

    We also tried enabling http redirection and this does fix the cert errors for some clients. However, most clients are still getting the error, which makes sense of course. From a technical/security perspective, the error is a good thing; however, in reality it is rather annoying.

    It is as you say though, device makers should step up. We are nearing 2017 and there still isn't a global fix for this rather simple problem. If Microsoft, for example, would make something similar to captive network assist, the problem would be fixed for 95% of the end users.

  • 4.  RE: Captive portal redirect cert error due to strict checking

    EMPLOYEE
    Posted Oct 29, 2016 04:54 PM
    Captive portal specific browsers are not ideal. Apple's has many limitations. The way Windows 10 is handling this is likely the best way going forward.


  • 5.  RE: Captive portal redirect cert error due to strict checking

    EMPLOYEE
    Posted Oct 31, 2016 05:02 AM

    You can also check this blog post: http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921

    One of the suggestions is to remove the redirect for HTTPS, which might be what you described (or not). That will at least stop the certificate warnings for other devices than Windows 10 and applications running in the background.



  • 6.  RE: Captive portal redirect cert error due to strict checking

    Posted Nov 02, 2016 04:00 AM

    The blog post explains the problem quite well; however, the workaround suggestions are pretty terrible. I guess we'll just have to deal with the certificate errors.

    The author did speak about a new standard which is in the works, RFC 7710. This seems like a very interesting solution but it will probably take a couple of years before being available.

  • 7.  RE: Captive portal redirect cert error due to strict checking

    Posted May 11, 2017 05:44 AM

    Hi,

    We are currently experiencing this problem in our installation. Old Android OS phones need to follow certain steps to be able to view the captive portal page.

    I created a user guide for these users. Please see the attached guide for reference.

    The end users are always telling the IT staff that they cannot connect to the wireless network because of the said error.

    Is there a solution to solve this problem?

    We are running ClearPass Policy Manager 6.6.0.81015

    The wireless network consists of a 7205 mobility controller and AP-315 access point.

    I would upload more reference images for your reference.

    BR,

    Carlo

    Attachment(s): Android User Login Guide.pdf (247 KB)


  • 8.  RE: Captive portal redirect cert error due to strict checking

    EMPLOYEE
    Posted May 11, 2017 06:33 AM
    Do you have a public CA-signed certificate on the controller for captive portal?


  • 9.  RE: Captive portal redirect cert error due to strict checking

    Posted May 11, 2017 10:07 PM

    Thank you for the quick response. Based on my knowledge, we haven't placed any CA certificate in the controller. In their existing wireless network, when we tried connecting, no steps are done to be able to access the captive portal. Is there a chance we could copy that certificate, if there's any, in the old controller to the new Aruba controller?

    The existing controller is an HP ProCurve MSM737 controller.

  • 10.  RE: Captive portal redirect cert error due to strict checking

    EMPLOYEE
    Posted May 11, 2017 10:24 PM
    If it’s publicly signed, you could try and get it off that controller. If not, you’ll need to acquire a public CA signed certificate for the new controller.


  • 11.  RE: Captive portal redirect cert error due to strict checking

    Posted May 12, 2017 05:16 AM

    Hi,

    Could you provide a site where we could apply for the said certificate? We have already generated a CSR file; all we need is the certifying body to approve it.



  • 12.  RE: Captive portal redirect cert error due to strict checking

    EMPLOYEE
    Posted May 12, 2017 07:18 AM
    Use your preferred public CA.
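
Added example, not part of any post in this thread: the name check behind the error described in the first post, and why the public CA-signed certificate discussed in the last posts covers only the connection to the portal's own hostname. `portal.example.net`, `www.example.org` and all function names are constructed for illustration.

```python
# Constructed names throughout; portal.example.net stands in for the
# ClearPass / controller captive-portal hostname.
PORTAL_HOST = "portal.example.net"
PORTAL_SANS = ["portal.example.net"]  # dNSName entries in the portal cert


def san_matches(pattern, host):
    """Compare one certificate dNSName with the hostname the browser asked for."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or p[1:] != h[1:]:
        return False              # a wildcard covers exactly one label
    if p[0] == "*":
        return len(p) >= 3        # "*.tld" is not accepted
    return p[0] == h[0]


def handshake_problems(requested_host, presented_sans, chain_trusted):
    """List what a strict client objects to; an empty list means no warning."""
    problems = []
    if not any(san_matches(s, requested_host) for s in presented_sans):
        problems.append("name-mismatch")   # err_cert_common_name_invalid
    if not chain_trusted:
        problems.append("untrusted-issuer")
    return problems


def guest_flow(first_scheme, first_host, portal_cert_public):
    """Walk a guest's first request through the captive-portal redirect.

    https: the portal answers the TLS handshake that was meant for
           first_host, so its certificate is checked against first_host.
    http:  the portal returns a redirect; the browser then opens a new
           connection to the portal's own name and checks against that.
    """
    if first_scheme == "https":
        return handshake_problems(first_host, PORTAL_SANS, portal_cert_public)
    return handshake_problems(PORTAL_HOST, PORTAL_SANS, portal_cert_public)


if __name__ == "__main__":
    for scheme in ("https", "http"):
        for public in (True, False):
            print(scheme, "public-CA" if public else "self-signed",
                  guest_flow(scheme, "www.example.org", public) or "no warning")
```

With a public CA-signed portal certificate the plain-HTTP start produces no warning, while the HTTPS start still reports the name mismatch, because no certificate issued for the portal can carry the name of the site the guest asked for.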