Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Landing Page Redirect - Switch IP

  • 1.  ClearPass Landing Page Redirect - Switch IP

    MVP
    Posted May 12, 2017 09:54 AM

    I'm working with a customer who has APs split between their controllers. We are doing HTTPS login after registration and have a valid cert on both controllers. Problem is, we don't know which controller to submit to. I want to set up a landing page that keys off of the switch IP in the redirect to send them to registration pages that have NAS login to their respective controllers. Any chance someone has the code available to do this or knows what I need to write up?

    Thanks.



  • 2.  RE: ClearPass Landing Page Redirect - Switch IP

    Posted May 12, 2017 09:59 AM
    Are you using different certs for the captive portal on each controller?


  • 3.  RE: ClearPass Landing Page Redirect - Switch IP

    EMPLOYEE
    Posted May 12, 2017 10:01 AM
    You should not need to do this if you’re using the same captive portal certificates on each controller (which is recommended).


  • 4.  RE: ClearPass Landing Page Redirect - Switch IP

    MVP
    Posted May 12, 2017 10:13 AM

    But don't we have to submit it back to a DNS name? The certs on the controllers are wildcard, but the DNS entries are different.



  • 5.  RE: ClearPass Landing Page Redirect - Switch IP

    EMPLOYEE
    Posted May 12, 2017 10:28 AM
    No, the controller intercepts the request for the common name. You don’t need DNS entries for controllers for captive portal flows.


  • 6.  RE: ClearPass Landing Page Redirect - Switch IP

    MVP
    Posted May 12, 2017 10:45 AM

    Ok, so what would I use in the nas-login address then, just leave it securelogin.arubanetworks.com and it will find its way back to the controller?



  • 7.  RE: ClearPass Landing Page Redirect - Switch IP

    Posted May 12, 2017 10:50 AM
    Just load the same cert for the captive portal on each controller and then use that name (securelogin.acme.com) in the ClearPass Guest page.

    But if you don't want to do that then you will need to do the following:

    * Create two user roles
    * Create two captive portal profiles each pointing to a different captive portal page in ClearPass
    * And in ClearPass you will need to create a policy that sends the user role based on the NAS-IP


  • 8.  RE: ClearPass Landing Page Redirect - Switch IP

    EMPLOYEE
    Posted May 12, 2017 10:51 AM
    You need to use the common name of your public CA-signed certificate. You cannot use securelogin.arubanetworks.com.


  • 9.  RE: ClearPass Landing Page Redirect - Switch IP
    Best Answer

    EMPLOYEE
    Posted May 15, 2017 03:13 AM

    In the case of a wildcard certificate, you should use captiveportal-login.<suffix of your wildcard>:

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

    And as mentioned elsewhere, there is no need to put that name in DNS anywhere, as the controller will intercept the DNS request and respond with the correct IP for the controller. For that same reason, you can put the same certificate on all your controllers.



  • 10.  RE: ClearPass Landing Page Redirect - Switch IP

    MVP
    Posted May 15, 2017 11:35 AM

    That worked perfectly. Thank you all for your help and insight into this.