Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass with public IP on MNGMT Port

  • 1.  ClearPass with public IP on MNGMT Port

    Posted May 28, 2017 02:51 AM

    Hello community,

    I have an already working setup of an Aruba controller 3600 using the Guest module of ClearPass.

    This has been working for the last few years without any issues, but we would now like to publish a public IP for ClearPass in order for it to have a trusted certificate and avoid warnings while users try to connect.

    I have checked the system tab under server configuration but I only see one space for IP server. The new public IP will be used for data and mngmt.

    Is it possible to change this without interrupting the service?

    How should I proceed to minimize the effect of this change?

    Thank you in advance!



  • 2.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted May 28, 2017 10:28 AM
    You do not need a public IP to have a public CA-signed certificate.


  • 3.  RE: ClearPass with public IP on MNGMT Port

    Posted May 29, 2017 02:44 AM

    Hi cappalli,

    I've been checking lately for an SSL certification, and one thing in common they told me is that it can only be used on a domain, for which I require a public IP.

    Could you please advise how I can proceed then? I need to avoid those warnings when captive portals pop up.

    Thanks



  • 4.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted May 29, 2017 05:23 AM

    Hi Rodrigo,

    You need to first create a CSR file, get it signed by an external Certificate Authority, and install that certificate on ClearPass to prevent users getting certificate warning messages while accessing the portal page.

    [Attached image: Capture.PNG]

    Regards,

    Pavan



  • 5.  RE: ClearPass with public IP on MNGMT Port

    Posted May 29, 2017 09:28 AM

    You need to have a public SSL certificate. I always use openssl to generate the CSR (certificate signing request), which you need to get signed by a public CA (certificate authority). You can use my blog post to generate the certificate via openssl. I always use openssl and do not generate the CSR directly on ClearPass or another server. The advantage of openssl is that you always have a full backup, including the private key, of the certificate and you can easily change the format of the certificate from PEM to PFX to DER to whatever.


    I would suggest you configure an IP address on the management interface for all internal communication and next you configure an IP address on the data interface, which you place in a DMZ network. On your firewall you can configure a NAT mapping to translate a public IP address to the private DMZ IP address of the ClearPass data interface. You can use the firewall to restrict access to the data interface, so only HTTPS is allowed to the specific IP address.



  • 6.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted May 29, 2017 09:47 AM
    You do not need a public IP. Unless you have specific security requirements, just use the management port for all traffic.


  • 7.  RE: ClearPass with public IP on MNGMT Port

    Posted May 29, 2017 02:22 PM

    The SSL companies will want to validate your domain (using WHOIS is the fastest method). They will send an e-mail to the e-mail address related to the WHOIS info of the domain. 

    Say your public domain is labme.com and your CPPM server is offline but still has a DNS entry (common name) cppm.labme.com, you can issue it a public cert without problems.



  • 8.  RE: ClearPass with public IP on MNGMT Port

    Posted May 30, 2017 08:45 AM
    Can you expand on the reason you are trying to use a public IP?




  • 9.  RE: ClearPass with public IP on MNGMT Port

    Posted Jun 11, 2017 03:56 AM

    Thank you to everyone for the replies, and sorry for the delay. I have been busy with other projects.

    Actually, I don't want a public IP; it requires changing my setup and I prefer to change as little as possible on the setup. What I want is to have an SSL certificate on my CPPM to certify the server.

    My clients connect from remote locations to RAPs; the RAPs place the clients in the VLAN where my CPPM without public access is, but we always have the warning of trusted server.

    If you can give me the steps to have an SSL certificate, from the CSR generation up to the installation and any other required setup, I would appreciate it.

    Thanks



  • 10.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted Jun 11, 2017 09:15 PM

    Can you please explain the warning a bit more (or provide a screenshot)?



  • 11.  RE: ClearPass with public IP on MNGMT Port

    Posted Jun 12, 2017 02:49 AM

    @cappalli wrote:

    Can you please explain the warning a bit more (or provide a screenshot)?


    Hi cappalli,

    The users connect to an open SSID that uses ClearPass as AAA. Before auth they do not have access to anything more than the controller and CPPM.

    Now, to authenticate, they can have an automatically opened login page, depending on the device (mostly the latest Android), or they have to use a browser to prompt the login page, in which case they mostly face the warning below.

    [Attached image: 20170612_104111.jpg]



  • 12.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted Jun 12, 2017 08:26 AM

    Do you get a certificate error when you navigate to a non-HTTPS site like ebay.com?



  • 13.  RE: ClearPass with public IP on MNGMT Port

    Posted Jun 13, 2017 02:04 AM

    @cappalli wrote:

    Do you get a certificate error when you navigate to a non-HTTPS site like ebay.com?


    No, it only happens when the login page interrupts an HTTPS site.



  • 14.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted Jun 13, 2017 02:06 AM
    That’s normal.


  • 15.  RE: ClearPass with public IP on MNGMT Port

    Posted Jun 13, 2017 02:10 AM

    But is there a way to avoid it?

    I have clients who are not really good with technology and this prevents them from using my service.

    Will an SSL be able to solve this? I have seen WiFi hotspots like McDonald's or Starbucks and they do not have these issues.

    Thanks



  • 16.  RE: ClearPass with public IP on MNGMT Port

    Posted Jun 13, 2017 11:22 AM


  • 17.  RE: ClearPass with public IP on MNGMT Port

    Posted Jun 18, 2017 04:22 AM

    @Overclock wrote:

    Were you using the same browser and same version? It should do the cert warning too (unless a new feature is out and I'm not aware).

    More details:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/118826-config-https-webauth-00.html

    http://community.arubanetworks.com/t5/Technology-Blog/Captive-Portal-why-do-I-get-those-certificate-warnings/ba-p/268921


    Hi Overclock,

    I have noticed newer versions of Android have an in-built feature that recognizes captive portal functionality. When the device has this, no warning appears, as no interruption happens for the client.

    Still, for older devices I do not have a solution.

    Thanks



  • 18.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted Jun 18, 2017 11:27 AM

    Your only option is to redirect only HTTP traffic, but this suffers from UX issues as well.



  • 19.  RE: ClearPass with public IP on MNGMT Port

    EMPLOYEE
    Posted Jun 13, 2017 11:28 AM

    No. You're intercepting an SSL session. The browser is doing exactly what it is supposed to.
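
The CSR-to-certificate steps from replies 4, 5 and 7, and the name check behind the warning discussed in replies 12 to 19, as an added example that is not part of any post or of ClearPass itself. It assumes the sample name cppm.labme.com from reply 7, hypothetical file names and a PFX_PASS variable, and uses a local self-signature as a stand-in for the public CA so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread). cppm.labme.com is the sample name used
# in reply 7; file names and PFX_PASS are assumptions.
set -eu
FQDN="cppm.labme.com"

make_csr() {  # $1 = working directory; the private key stays on this machine
  cat > "$1/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $FQDN
[ext]
subjectAltName = DNS:$FQDN
EOF
  openssl req -new -newkey rsa:2048 -nodes -config "$1/req.cnf" \
    -keyout "$1/cppm.key" -out "$1/cppm.csr" 2>/dev/null
  chmod 600 "$1/cppm.key"
}

stand_in_sign() {  # self-signing stands in for the public CA's signature
  openssl x509 -req -in "$1/cppm.csr" -signkey "$1/cppm.key" -days 30 \
    -extfile "$1/req.cnf" -extensions ext -out "$1/cppm.crt" 2>/dev/null
}

key_matches_cert() {  # run before importing: same public key in both files?
  [ "$(openssl x509 -in "$1/cppm.crt" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$1/cppm.key" -pubout | openssl sha256)" ]
}

to_pfx() {  # PEM -> PKCS#12 bundle; passphrase is read from $PFX_PASS
  openssl pkcs12 -export -inkey "$1/cppm.key" -in "$1/cppm.crt" \
    -out "$1/cppm.pfx" -passout env:PFX_PASS
}

host_matches() {  # $2 = the name the browser asked for
  case "$(openssl x509 -in "$1/cppm.crt" -noout -checkhost "$2")" in
    *"does match"*) return 0 ;;
    *) return 1 ;;
  esac
}

WORK="$(mktemp -d)"
make_csr "$WORK"; stand_in_sign "$WORK"
key_matches_cert "$WORK" && echo "key and certificate belong together"
host_matches "$WORK" "$FQDN" && echo "$FQDN: name matches the certificate"
host_matches "$WORK" ebay.com || echo "ebay.com: name mismatch, browser warns"
```

In practice only cppm.csr is sent to the CA. The last two lines show why a certificate that is valid for the portal name still produces a warning when the portal answers in place of another HTTPS site.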