Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass guest in the DMZ

  • 1.  Clearpass guest in the DMZ

    Posted May 04, 2020 12:28 PM

    Hello all, we are setting up a new CPPM guest setup. We have our CPPM VM in our DMZ with a data port in a DMZ subnet and our management port on the internal network subnet. We currently have 2 7240 MCs with our guest SSID internally. I have it working that when a user connects to our guest network it does bring them to the guest login page. They put in their email and it gives them a password etc. They log in and it brings me to "Please wait while connected to the network". After that the page times out and I have no RADIUS requests at all in Access Tracker. Any ideas as to why this is happening? Thanks in advance for everyone's help.



  • 2.  RE: Clearpass guest in the DMZ

    MVP GURU
    Posted May 04, 2020 12:45 PM

    Do you have a valid public or valid trusted certificate installed on the controller for the weblogin?




  • 3.  RE: Clearpass guest in the DMZ

    Posted May 04, 2020 12:57 PM

    Hey Dustin,

    I do have a valid public IP for the data port of my clearpass server and an external DNS record for it.  Thank you for your help!



  • 4.  RE: Clearpass guest in the DMZ

    MVP GURU
    Posted May 04, 2020 12:58 PM

    I was asking if you had a public certificate signed and issued to the aruba controllers, and do you have it assigned for weblogins?




  • 5.  RE: Clearpass guest in the DMZ

    Posted May 04, 2020 01:02 PM

    My fault!  I do not have any type of public cert on the controller as of yet.  Is that something that needs to be done before it will work?



  • 6.  RE: Clearpass guest in the DMZ

    MVP GURU
    Posted May 04, 2020 01:06 PM

    If the device doesn't trust the certificate presented when the user submits the login information, you won't see the login hit Clearpass. You could test by manually trusting the certificate from the controller and see if it works. What kinds of devices are you testing with? Do all of them fail at login?




  • 7.  RE: Clearpass guest in the DMZ

    Posted May 04, 2020 02:45 PM

    How would I manually trust the cert? Just an iPhone, Mac PC and some laptops.



  • 8.  RE: Clearpass guest in the DMZ

    MVP GURU
    Posted May 04, 2020 02:52 PM

    Like ayman says above, you will want to get a public certificate signed by a trusted CA like Entrust. This way any guest coming into the wireless network can validate it against a trusted root. This is best practice, and a lot of device manufacturers are now implementing more strict security methods to protect users, Apple being one of them.




  • 9.  RE: Clearpass guest in the DMZ

    EMPLOYEE
    Posted May 04, 2020 01:27 PM

    Hi Kpomer1,


    Yes, you need a trusted certificate for the controller to deploy it in a secure manner.

    As shown below, the device will post back to the controller in Step 6.

    [image: ayman_mukaddam_1-1588612694741.png]

    The address where it should post back is specified in the ClearPass Guest page. By default, it is securelogin.arubanetworks.com, and the controller already has an "untrusted" certificate for this. By default, we use HTTPS for the post-back (Use Vendor Default).

    [image: ayman_mukaddam_0-1588612624851.png]

    You will need to install a trusted certificate on the controller, and update your ClearPass guest page. You need to change the "securelogin.arubanetworks.com" to match the common name for the certificate that you installed on your controller. So if you have a certificate for guest.example.com, then set the same on Clearpass.

    If you installed a wildcard certificate on your controller for *.example.com, then set captiveportal-login.example.com on ClearPass.
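The post above comes down to one check: will the guest device accept the controller's certificate for the hostname it is told to post back to? The following Python is an added example, not ClearPass or ArubaOS code. It reproduces the RFC 6125 name-matching rules that browsers and mobile operating systems apply (wildcard only in the left-most label, covering exactly one label, SANs preferred over the CN), so an administrator can confirm in advance that a certificate for *.example.com fits captiveportal-login.example.com but not the default securelogin.arubanetworks.com. The certificate names and URLs below are constructed for the scenario in this thread; the function and class names are the example's own.

```python
"""Does a controller certificate cover the captive-portal post-back host?

Added example, not ClearPass or ArubaOS code. It mirrors the hostname
matching a guest device performs when it posts credentials back to the
controller over HTTPS. Certificate names and URLs below are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class CertNames:
    """Names taken from a certificate: the subject CN and the DNS SANs."""
    common_name: str
    dns_sans: tuple = ()


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against a hostname.

    Rules (RFC 6125, as browsers enforce them):
      * comparison is case-insensitive and ignores a trailing dot
      * a wildcard must be the entire left-most label ("*.example.com")
      * it matches exactly one label: "*.example.com" covers
        "guest.example.com" but not "example.com" or "a.b.example.com"
      * at least two labels must follow the wildcard, so "*.com" is rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_host(names: CertNames, hostname: str) -> bool:
    """True if a client validating `hostname` would accept this certificate.

    Modern clients only consult DNS SANs; the CN is used only when the
    certificate carries no DNS SAN at all.
    """
    candidates = names.dns_sans if names.dns_sans else (names.common_name,)
    return any(name_matches(c, hostname) for c in candidates)


def check_postback(names: CertNames, postback_url: str) -> dict:
    """Evaluate the post-back URL configured on the ClearPass Guest page:
    is it HTTPS, and does the controller certificate cover its host?"""
    parsed = urlparse(postback_url)
    host = parsed.hostname or ""
    return {
        "host": host,
        "https": parsed.scheme == "https",
        "name_match": cert_covers_host(names, host),
    }


# Constructed scenario: the admin installs a public wildcard certificate
# for *.example.com on the controller, but the Guest page still points at
# the vendor default securelogin.arubanetworks.com. Paths are omitted.
WILDCARD_CERT = CertNames(common_name="*.example.com", dns_sans=("*.example.com",))
DEFAULT_POSTBACK = "https://securelogin.arubanetworks.com/"
FIXED_POSTBACK = "https://captiveportal-login.example.com/"

if __name__ == "__main__":
    for url in (DEFAULT_POSTBACK, FIXED_POSTBACK):
        print(url, "->", check_postback(WILDCARD_CERT, url))
```

A `name_match` of False against the default post-back URL is exactly the symptom described in the first post: the device refuses the TLS connection to the controller, the credentials never reach it, and ClearPass never sees a RADIUS request. Whether the certificate's issuing chain is itself trusted by the device is a separate check that this matching logic does not perform.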