Frequent Contributor I

Clearpass https certificate SAN

Hi,

 

I have the following on my Aruba controller:

login-page "https://192.168.203.30/guest/guest.php"

Whenever a user connects, his browser gets a warning in IE or Chrome because the Clearpass server https certificate has CN=wifi-003 instead of 192.168.203.30. It is possible to continue, but not a nice setup.

 

The logical solution would be to create a self-signed certificate, register the name in DNS.

Here comes the problem... The certificate signing server is in a domain, which is not externally available. So let's assume it's in domain contosa.com. This domain is only available internally.

So I could create a self-signed certificate wifi-003.contosa.com, change the login-page to:

login-page "https://wifi-003.contosa.com/guest/guest.php"

but nobody could resolve it since the guest network only has Google's DNS servers for resolving.

I do not have any detail on what a browser verifies, but I assume creating a self-signed certificate on the certificate server in domain contosa.com with CN=wifi-003.contosanew.com also would not work?

 

I noticed however the SAN option in the CSR is available in Clearpass.  Can this one be used to specify a FQDN which we do own?  And then specify that FQDN in the login-page?  

Guru Elite

Re: Clearpass https certificate SAN

Pnobels,

 

There are two requirements for the message not to show up:

1 - The Client Trusts the Certificate or the CA that issued the certificate

2 - The SAN matches the redirect address

For #1, you need a public certificate. For #2, you need a cert with a proper SAN fqdn. Unfortunately, public CAs only issue public certificates for domains that you own publicly, so you must own the domain to get a public fqdn certificate for it. Please see "CA changes for Internal FQDN’s and RFC1918" in the Certificates 101 Technote here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=19184

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
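
The name-match requirement (#2) from the reply above, as an added example that is not part of the original thread: a Python check of a login-page URL against a certificate in the dict layout returned by `ssl.SSLSocket.getpeercert()`. The certificate dicts are constructed samples and `guest.example.com` is a placeholder for an FQDN in a publicly owned domain; trust in the issuing CA (#1) is not checked here.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed samples in the ssl.SSLSocket.getpeercert() dict layout.
CN_ONLY_CERT = {"subject": ((("commonName", "wifi-003"),),)}
# guest.example.com is a placeholder for an FQDN in a publicly owned domain.
FQDN_CERT = {
    "subject": ((("commonName", "guest.example.com"),),),
    "subjectAltName": (("DNS", "guest.example.com"),),
}


def san_matches(login_page_url, cert):
    """True if a SAN entry in `cert` covers the host in the login-page URL."""
    host = urlsplit(login_page_url).hostname or ""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URL: only an "IP Address" SAN entry can match.
        return any(kind == "IP Address" and ipaddress.ip_address(value.strip()) == ip
                   for kind, value in sans)
    host = host.rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pattern = value.rstrip(".").lower()
        if pattern == host:
            return True
        # "*.example.com" covers exactly one left-most label.
        if pattern.startswith("*.") and host.partition(".")[2] == pattern[2:]:
            return True
    return False


if __name__ == "__main__":
    for url, cert in [
        ("https://192.168.203.30/guest/guest.php", CN_ONLY_CERT),
        ("https://192.168.203.30/guest/guest.php", FQDN_CERT),
        ("https://guest.example.com/guest/guest.php", FQDN_CERT),
    ]:
        print(url, "->", "match" if san_matches(url, cert) else "name mismatch warning")
```
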
Guru Elite

Re: Clearpass https certificate SAN

For the DNS issue, you have two options:

- Add ClearPass IP to public DNS

- Utilize the DNS proxy feature of your upstream router


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.