Contributor I

External Captive Portal with public controller certificate

Hi:

If I load a valid public certificate on a controller, will it intercept DNS requests for that address and return its own IP?

(or does it only do that for securelogin.arubanetworks.com?)

 

I'm trying to set up a Clearpass captive portal.

The user redirects properly to a Clearpass login page.

In the Clearpass Guest login page setup I set the posting address to the name of the certificate on the controller.

On the controller, that public certificate is set as the Captive Portal Certificate.

 

But when logging in, the user gets a DNS failure message.

 

I'm guessing I could put an entry in my local DNS server for the controller's name, but I'd rather avoid that if I can.

 

Should the controller intercept this, or is there something else I need to do?

 

Thanks.

 


Accepted Solutions
Moderator

Re: External Captive Portal with public controller certificate

The controller will answer for the FQDN defined as the common name of the captive portal certificate. Do not create an entry in DNS.



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Guru Elite

Re: External Captive Portal with public controller certificate

The controller will always intercept DNS requests for the FQDN on the controller's web server certificate. If you haven't, please take a look at the document here: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

 

The question is, have you uploaded the certificate on the controller and selected that for use in the Captive Portal?

 

Configuration> Management> General> Captive Portal Certificate.

 

You would use the "show datapath fqdn" command to confirm what the FQDN of the controller is: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-know-the-common-name-of-the-certificate-that-is-mapped-in/ta-p/290920


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*


All Replies
Contributor I

Re: External Captive Portal with public controller certificate

Thank you, both Tim and Colin.

"show datapath fqdn" is a great command to know about!

 

Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com.

 

I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

Now the CLI command shows the name of the new name, and the user authenticates correctly.

 

Thanks.

Occasional Contributor II

Re: External Captive Portal with public controller certificate

Hi Zeke,

I had the exact same problem:

"Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com."

"I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

Now the CLI command shows the name of the new name, and the user authenticates correctly."

 

Even after I had reapplied it in the GUI, a week later it dropped off again, which meant I had to repeat the process.

This is extremely frustrating.

Paul

 

Frequent Contributor I

Re: External Captive Portal with public controller certificate

Hi Paul,

 

Did you get this resolved? What version are you using?

 

Looks like I encountered the same issue on the project I'm on now. AOS 8.5.0.3

 

Thanks for letting me know,

 

edit: I have to use a wildcard certificate on the controller but captiveportal-login.domain is no longer resolved to the controller either.

 

Erik

ACMX#1245, ACDX#968, ACCP, ACSP
Frequent Contributor I

Re: External Captive Portal with public controller certificate

Just found out. It's no longer captiveportal-login.domain but just domain in 8.5.0.3; maybe in earlier versions too.

 

rgds

Erik

ACMX#1245, ACDX#968, ACCP, ACSP
Frequent Contributor I

Re: External Captive Portal with public controller certificate

Need to correct above. The provided "wildcard" certificate actually wasn't a wildcard certificate but a certificate with domain as CN and 2 different *.domain in the SAN field. 

 

So instead of using captive-portal.domain I had to use domain in the NAS fields

ACMX#1245, ACDX#968, ACCP, ACSP
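
Added example, not part of any post in this thread and not Aruba code: a pre-flight check that compares the hostname configured as the ClearPass posting address with the certificate's CN and SAN entries, covering the CN-plus-wildcard-SAN case from the last post. It assumes, from the thread, that the controller answers DNS only for the CN and that a true wildcard CN maps to captiveportal-login.domain; the function names and example.com values are constructed.

```python
# Added example: models the behaviour described in the thread, not Aruba code.
# Assumption (from the thread): the controller answers DNS only for the
# certificate CN; for a true wildcard CN ("*.domain") the name it answers
# for is "captiveportal-login.domain".

def controller_fqdn(cn: str) -> str:
    """Name the controller is expected to answer DNS for, given the cert CN."""
    cn = cn.strip().lower().rstrip(".")
    if cn.startswith("*."):
        return "captiveportal-login." + cn[2:]
    return cn

def name_matches(pattern: str, host: str) -> bool:
    """TLS-style name match: '*' covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:] and h[0] != ""
    return p == h

def check_post_host(cn: str, sans: list, post_host: str) -> dict:
    """Check the guest-login posting hostname against the certificate names."""
    host = post_host.strip().lower().rstrip(".")
    fqdn = controller_fqdn(cn)
    # Clients validate against the SAN list and ignore the CN when SANs exist.
    names = sans if sans else [cn]
    result = {
        "controller_fqdn": fqdn,
        "dns_intercepted": host == fqdn,  # otherwise the client sees a DNS failure
        "tls_name_ok": any(name_matches(n, host) for n in names),
    }
    result["ok"] = result["dns_intercepted"] and result["tls_name_ok"]
    return result

if __name__ == "__main__":
    # Constructed values shaped like the last post: CN is the bare domain,
    # wildcards appear only in the SAN field.
    cn, sans = "example.com", ["example.com", "*.example.com"]
    for host in ("captive-portal.example.com", "example.com"):
        print(host, check_post_host(cn, sans, host))
```

The CN and SAN values are the ones read from the certificate selected as the Captive Portal Certificate; "show datapath fqdn" on the controller remains the authoritative check of the name actually in use.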