Contributor I

External Captive Portal with public controller certificate

Hi:

If I load a valid public certificate on a controller, will it intercept DNS requests for that address and return its own IP?

(or does it only do that for securelogin.arubanetworks.com?)

I'm trying to set up a Clearpass captive portal.

The user redirects properly to a Clearpass login page.

In the Clearpass Guest login page setup I set the posting address to the name of the certificate on the controller.

On the controller, that public certificate is set as the Captive Portal Certificate.

But when logging in, the user gets a DNS failure message.

I'm guessing I could put an entry in my local DNS server for the controller's name, but I'd rather avoid that if I can.

Should the controller intercept this, or is there something else I need to do?

Thanks.

Guru Elite

Re: External Captive Portal with public controller certificate

The controller will answer for the FQDN defined as the common name of the captive portal certificate. Do not create an entry in DNS.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Guru Elite

Re: External Captive Portal with public controller certificate

The controller will always intercept DNS requests for the FQDN on the controller's web server certificate. If you haven't, please take a look at the document here: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

The question is, have you uploaded the certificate on the controller and selected that for use in the Captive Portal?

Configuration > Management > General > Captive Portal Certificate.

You would use the "show datapath fqdn" command to confirm what the FQDN of the controller is: http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-know-the-common-name-of-the-certificate-that-is-mapped-in/ta-p/290920


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Contributor I

Re: External Captive Portal with public controller certificate

Thank you, both Tim and Colin.

"show datapath fqdn" is a great command to know about!

Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com.

I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

Now the CLI command shows the name of the new name, and the user authenticates correctly.

Thanks.

Occasional Contributor I

Re: External Captive Portal with public controller certificate

Hi Zeke,

I had the exact same problem:

"Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com."

"I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

Now the CLI command shows the name of the new name, and the user authenticates correctly."

Even after I have reapplied at the GUI, a week later it dropped off again, which meant I had to repeat the process.

This is extremely frustrating.

Paul

Frequent Contributor I

Re: External Captive Portal with public controller certificate

Hi Paul,

Did you get this resolved? What version are you using?

Looks like I encountered the same issue on the project I'm on now. AOS 8.5.0.3

Thanks for letting me know,

Edit: I have to use a wildcard certificate on the controller but captiveportal-login.domain is no longer resolved to the controller either.

Erik

ACMX#1245, ACDX#968, ACCP, ACSP
Frequent Contributor I

Re: External Captive Portal with public controller certificate

Just found out. It's no longer captiveportal-login.domain but just domain in 8.5.0.3; maybe in earlier versions too.

rgds

Erik

ACMX#1245, ACDX#968, ACCP, ACSP