Security

Hi:

If I load a valid public certificate on a controller, will it intercept DNS request for that address and return its own IP?

(or does it only do that for securelogin.arubanetworks.com?)

I'm trying to setup a Clearpass captive portal.

The user redirects properly to a Clearpass login page.

In the Clearpass Guest login page setup I set the posting address to the name of the certificate on the controller.

On the controller, that public certificate is set as the Captive Portal Certificate.

But when logging in, the user gets a DNS failure message.

I'm guessing I could put an entry in my local DNS server for the controllers' name, but I'd rather avoid that if I can.

Should the controller intercept this, or is there something else I need to do?

Thanks.

The controller will answer for the FQDN defined as the common name of the captive portal certificate. Do not create an entry in DNS.

The controller will always intercept DNS requests for the fqdn on the controller's web server certificate.   If you haven't please take a look at the document here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-does-Aruba-Controller-work-with-wild-card-certificate-for/ta-p/203199

The question is, have you uploaded the certificate on the controller and selected that for use in the Captive Portal?

Configuration> Management> General> Captive Portal Certificate.

You would use the "show datapath fqdn" command to confirm what the fqdn of the controller is:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-know-the-common-name-of-the-certificate-that-is-mapped-in/ta-p/290920

Thank you, both Tim and Colin.

"show datapath fqdn" is a great command to know about!

Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com.

I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

Now the CLI command shows the name of the new name, and the user authenticates correctly.

Thanks.

Hi Zeke,

I had the exact same problem 

"Even though the GUI showed the new, correct certificate for Captive Portal, 'show datapath fqdn' output showed securelogin.arubanetworks.com."

"I set the Captive Portal Certificate to default, hit apply, then set it back to the new cert, and hit apply.

Now the CLI command shows the name of the new name, and the user authenticates correctly."

Even after i have reapplied at the GUI a week later it dropped off again.Which meant I had to repeat the process

This is extremely frustrating.

Paul

Hi Paul,

did you get this resolved? What version are you using?

Looks like I encountered the same issue on the project I'm on now. AOS 8.5.0.3

thanks for letting me know,

edit: I have to use a wildcard certificate on the controller but captiveportal-login.domain is no longer resolved to the controller either.

Erik

just found out.It's no longer captiveportal-login.domain but just domain in 8.5.0.3; maybe in earlier versions too.

rgds

Erik

Need to correct above. The provided "wildcard" certificate actually wasn't a wildcard certificate but a certificate with domain as CN and 2 different *.domain in the SAN field. 

So instead of using captive-portal.domain I had to use domain in the NAS fields