Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Network Redirection to portal fails

  • 1.  Guest Network Redirection to portal fails

    Posted Jan 02, 2020 02:31 PM

    Hi

    I inherited a network which has a virtual controller and two different antennas; by clarifying this, I mean that I really have no idea which model the access points are.

    The problem is regarding the guest network.

    Whenever I connect to the network and get routed to the guest portal, it says that the page cannot be found. If I try to browse any other website, I get a certificate error and no option to continue to the sites.

    I'm guessing this has something to do with HTTPS redirection but cannot find the clue.

    Here are some screens of the configuration.



  • 2.  RE: Guest Network Redirection to portal fails

    Posted Jan 02, 2020 02:37 PM

    Hi,

    Are you using IAP for this?

    And did you see if the AP is provisioned properly?



  • 3.  RE: Guest Network Redirection to portal fails

    Posted Jan 02, 2020 03:03 PM

    Hi, thanks for answering

    I don't know what IAP is.

    Additionally, the AP is working fine if that is what you mean



  • 4.  RE: Guest Network Redirection to portal fails

    Posted Jan 03, 2020 10:29 AM

    Sorry, any thoughts?



  • 5.  RE: Guest Network Redirection to portal fails

    EMPLOYEE
    Posted Jan 03, 2020 11:47 AM

    We need to make sure the IAP has a valid CA-signed certificate; we generally see HTTPS errors during redirection if the IAP does not have a valid certificate.



  • 6.  RE: Guest Network Redirection to portal fails

    Posted Jan 03, 2020 11:55 AM

    Hi, ok so you are saying the only way to get the captive portal working is to install a CA Certificate for the HTTPS protocol and there is no way to bypass that?

    By IAP you mean an access point that's not controlled by a controller? Mine are controlled by a controller.

    Can you provide me a link with instructions on how to do that?

    Thank you so much!



  • 7.  RE: Guest Network Redirection to portal fails

    MVP EXPERT
    Posted Jan 04, 2020 03:21 AM

    For captive-portal to work, your controller needs an IP address for the VLAN that is bound to the SSID of the captive portal.

    For example:

    When the SSID Guest makes use of VLAN 10, then VLAN 10 needs an IP address on the controller (or both controllers) to reach the captive portal. The connection between this IP and the captive-portal IP must be whitelisted in your firewall.

    Other things to check:

    • Be sure which initial user-role will be used and whether it redirects to the captive portal URL (you say the redirect happens but with a 404 error, so most likely this works correctly and you are missing the IP settings as mentioned before). The initial role could be "guest-logon role" or something else you configured.
    • Be sure you installed a captive-portal certificate on the controller that is accepted by the captive-portal page after submitting the POST form on the captive portal (if the certificate is incorrect, the captive portal keeps bouncing around when you click the form POST). Not to be confused with the HTTPS certificate of the captive portal itself (installed on the captive-portal page, possibly Aruba ClearPass), which is used for the clients <> captive portal encryption.

    About the certificates:

    • Install an HTTPS certificate on the captive-portal page (possibly ClearPass) from a public CA like COMODO. A public certificate is needed so a guest client can validate the HTTPS certificate against its certificate trust store.
    • Install a webserver certificate from your own PKI private CA (or a public CA) on the controller. The common name (DNS) of the certificate, for example controller.organisation.com, must be configured in the captive-portal configuration as the accepted DNS entry the controller will send back to the captive portal after a POST. And of course the captive portal needs the PKI CA (or public CA) root and intermediate certificates to trust the webserver certificate that is sent from the controller back to the captive portal.



  • 8.  RE: Guest Network Redirection to portal fails

    Posted Jan 04, 2020 01:37 PM

    Hello mkk, thanks for answering!

    So you are basically saying my AP Management IP has to be on the same subnet of the guest clients? That is weird.

    About the certificates, you are saying there are two different ones, right?

    I still don't get the difference between the two you mentioned.

    As far as I know, there's only one type of certificate to secure HTTPS browsing and server trust...

    Maybe you are referring to server certificate and machine certificate?

    What is Aruba ClearPass?

    Is there a link or tutorial you can provide me with theoretical explanations of the certificates and a step-by-step guide?

    Thank you!

     



  • 9.  RE: Guest Network Redirection to portal fails

    MVP EXPERT
    Posted Jan 04, 2020 02:55 PM

    Hi Erudes,

    OK, I understand now that you use the internal captive portal of the controller.

    In that case you need only one HTTPS webserver certificate on the controller, signed by a public CA.

    The guest VLAN needs an IP address on each managed device to hit the captive portal; of course the user-role ACL needs a rule that denies traffic from the user to the controller IP address.

    Aruba ClearPass is an advanced (external) authentication server that can do RADIUS, TACACS, MAC-AUTH and more. ClearPass has an advanced captive portal with a lot of nice features.

    But in your case, how to set up a captive portal on the internal controllers is documented in the ArubaOS8 User guide, link.

    In the attachment I created some screenshots for you of how I quickly configure captive portal.

    Hope this helps you!



  • 10.  RE: Guest Network Redirection to portal fails

    Posted Jan 04, 2020 10:34 PM

    Hey again mkk,

    So let me see if I have this straight.

    It is a fact that I need a server certificate for the captive portal that will have to be installed on the controller.

    Can I generate a self-signed one through a CA on a domain, or through a Linux machine, and use it?

    The network scenario is Wifi_Guest SSID is VLAN ID 500, subnet 192.168.2.X /24. Management VLAN Controller 900, Subnet of 10.8.15.X /24. You are saying that with this configuration on the network, guest clients will never hit the captive portal even WITH the certificate installed on the controller?



  • 11.  RE: Guest Network Redirection to portal fails

    MVP EXPERT
    Posted Jan 05, 2020 06:09 AM

    Hi Erudes,

    Just give VLAN ID 500 an IP interface on each MD so the captive portal is reachable. Without it the portal will not show up at all.

    When using a self-signed certificate or one from your own PKI CA (aka your own domain or CA server), the guest client does not have the CA root (and/or intermediate) certificates in the trust store of its browser, therefore a client cannot trust the captive-portal HTTPS webserver certificate. Sure it will work, but guest clients will always annoyingly see a certificate error when reaching the portal, and it's not secure at all and it gives a bad user experience.

    That's why a webserver certificate from a public CA is strongly recommended, because the root certificates are present by default on the client devices. And therefore they don't see a certificate error when reaching the captive-portal page.

    In the captive-portal profile you can even disable HTTPS altogether, but this is not recommended of course.

    If you run a demo environment you can use a free certificate from "Let's Encrypt" https://www.sslforfree.com/. Else buy a simple SSL certificate from COMODO or another good provider, it's not expensive.

    The default URL is captiveportal-login.domain.com

    See also this older thread:

    https://community.arubanetworks.com/t5/Wireless-Access/How-to-configure-an-IP-to-the-name-captiveportal-login-mysite/td-p/236717
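
The trust decision discussed in posts 7 and 11, as an added example that is not part of any post in this thread: a locally generated demo CA stands in for a public CA already present in the guest's trust store, and the same portal name is checked on a CA-signed and a self-signed certificate. The helper names `make_demo_pki` and `check_portal_cert` are hypothetical, and the host name is the default one quoted in post 11.

```shell
#!/usr/bin/env bash
# Added illustration: every key and certificate here is constructed locally
# in a temp directory. "Demo Root CA" stands in for a public CA that guest
# devices already trust; nothing is fetched from a controller or the network.
PORTAL_NAME="captiveportal-login.domain.com"   # default portal name quoted in the thread

# make_demo_pki DIR (hypothetical helper): writes ca.pem, ca_signed.pem and
# self_signed.pem into DIR. Both leaf certificates carry the same portal name.
make_demo_pki() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$PORTAL_NAME" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
  printf 'subjectAltName=DNS:%s\n' "$PORTAL_NAME" > "$dir/san.ext"
  # Leaf issued by the demo CA: the "public CA" case.
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -extfile "$dir/san.ext" \
    -out "$dir/ca_signed.pem" 2>/dev/null || return 1
  # Same request signed with its own key: the self-signed case.
  openssl x509 -req -in "$dir/leaf.csr" -signkey "$dir/leaf.key" -days 2 \
    -extfile "$dir/san.ext" -out "$dir/self_signed.pem" 2>/dev/null || return 1
}

# check_portal_cert CERT TRUST_STORE HOSTNAME (hypothetical helper): prints
# "trusted" only if CERT chains to a CA in TRUST_STORE and matches HOSTNAME,
# the same two checks a guest browser applies on the redirect.
check_portal_cert() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

demo() {
  tmp=$(mktemp -d) || return 1
  make_demo_pki "$tmp" || { rm -rf "$tmp"; return 1; }
  echo "CA-signed, portal name:   $(check_portal_cert "$tmp/ca_signed.pem" "$tmp/ca.pem" "$PORTAL_NAME")"
  echo "self-signed, portal name: $(check_portal_cert "$tmp/self_signed.pem" "$tmp/ca.pem" "$PORTAL_NAME")"
  echo "CA-signed, other name:    $(check_portal_cert "$tmp/ca_signed.pem" "$tmp/ca.pem" "www.example.com")"
  rm -rf "$tmp"
}
demo
```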

     



  • 12.  RE: Guest Network Redirection to portal fails

    Posted Jan 07, 2020 08:30 AM

    I understood about the importance of a valid certificate; however, it's not clear if it is completely needed, as you also say we can disable HTTPS for the portal on the controller. Is this correct?

    SSL For Free certificates are valid for guest clients? Are they recognized on the client devices?

    On the other hand, I still don't understand why the AP has to have an IP address on the Guest Subnet. I've used other brands before and this has never been like that; the AP has an IP that belongs to the Management VLAN, not the Guest VLAN final IPs.



  • 13.  RE: Guest Network Redirection to portal fails

    MVP EXPERT
    Posted Jan 07, 2020 09:05 AM

    Yes, you can disable HTTPS in the captive-portal profile.

    Yes, 'Let's Encrypt' / sslforfree certificates are trusted by guest clients but are valid for 90 days (manual extension is possible).

    As far as I know, the IP address is needed to hit the role/ACL to do the DNS redirection; if you know another method, let me know. A deny ACL rule can be set in the role (there are some by default, but not for ping) so a user can't contact the controllers. It looks like "src:user dest:controller-ip deny all".



  • 14.  RE: Guest Network Redirection to portal fails

    Posted Jan 21, 2020 05:35 PM

    How do I disable HTTPS just to test the captive portal works, then put the password and guest client can surf the web? I cannot find it on my controller here.

     

    See screenshot please:



  • 15.  RE: Guest Network Redirection to portal fails



  • 16.  RE: Guest Network Redirection to portal fails

    Posted Jan 22, 2020 01:11 PM

    I think I don't have those options on my controller... don't know model...

    See screenshots attached please:



  • 17.  RE: Guest Network Redirection to portal fails

    Posted Jan 31, 2020 11:50 AM

    @harendra

    Any ideas on this? Looks like my controller does not have the option you mention :(

    Sorry, I inherited the network and it's logical I'm kind of lost, to the point I don't know how to check the controller version, ha



  • 18.  RE: Guest Network Redirection to portal fails

    EMPLOYEE
    Posted Jan 07, 2020 09:13 AM

    Follow this integration Guide

    HowTo Guide on Configuring Aruba Wireless with ClearPass as an authentication source for a dot1x enabled secure SSID and also with basic guest registration enabled for a guest SSID.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33311