Regular Contributor II

Guest cert redirect issues

We have an issue every time that we update our certs (ClearPass Guest and Aruba Controller). The issue is we upload the cert (HTTPS) on ClearPass, then we have to take the PFX cert file (convert it to PEM for Controller). The controller cert is put in the order of root->intermediate->server->private key. TAC has even tried it server->intermediate->root->private key. No matter what way, when some devices are redirected from the captive portal to controller then to our company's website, some users have no issues. Other users either never see the captive portal page or get a certificate error (the one from controller). The users have iOS, Android, MacOS and Windows 10. Browsers range from Safari, Firefox, Chrome, Edge and Internet Explorer. It makes it hard to troubleshoot because it works for one device and another will not work (the devices are the same and same version of OS).

I made sure that the controller has Bypass Apple Captive Network Assistant enabled. HTTPS authentication is set. Controllers are 7210 running 6.5.4.14.

TAC thinks it is the cert. We get our certs from GeoTrust-RSA-CA-2018 (DigiCert-Global-Root-CA). The certs for HTTPS and RADIUS on ClearPass are issued by the same, they work fine. Just the one for the redirect.

 

Any ideas?
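The post above describes converting the PFX to PEM and trying two chain orders. As an added example (not from the thread, TAC or Aruba), this script reports what a converted bundle actually contains: the order of its PEM blocks, whether the certificates link leaf-first or root-first, and which certificate the private key belongs to. It does not state which order the controller expects. It assumes `openssl` is on the PATH and the key is unencrypted; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: inspect a PEM bundle (certs + unencrypted key) before upload.
# Order of PEM blocks in the file, e.g. CERTIFICATE ... PRIVATE KEY.
pem_block_order() {
  tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# One "subject|issuer" line per certificate, in file order.
cert_names() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ {s=substr($0,9)} /^issuer=/ {print s "|" substr($0,8)}'
}

# leaf-first: each cert is issued by the next one; root-first: by the previous.
chain_direction() {
  cert_names "$1" | awk -F'|' '
    { subj[NR]=$1; iss[NR]=$2 }
    END {
      if (NR < 2) { print "single"; exit }
      lf=1; rf=1
      for (i=1; i<NR; i++) {
        if (iss[i] != subj[i+1]) lf=0
        if (iss[i+1] != subj[i]) rf=0
      }
      print (lf ? "leaf-first" : (rf ? "root-first" : "unordered"))
    }'
}

# 1-based position of the cert whose public key matches the bundle's key; 0 = none.
key_cert_index() {
  tmp=$(mktemp -d) || return 1
  tr -d '\r' < "$1" | awk -v d="$tmp" '
    /^-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem" }
    f { print > f }
    /^-----END CERTIFICATE-----/ { close(f); f = "" }'
  want=$(openssl pkey -in "$1" -pubout 2>/dev/null) || want="no-key"
  idx=0; i=1
  while [ -f "$tmp/$i.pem" ]; do
    [ "$(openssl x509 -in "$tmp/$i.pem" -noout -pubkey)" = "$want" ] && idx=$i
    i=$((i+1))
  done
  rm -rf "$tmp"
  echo "$idx"
}

if [ $# -ge 1 ]; then
  pem_block_order "$1"
  echo "chain: $(chain_direction "$1"); key matches cert #$(key_cert_index "$1")"
fi
```

Run it with the bundle path as the only argument; a result of `unordered`, or a key that matches a certificate other than the server's, means the bundle was assembled incorrectly during conversion.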

MVP Expert

Re: Guest cert redirect issues

Do you have the OCSP for DigiCert whitelisted in the L3 captive portal profile?



Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Pardon typos sent from Mobile

Regular Contributor II

Re: Guest cert redirect issues

Enable OCSP Responder is disabled. If I enable OCSP, the drop down is blank with no options. In the Revocation CheckPoints section it has DigiCert listed. Do I just have to enable OCSP and since the DigiCert is listed in Revocation section then I don't have to do anything with the drop down?

Regular Contributor II

Re: Guest cert redirect issues

Victor,

When you helped us set this up, you uploaded the DigiCert as a TrustedCA. We also uploaded the intermediate cert as a TrustedCA. Should I re-upload the DigiCert as an OCSPResponderCert and then enable OCSP Responder then choose the DigiCert from the drop down?
