Security


Incorrect cert to client

  • 1.  Incorrect cert to client

    Posted Jan 23, 2020 01:01 PM

    We have a public certificate and a private certificate.

    The certificates installed on my CPPM are:

    Public cert issued by CA. (HTTPS Server Cert)

    Private cert issued by AD. (RADIUS Server Cert)

    My captive portal (Guest) uses the public cert, but some users receive a private cert.

    The problem is not occurring for all users.

    I am not sure what the root cause of the problem is. I don't have any idea how to fix this.



  • 2.  RE: Incorrect cert to client

    EMPLOYEE
    Posted Jan 24, 2020 03:37 AM

    Do you mean that some users are receiving during captive portal operations the RADIUS certificate? That is very unlikely.

     

    Based on this information it is not really possible to help. To find the root cause you will need to find out which users under what circumstances receive exactly what certificate if they are doing what. Based on that info you can determine what device is presenting the certificate and if that is like it is designed or not.

     

    What certificate did you install on your switch/AP/controller? Could it be that users see that certificate?

     

    If you have screenshots of the certificate received with the URL they are trying to reach, that may help already.

     

    I'd suggest that you work with someone who can interactively troubleshoot with you, like your Aruba partner or Aruba support.



  • 3.  RE: Incorrect cert to client

    Posted Jan 24, 2020 05:31 AM

    Do you mean that some users are receiving during captive portal operations the RADIUS certificate? That is very unlikely.

     

    Yes, some users of the captive portal receive the RADIUS certificate, but the correct one is the HTTPS cert.

     

    Based on this information it is not really possible to help. To find the root cause you will need to find out which users under what circumstances receive exactly what certificate if they are doing what. Based on that info you can determine what device is presenting the certificate and if that is like it is designed or not.

     

    I am sure that, as designed, it uses the HTTPS cert in CPPM.

     

     

    What certificate did you install on your switch/AP/controller? Could it be that users see that certificate?

     

    The RADIUS certificate (issued from Windows Server) is installed on the controller and CPPM.

    The HTTPS certificate (issued from CA) is installed in CPPM only, at Certificate Store > Server Certificate > Type: HTTPS Server Certificate

     



  • 4.  RE: Incorrect cert to client

    EMPLOYEE
    Posted Jan 24, 2020 05:55 AM

    Ok, you should have a public trusted certificate installed to your controller, not a private or RADIUS certificate.

     

    For Guest Captive Portal you need:

    - Public trusted HTTPS certificate on ClearPass (may be wildcard)

    - Public trusted HTTPS certificate on your controller/IAP configured for Captive portal (which may be a wildcard as well, in which case captiveportal-login.yourdomain will be the name to refer to; if you have a multi-SAN certificate, the first SAN will be used by the controller/IAP).

    - The ClearPass and controller certificate should be issued on different names. If you use a multi-SAN or wildcard the same certificate can be used as long as it is addressed on different FQDNs for the ClearPass and the controller.

     

    Fully separate from the guest use-case: For EAP authentication, you only need the EAP RADIUS certificate installed on ClearPass. In most cases having an internal/private CA certificate has the preference, and the same should be installed on all ClearPass servers that you have. Only reason to install an EAP certificate on a controller is when you use EAP Termination and that is deprecated as it is a corner-case feature that should be avoided in general.
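
A way to gather the facts this thread asks for (which certificate is presented on which name, and whether one wildcard or multi-SAN certificate covers both the ClearPass and the controller FQDN), as an added example that is not part of the original thread and not Aruba code. The host names, CA names and function names are assumptions, and the two sample certificates are constructed.

```python
import socket
import ssl

# Constructed getpeercert()-style samples (not real certificates).
PUBLIC_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
PRIVATE_RADIUS = {
    "subject": ((("commonName", "radius.corp.example"),),),
    "issuer": ((("commonName", "Corp-AD-CA"),),),
    "subjectAltName": (("DNS", "radius.corp.example"),),
}

def presented_cert(host, port=443, timeout=5):
    """Handshake as a browser would; (cert, None) if trusted, else (None, reason)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as exc:
        return None, exc.verify_message

def summarize(cert):
    """Pull subject CN, issuer CN and DNS SANs out of a getpeercert() dict."""
    subject = dict(rdn[0] for rdn in cert["subject"])
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"cn": subject.get("commonName"), "issuer": issuer.get("commonName"), "sans": sans}

def covers(san, fqdn):
    """Exact match, or a wildcard matching exactly one left-most label."""
    san, fqdn = san.lower(), fqdn.lower()
    if san.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == san[2:]
    return san == fqdn

def check_guest_names(cert, clearpass_fqdn, controller_fqdn):
    """Problems with using one certificate for both ClearPass and the controller."""
    sans, problems = summarize(cert)["sans"], []
    if clearpass_fqdn.lower() == controller_fqdn.lower():
        problems.append("ClearPass and controller share one FQDN")
    for role, name in (("ClearPass", clearpass_fqdn), ("controller", controller_fqdn)):
        if not any(covers(s, name) for s in sans):
            problems.append(f"{role} name {name} not covered by {sans}")
    return problems
```

Run `presented_cert()` from an affected guest client against each name it is redirected to; a returned reason instead of a certificate means that endpoint is presenting something the client's trust store does not accept.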