
Problems with captive portal and certificate when redirecting to controller

Hello

I got the following scenario:

1 ClearPass

2 controllers (master/standby) at the central site

10 local controllers on remote sites (one controller in each site), for example site A has one controller, site B has the other controller, etc.

1 DMZ controller in the central site, which is a master controller and is alone.

All the local controllers are doing a GRE tunnel to the VRRP IP on the central site and passing the guest VLAN, which only exists in the controllers; then on the central site there is a GRE tunnel to the DMZ that does the same, passing only the guest VLAN.

I got a public certificate in ClearPass.

I got public certificates on the master and standby controllers.

I got a public certificate on the local controllers as well.

I don't think I have them on the DMZ controller because I don't authenticate there or anything; I just use it to terminate the tunnel from the master controller.

Now for the public certificate on the controllers I'm using the same one. I did a request on an old ClearPass from which I can retrieve the private key, and put the private key, the signed cert and the root CA in a .pem and uploaded it to every controller.

The scenario:

The user logs in to the network.

If the user goes to an HTTP page he doesn't get a certificate error and gets the captive portal. If the user goes to an HTTPS page he gets an error but he can continue.

The user fills in the info and requests access.

IT gets the email and gives them access, and they get redirected to the controller, and sometimes they get a public certificate error again, especially on Macs, and you have to click again to continue. This confuses the end users and they don't know what to do.

Why is this happening, or how can I prevent this from happening?

Does anyone have any idea what could be wrong in my config or the way I did it?

 

Cheers

Carlos

----------------------------------------------------
Project engineer

Re: Problems with captive portal and certificate when redirecting to controller

What is the third-party CA for the cert?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: Problems with captive portal and certificate when redirecting to controller

Hello Victor

It's DigiCert.

----------------------------------------------------
Project engineer

Re: Problems with captive portal and certificate when redirecting to controller

Please try chaining the controller cert like this:

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

 

And also whitelist the DigiCert OCSP responders under the L3 Guest Captive Portal Authentication Profile:

netdestination ocsp-digicert-dest
name ta2.symcb.com
name tb2.symcb.com
name tc2.symcb.com
name td2.symcb.com
name te2.symcb.com
name tf2.symcb.com
name tg2.symcb.com
name th2.symcb.com
name ti2.symcb.com
name tj2.symcb.com
name tk2.symcb.com
name tl2.symcb.com
name ta.symcd.com
name tb.symcd.com
name tc.symcd.com
name td.symcd.com
name te.symcd.com
name tf.symcd.com
name tg.symcd.com
name th.symcd.com
name ti.symcd.com
name tj.symcd.com
name tk.symcd.com
name tl.symcd.com
name tm.symcd.com
name tn.symcd.com
name to.symcd.com

or

netdestination ocsp-digicert-dest
name *.symcb.com

https://knowledge.digicert.com/solution/SO28927.html#Download 

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
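As an added example (not code from the thread, Aruba or DigiCert), the following Python script checks a .pem bundle for the order the DigiCert article describes (private key first, then server certificate, intermediate(s), root) and verifies that each certificate's issuer matches the next certificate's subject, which catches a missing intermediate before the file is uploaded to a controller. The sample bundle is constructed from fake, unsigned certificates, and the check does not validate signatures or expiry.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low bits give the number of length bytes
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, pos, pos + ln

def names(cert):
    """Return (issuer, subject) Name contents from a DER X.509 certificate."""
    _, s, _ = tlv(cert, 0)          # outer Certificate SEQUENCE
    _, s, e = tlv(cert, s)          # tbsCertificate SEQUENCE
    fields = []
    while s < e:                    # collect tbsCertificate fields in order
        tag, a, b = tlv(cert, s)
        fields.append((tag, cert[a:b])); s = b
    if fields[0][0] == 0xA0:        # drop the optional explicit [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]   # serial, sigAlg, issuer, validity, subject, ...

def check_bundle(pem):
    """Check block order and issuer->subject chaining; signatures are NOT verified."""
    blocks = PEM_RE.findall(pem)
    if not blocks or not blocks[0][0].endswith("PRIVATE KEY"):
        return "private key must be the first block"
    if len(blocks) < 3 or any(k != "CERTIFICATE" for k, _ in blocks[1:]):
        return "expected server cert, intermediate(s) and root after the key"
    certs = [base64.b64decode("".join(b.split())) for _, b in blocks[1:]]
    for i in range(len(certs) - 1):
        if names(certs[i])[0] != names(certs[i + 1])[1]:
            return f"cert {i} issuer does not match cert {i + 1} subject"
    issuer, subject = names(certs[-1])
    return "ok" if issuer == subject else "last cert is not self-signed (root missing)"

# Constructed sample data: fake, unsigned certificates, not real DigiCert material.
def der(tag, body):
    raw = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (raw if len(body) < 128 else bytes([0x80 | len(raw)]) + raw) + body
def fake_cert(issuer, subject):
    name = lambda cn: der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + name(issuer) + der(0x30, b"") + name(subject) + der(0x30, b"")
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
def pem_block(kind, data):
    return f"-----BEGIN {kind}-----\n{base64.encodebytes(data).decode()}-----END {kind}-----\n"
KEY, LEAF = pem_block("PRIVATE KEY", der(0x30, b"\x02\x01\x00")), pem_block("CERTIFICATE", fake_cert("Demo Intermediate CA", "captiveportal.example.com"))
INTER, ROOT = pem_block("CERTIFICATE", fake_cert("Demo Root CA", "Demo Intermediate CA")), pem_block("CERTIFICATE", fake_cert("Demo Root CA", "Demo Root CA"))
GOOD_BUNDLE, MISSING_INTERMEDIATE = KEY + LEAF + INTER + ROOT, KEY + LEAF + ROOT
```

Run `check_bundle(open("controller.pem").read())` against the real file; the same Name-chaining check applies to a DigiCert-issued chain because only the Name fields are compared.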

Re: Problems with captive portal and certificate when redirecting to controller

Thank you Victor

Let me try this!

 

Cheers

Carlos

----------------------------------------------------
Project engineer