Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Securelogin and Canary Chrome and Certs

  • 1.  Securelogin and Canary Chrome and Certs

    Posted Jul 23, 2018 04:30 PM

    Hello

    A couple of years ago the securelogin.arubanetworks.com default certificate was revoked. Customers were recommended to generate our own self-signed cert or purchase a cert from a certificate authority. We purchased a cert and TAC helped me get it uploaded to our controllers. Things have been working fine. To my knowledge, only folks who connected to captive portal pages on the Aruba controller used securelogin... Then we heard about Canary Chrome and how legacy certs would not be trusted. So we did some testing, downloaded Chrome Canary and tried to register a device on the wifi. We have found in testing that the Canary browser doesn't trust securelogin.(ourdomainname). I guess I'm confused. Our captive portal pages for the bulk of our users are served up by ClearPass. How does securelogin come into play? We only loaded the securelogin certs on the controllers themselves. We are on 6.5-ish code. I understand how securelogin would come into play if our captive portal was served up on the controller (minimal use case). But in our scenario the captive portal page is on ClearPass (most of our users). Does the system know that it was referred to ClearPass from the controller and somehow know about securelogin as the "handoff" from the controller to ClearPass? I'm trying to understand the urgency and whether we must replace our certs on the controllers again, and I'd like to get an idea of the communications from the controller to ClearPass as it relates to securelogin specifically and the certs.

    Thank you much!

    Sarah



  • 2.  RE: Securelogin and Canary Chrome and Certs
    Best Answer

    EMPLOYEE
    Posted Jul 23, 2018 04:56 PM

    To oversimplify, the controller intercepts http/https traffic so the client must trust the https server certificate that is on the controller.  The controller then redirects the client to the ClearPass Captive Portal page and the client must trust that https server certificate as well.

     

    If the client does not trust either certificate, the client browser will show an error and the process will be stopped.



  • 3.  RE: Securelogin and Canary Chrome and Certs

    EMPLOYEE
    Posted Jul 23, 2018 05:00 PM
    Please post the certificate (public key) or common name.