Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Securelogin signed by unknown authority

  • 1.  Securelogin signed by unknown authority

    Posted Dec 13, 2016 01:18 PM

    I am sure this must be covered by someone by now, but I haven't found anything on this specific issue as of yet.

    I have a guest captive portal set up on ClearPass Guest. I am using a Master/Local setup at my datacenter using 7210/7240 running 6.5.0.3.

    When connecting to the guest SSID, users are redirected to the web login page that is covered by a wildcard company cert. Upon clicking login it looks like they are directed to the controller using securelogin.arubanetworks.com certificate.

    The devices show that this is an unknown authority. How can this be solved? This is guest, so I am not able to push out the cert to trust it as I don't own the devices.



  • 2.  RE: Securelogin signed by unknown authority

    EMPLOYEE
    Posted Dec 13, 2016 01:20 PM
    You need to acquire a publicly signed certificate.



    https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809


  • 3.  RE: Securelogin signed by unknown authority

    Posted Dec 13, 2016 01:29 PM

    Without having read through the post you linked yet, can it be a wildcard for this case? I do have a wildcard that I'm using on the ClearPass server; I can put that on the controller.

    And this leads to the follow-up question. I was of the understanding that if I change the "securelogin" address on the weblogin page, it will be controller specific and I'll need a new page for each controller. Is that accurate?

     

    Unfortunately I am unable to access the cert 101 document as I do not have an account on support.arubanetwork; they required me to have an account on the HPE website instead.



  • 4.  RE: Securelogin signed by unknown authority
    Best Answer

    EMPLOYEE
    Posted Dec 13, 2016 01:37 PM

    You can use a wildcard certificate for the controller.

    You should NOT reuse the one that is already on the ClearPass server. Why? Because the controller actively intercepts DNS traffic for "captiveportal-login.wildcarddomain.com" and redirects it to the controller. It must be kept separate.

     

    If you use a wildcard certificate on the controller, please see the article here:  http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-configure-ClearPass-Guest-Amigopod-web-login-when-using/ta-p/176438 on how to configure ClearPass to support it.
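
For the wildcard option in the answer above, an added example (not part of the original thread and not Aruba code) that checks whether a certificate's SAN entries cover the hostnames a guest browser is sent to. The `example.com` names and the SAN list are constructed assumptions; matching follows the common RFC 6125 rule that `*` stands for exactly one leftmost label.

```python
import ipaddress

def san_covers(san: str, host: str) -> bool:
    """True if one certificate dNSName entry covers host (RFC 6125 style matching)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)      # dNSName entries never match IP literals
        return False
    except ValueError:
        pass
    san_labels, host_labels = san.split("."), host.split(".")
    if san_labels[0] != "*":
        return san == host              # exact name, no wildcard involved
    # "*" stands for exactly one whole leftmost label: same depth, same parent.
    # Require at least two labels after "*" so an entry like "*.com" is rejected.
    return (len(san_labels) >= 3
            and len(san_labels) == len(host_labels)
            and "*" not in san_labels[1:]
            and san_labels[1:] == host_labels[1:])

def audit_portal_names(sans, hosts):
    """Map each planned hostname to the SAN entry covering it, or None if uncovered."""
    return {h: next((s for s in sans if san_covers(s, h)), None) for h in hosts}

# Constructed sample data: SAN list of a hypothetical wildcard certificate and
# the names a guest browser would be sent to during login.
SAMPLE_SANS = ["*.example.com", "example.com"]
SAMPLE_HOSTS = [
    "captiveportal-login.example.com",        # controller login name, one label deep
    "clearpass.example.com",                  # ClearPass Guest web login page
    "captiveportal-login.guest.example.com",  # two labels deep: wildcard does not apply
    "securelogin.arubanetworks.com",          # default name from the thread, other domain
]

if __name__ == "__main__":
    for host, san in audit_portal_names(SAMPLE_SANS, SAMPLE_HOSTS).items():
        print(f"{host:40} {'covered by ' + san if san else 'NOT covered'}")
```

A name reported as not covered would still produce a browser warning even with a publicly signed wildcard certificate installed.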



  • 5.  RE: Securelogin signed by unknown authority

    EMPLOYEE
    Posted Dec 13, 2016 01:29 PM

    You have to purchase a captive portal certificate for the controller as well as ClearPass, if you don't want the "unknown authority" message.

     

    The Aruba Controller used to come with a valid certificate issued by GeoTrust. That certificate has been compromised and revoked by GeoTrust, so it is not provided any longer. https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

     

    As of 6.5.0.1, the controller now comes with a self-signed certificate that nobody trusts, because it is self-signed. Users must, just like every other platform, purchase a public certificate so that users connecting to their captive portal do not get the "unknown authority" message. Please also see the certificates 101 document on the ClearPass documentation site here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=13734