Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Wireless Controller and Commercial Wildcard Certificates

  • 1.  Wireless Controller and Commercial Wildcard Certificates

    Posted May 02, 2014 04:22 PM

    Hey,

    I am finally getting around to looking at the certificates loaded on our Aruba 3200 Controller. It is running the default one that comes loaded out of the box.

    I'd like to correct a certificate error our guest users get after they auth. against our captive portal.

    We have the option to pop up the logout window enabled, which opens a small window with a URL that points directly to our controller (https://aruba-master.<our domain>.com/cgi-bin/login).

    Do the Aruba controllers work okay with wildcard certificates?

    And I want to confirm whether or not I should be loading the certificate chain for our commercial wildcard cert (if they are supported)?

    I found this post which seems to suggest we might have issues with a wildcard cert on the controller as well.

    I guess we can always just disable the pop up as well, since most browsers block pop ups by default anyway.

    Thank you,

    Cheers

    #3200


  • 2.  RE: Wireless Controller and Commercial Wildcard Certificates

    EMPLOYEE
    Posted May 02, 2014 04:57 PM

    Your controller will work fine with a wildcard certificate IF you are NOT using it for EAP Termination. If you have an external RADIUS server and that has a server certificate, you should have no issues putting a wildcard server certificate on your Aruba controller.

    What will change is that since your Captive Portal does not have a hostname, it has a *, the controller redirect will look like "https://captiveportal-login.domain.com". So that means if you develop a custom page for Captive Portal in the controller or ClearPass, you will need to reference the controller using captiveportal-login.domain.com. You can sidestep this by installing a server certificate with a "real" fqdn, instead of a wildcard certificate.
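As an added example (not from this thread and not HPE Aruba code), the check a practitioner would run before rolling out the wildcard certificate: does a name on the certificate cover the hostname the captive-portal redirect will use, under the wildcard rules browsers apply (RFC 6125, section 6.4.3)? The SAN list and the domain names below are constructed placeholders.

```python
from typing import Iterable, Optional

# Constructed sample: the DNS names on a commercial wildcard certificate
# (subjectAltName entries) and the redirect hostname the reply above
# describes for a wildcard certificate. Domain names are placeholders.
WILDCARD_CERT_SANS = ["*.domain.com", "domain.com"]
CAPTIVE_PORTAL_REDIRECT_HOST = "captiveportal-login.domain.com"


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly a wildcard such as
    '*.domain.com') covers hostname under the RFC 6125 rules browsers use:
    the wildcard must be the entire leftmost label, it matches exactly one
    label (never 'a.b.domain.com'), and it may not cover a public suffix
    such as '*.com'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    labels = cert_name.split(".")
    # Reject partial-label wildcards ('aruba-*.domain.com'), wildcards in
    # any label other than the leftmost, and too-short names like '*.com'.
    if labels[0] != "*" or "*" in cert_name[2:] or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # The '*' stands in for exactly one label; everything after it must
    # match the host exactly, label for label.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def covered_by(cert_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that covers hostname, else None."""
    for name in cert_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in [CAPTIVE_PORTAL_REDIRECT_HOST, "aruba-master.domain.com",
                 "login.guest.domain.com", "domain.com"]:
        match = covered_by(WILDCARD_CERT_SANS, host)
        print(f"{host:32s} -> {match or 'NOT COVERED (browser warning)'}")
```

A certificate issued to a single "real" FQDN only covers that exact name, so the same function reports the redirect host as not covered unless the name on the certificate is the one the controller actually presents.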



  • 3.  RE: Wireless Controller and Commercial Wildcard Certificates

    Posted May 05, 2014 04:47 PM

    Hey,

    Sorry for my late reply.

    Thank you, cjoseph, for the explanation.

    We are currently not using the Controller for EAP Termination.

    The EAP Termination is being handled by our CPPM.

    I think I understand your second comment.

    It brings some questions to mind about where certain information is pulled from while a guest user is logging in. I might have to do some testing to make sure I understand it fully.

    I apologize I do not have more knowledge.

    Now that I know some of the pitfalls to using a wildcard cert on the controller, we can start to plan a little better and of course test everything!

    Thank you once again, cjoseph, for your knowledge!