Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

iOS: This form is not secure, CPPM Guest

  • 1.  iOS: This form is not secure, CPPM Guest

    Posted Dec 04, 2018 02:15 PM

    I've had a CPPM Guest configuration for a few months.  Today I saw a new iPhone X that receives this message when trying to connect: [attachment: insecureform.PNG]

    Other iOS devices seem fine.  I can't immediately reproduce it, but it's consistent.  Ideas?



  • 2.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 04, 2018 02:18 PM
    Ensure both the ClearPass and controller certificates are properly chained.


  • 3.  RE: iOS: This form is not secure, CPPM Guest

    Posted Dec 04, 2018 02:36 PM

    The CPPM HTTPS Server Certificate is from a public CA, and both the intermediate and root certs are installed. What controller cert are you referring to?  The only cert I'm aware of on the controller is used for the https management interface.  

     

    The initial page itself validated just fine in the Apple CNA (and every other browser / device I've tested).  We have a checkbox to accept terms, and a submit button.  Pressing that submit button generates the error message I previously included.  

     

    My understanding was that this form gets posted to "securelogin.arubanetworks.com" by default, per the "Address" field in the CPPM Guest Web Login configuration.  



  • 4.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 04, 2018 02:51 PM
    Your controller needs a publicly CA-signed captive portal certificate.


  • 5.  RE: iOS: This form is not secure, CPPM Guest

    Posted Dec 04, 2018 03:12 PM

    Sorry, should have mentioned - the authentication is sent over HTTP.  Since it's all anonymous access this was an acceptable solution. [attachment: httplogin.PNG]



  • 6.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 04, 2018 03:24 PM
    That’s exactly what the error is then. It is poor security practice to submit a form over HTTP, regardless of the contents. Apple is very strict on security.
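The condition the reply above describes (a login page that is itself served over HTTPS but whose form submits to an http:// action) is something you can check for before a client ever warns about it. The script below is an added example, not code from this thread or from HPE Aruba; it parses the forms on a captive-portal page with the Python standard library, resolves each form's action the way a browser would, and reports any that would post over plain HTTP. The page URL and HTML are constructed samples modelled on the thread's description, not captured from a real ClearPass deployment.

```python
"""Flag captive-portal login forms that submit over plain HTTP.

Added example (not from the thread or from HPE Aruba / ClearPass). The
iOS "This form is not secure" warning discussed in the thread fires when
a form's effective action resolves to an http:// URL, even if the page
that carries the form was loaded over HTTPS. This walks every <form> on a
login page and reports those whose action is not HTTPS, together with the
field names that would travel in the clear.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> action and the named <input> fields inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []        # list of {"action": str | None, "fields": [(type, name), ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action"), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["fields"].append((a.get("type", "text"), a.get("name")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_forms(page_url, html):
    """Return (effective_action, [field names]) for each form not posting over HTTPS.

    A missing action attribute means the form posts back to the page URL, so a
    page served over HTTPS with no action is fine; a relative action is resolved
    against the page URL exactly as a browser would resolve it.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = urljoin(page_url, form["action"] or "")
        if urlsplit(action).scheme != "https":
            findings.append((action, [name for _, name in form["fields"] if name]))
    return findings


# Constructed sample: a guest page served by ClearPass over HTTPS whose login
# form posts the session credentials to the controller's default portal
# hostname over plain HTTP (the setup described in the thread).
SAMPLE_PAGE_URL = "https://clearpass.example.com/guest/weblogin.php"
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://securelogin.arubanetworks.com/cgi-bin/login">
  <input type="hidden" name="cmd" value="authenticate">
  <input type="hidden" name="user" value="guest">
  <input type="hidden" name="password" value="guest">
  <input type="checkbox" name="accept_terms"> I accept the terms
  <input type="submit" value="Log In">
</form>
<form method="post" action="/guest/feedback.php">
  <input type="text" name="comment">
</form>
</body></html>
"""

if __name__ == "__main__":
    for action, fields in insecure_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"form posts over non-HTTPS to {action}; fields: {fields}")
```

Run against a saved copy of the real login page (with its real URL as `page_url`) the output tells you which form, and which fields, trigger the warning; the fix the thread converges on is to make that action an HTTPS URL whose hostname is on the controller's captive-portal certificate.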


  • 7.  RE: iOS: This form is not secure, CPPM Guest

    Posted Dec 04, 2018 03:47 PM

    I suppose that's possible.  It's strange that it's only happening on one device so far.  Even other iOS devices on the same version are unaffected.

     

    Still, HTTPS is best practice.  If I was going to use the wildcard method described here:  https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Web-Login-NAS-Address-configuration-options-in-single-and-multi/ta-p/275426 

     

    I understand how to create the certificate, and what URL I should use, but where do I install it in the controllers?  I would guess it's installed at the managed devices node of mobility master as a "ServerCert" ?  There's no obvious way to associate a particular certificate with captive portal usage that I see.



  • 8.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 04, 2018 03:50 PM
    You need one, single name certificate for all your controllers. A wildcard is not recommended. You can upload the certificate and set it as captive portal at the highest point in your hierarchy and it will apply to all nodes below it.

    In ClearPass, you change the web login config to match the CN of the cert (network-login.yourdomain.com for example).
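The requirement in the reply above (the Web Login address in ClearPass must match the name on the controller's captive-portal certificate) and the later discussion of wildcard versus single-name certificates both come down to the hostname-matching rule browsers apply. The code below is an added example, not code from this thread or from HPE Aruba; it implements that rule in pure Python so you can test a planned portal hostname against the names a certificate carries before deploying it. The certificate name sets and hostnames are constructed samples; the rule that a wildcard matches exactly one label, only in the leftmost position, follows RFC 6125, and the CN is consulted only when the certificate has no Subject Alternative Name entries, which is how current browsers and iOS behave.

```python
"""Check that a captive-portal hostname is covered by a certificate's names.

Added example, not from the thread or from HPE Aruba / ClearPass. It
applies the client-side rule the thread relies on: the hostname ClearPass
sends the browser to (the Web Login "Address") must match a dNSName in the
controller certificate's Subject Alternative Name extension; the CN is a
fallback only for certificates with no SAN at all. A wildcard covers a
single DNS label in the leftmost position and nothing deeper.
"""


def _label_matches(pattern_label, host_label):
    """Match one DNS label; a bare '*' matches any single non-empty label."""
    if pattern_label == "*":
        return bool(host_label)
    return pattern_label == host_label


def dns_name_matches(pattern, hostname):
    """True if certificate name `pattern` covers `hostname` (RFC 6125 style)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # a wildcard never spans more than one label
    if "*" in pattern:
        # only an entire leftmost label may be a wildcard, and a pattern such
        # as "*.com" (fewer than three labels) is rejected outright
        if p[0] != "*" or "*" in pattern[2:] or len(p) < 3:
            return False
    return all(_label_matches(pl, hl) for pl, hl in zip(p, h))


def cert_covers_host(cert_names, hostname):
    """cert_names: {"cn": str, "san": [dNSName, ...]} as read from a certificate."""
    candidates = cert_names.get("san") or [cert_names["cn"]]
    return any(dns_name_matches(name, hostname) for name in candidates)


def check_web_login(cert_names, web_login_host):
    """One-line verdict for the hostname configured as the ClearPass Web Login address."""
    if cert_covers_host(cert_names, web_login_host):
        return f"OK: {web_login_host} is covered by the captive portal certificate"
    return f"MISMATCH: {web_login_host} is not on the certificate; clients will warn"


# Constructed sample certificates (hypothetical names, not real certificates).
SINGLE_NAME_CERT = {"cn": "network-login.yourdomain.com",
                    "san": ["network-login.yourdomain.com"]}
WILDCARD_CERT = {"cn": "*.yourdomain.com",
                 "san": ["*.yourdomain.com", "yourdomain.com"]}
SAN_ONLY_CERT = {"cn": "old-portal.yourdomain.com",
                 "san": ["network-login.yourdomain.com"]}

if __name__ == "__main__":
    print(check_web_login(SINGLE_NAME_CERT, "network-login.yourdomain.com"))
    print(check_web_login(SINGLE_NAME_CERT, "captiveportal-login.yourdomain.com"))
    print(check_web_login(WILDCARD_CERT, "captiveportal-login.yourdomain.com"))
    print(check_web_login(WILDCARD_CERT, "ctrl1.site.yourdomain.com"))
    print(check_web_login(SAN_ONLY_CERT, "old-portal.yourdomain.com"))
```

The last two sample cases are the ones that catch people: a wildcard does not cover a hostname one label deeper than the wildcard, and a hostname that appears only in the CN is ignored once the certificate carries a SAN, so the name you put in the ClearPass Web Login address must be in the SAN list, whichever certificate type you choose.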


  • 9.  RE: iOS: This form is not secure, CPPM Guest

    Posted Dec 04, 2018 04:42 PM

    There doesn't appear to be a captive portal certificate option: [attachment: certtypes.png]



  • 10.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 04, 2018 04:44 PM
    It’s a server certificate.


  • 11.  RE: iOS: This form is not secure, CPPM Guest

    Posted Dec 05, 2018 09:25 PM
    Why is a wildcard not recommended? I recall when the secure-login cert was revoked and replaced with a self-signed cert, there were a few articles suggesting using a wildcard that would get replaced with captiveportal-login.domain.com was a good approach.


    #AirheadsMobile


  • 12.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 05, 2018 09:31 PM
    Wildcards should be avoided in any scenario as there is a much higher risk for key exposure. Also, for this use case, you’re likely to spend 25x more on a wildcard than a standard, single name certificate which is all that’s required for captive portal.


  • 13.  RE: iOS: This form is not secure, CPPM Guest

    Posted Dec 06, 2018 07:54 AM

    I'm not sure how other CAs do it, but DigiCert allows separate private keys for each instance of the wildcard cert.  Every time I use it, it's a new key pair.  It's also not 25x the cost, maybe 2x.  Plus I can add new Subject Alternative Names each time, so I can ensure the SANs match the hostname, which is good enough for every browser I've tested.  The only one that throws this error is that iPhone X.



  • 14.  RE: iOS: This form is not secure, CPPM Guest

    EMPLOYEE
    Posted Dec 06, 2018 09:46 AM
    A standard single name certificate is $4.99/yr. A basic wildcard cert $74.88/yr (that doesn’t offer multiple keys). So around 6x the cost (yes, I exaggerated).

    Bottom line, you should avoid wildcard certs at all costs. The added risks are too high.

