Contributor II

iOS: This form is not secure, CPPM Guest

I've had a CPPM Guest configuration for a few months.  Today I saw a new iPhone X that receives this message when trying to connect: [image: insecureform.PNG]

Other iOS devices seem fine.  I can't immediately reproduce it, but it's consistent.  Ideas?

Guru Elite

Re: iOS: This form is not secure, CPPM Guest

Ensure both the ClearPass and controller certificates are properly chained.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

Contributor II

Re: iOS: This form is not secure, CPPM Guest

The CPPM HTTPS Server Certificate is from a public CA, and both the intermediate and root certs are installed. What controller cert are you referring to?  The only cert I'm aware of on the controller is used for the https management interface.

The initial page itself validated just fine in the Apple CNA (and every other browser / device I've tested).  We have a checkbox to accept terms, and a submit button.  Pressing that submit button generates the error message I previously included.

My understanding was that this form gets posted to "securelogin.arubanetworks.com" by default, per the "Address" field in the CPPM Guest Web Login configuration.

Guru Elite

Re: iOS: This form is not secure, CPPM Guest

Your controller needs a publicly CA-signed captive portal certificate.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: iOS: This form is not secure, CPPM Guest

Sorry, should have mentioned - the authentication is sent over HTTP.  Since it's all anonymous access this was an acceptable solution. [image: httplogin.PNG]

Guru Elite

Re: iOS: This form is not secure, CPPM Guest

That’s exactly what the error is then. It is poor security practice to submit a form over HTTP, regardless of the contents. Apple is very strict on security.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
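
The condition diagnosed in the reply above (a login page served over HTTPS whose form submits over HTTP) can be checked from a saved copy of the page. This is an added example, not part of the thread and not Aruba code; the page URL, the `login-placeholder` path and the sample HTML are constructed, and only the two login hostnames come from the posts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect (action, method) for every <form> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            a = dict(attrs)
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def insecure_form_targets(page_url, html):
    """Return (method, resolved_url) for each form that would submit without TLS."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for action, method in collector.forms:
        # Resolve as a browser would: an empty or relative action inherits
        # the scheme of the page that served the form.
        target = urljoin(page_url, action)
        if urlsplit(target).scheme.lower() != "https":
            findings.append((method, target))
    return findings


# Constructed samples: the page URL and the login path are placeholders.
PAGE_URL = "https://clearpass.example.com/guest/weblogin-placeholder"
HTTP_FORM = ('<form method="POST" '
             'action="http://securelogin.arubanetworks.com/login-placeholder">'
             '<input type="checkbox" name="terms"><input type="submit"></form>')
HTTPS_FORM = HTTP_FORM.replace("http://securelogin.arubanetworks.com",
                               "https://network-login.yourdomain.com")

if __name__ == "__main__":
    for label, html in (("HTTP post", HTTP_FORM), ("HTTPS post", HTTPS_FORM)):
        hits = insecure_form_targets(PAGE_URL, html)
        print(label, "->", hits or "no cleartext form targets")
```
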

Contributor II

Re: iOS: This form is not secure, CPPM Guest

I suppose that's possible.  It's strange that it's only happening on one device so far.  Even other iOS devices on the same version are unaffected.

Still, HTTPS is best practice.  If I was going to use the wildcard method described here:  https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Web-Login-NAS-Address-configuration-options-in-single-and-multi/ta-p/275426

I understand how to create the certificate, and what URL I should use, but where do I install it in the controllers?  I would guess it's installed at the managed devices node of mobility master as a "ServerCert"?  There's no obvious way to associate a particular certificate with captive portal usage that I see.

Guru Elite

Re: iOS: This form is not secure, CPPM Guest

You need one, single name certificate for all your controllers. A wildcard is not recommended. You can upload the certificate and set it as captive portal at the highest point in your hierarchy and it will apply to all nodes below it.

In ClearPass, you change the web login config to match the CN of the cert (network-login.yourdomain.com for example).

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

Contributor II

Re: iOS: This form is not secure, CPPM Guest

There doesn't appear to be a captive portal certificate option: [image: certtypes.png]

Guru Elite

Re: iOS: This form is not secure, CPPM Guest

It’s a server certificate.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
