Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Android Captive Portal Not Trusted using CNA

  • 1.  Android Captive Portal Not Trusted using CNA

    Posted Aug 23, 2018 11:39 AM

    We were using a 3rd party to host our login pages. We set it up to use their certificate and all seemed to be fine. We are no longer using them and have reverted back to our login pages from about 2 years ago, which are hosted in AWS. Back then, these were using the Aruba controller default cert. I know this cert will not work anymore, so I am trying to get our own cert to work. I am testing in the lab with our certificate, but keep getting trust errors with newer Android devices, specifically when we test with the device's CNA. The automatic pop-up login page throws an error. I strongly feel the controller config is correct and something in the login page is not. If I open Chrome and try to go to a non-secure site, I get redirected to the login page without any problem. This issue only occurs with the pop-up login page. I can reproduce this error with a Galaxy S8 running 7.0 and a Galaxy J7 running 8.0. I have another Android, an HTC on 5.0, that has no problem when I test with CNA. The pop-up login page on iPhone works fine too. Any ideas?



  • 2.  RE: Android Captive Portal Not Trusted using CNA

    EMPLOYEE
    Posted Aug 23, 2018 11:47 AM
    The captive portal has a valid public CA-signed certificate that is chained properly?


  • 3.  RE: Android Captive Portal Not Trusted using CNA

    Posted Aug 23, 2018 11:59 AM

    Well, that is a good question. TAC chained the cert that would be used for our production and I had some doubts if it was done correctly. Later I chained a different cert the same way for our lab.


    It seems to work redirecting to login page with a browser, so I assumed it is correct. Maybe it is not though.



  • 4.  RE: Android Captive Portal Not Trusted using CNA

    Posted Aug 23, 2018 01:21 PM

    My level 2 engineer says cert is chained correctly. Hmm.



  • 5.  RE: Android Captive Portal Not Trusted using CNA

    EMPLOYEE
    Posted Aug 23, 2018 01:29 PM

    Who issued the certificate? What is the URL when you get the error?



  • 6.  RE: Android Captive Portal Not Trusted using CNA

    Posted Aug 23, 2018 02:13 PM

    Issued by Entrust. Test login page is:

    https://aem-qa.shopwatertower.com/en/wifi.html

    It loads without error using chrome browser. I get error using CNA.




  • 7.  RE: Android Captive Portal Not Trusted using CNA

    EMPLOYEE
    Posted Aug 23, 2018 02:25 PM

    You mentioned that TAC chained the certificate. You should continue to work with them, honestly.



  • 8.  RE: Android Captive Portal Not Trusted using CNA

    EMPLOYEE
    Posted Aug 23, 2018 02:27 PM
    The cert is not chained correctly. You should only have the leaf cert + Entrust Certification Authority - L1K on the server.


  • 9.  RE: Android Captive Portal Not Trusted using CNA

    Posted Aug 23, 2018 02:57 PM

    @cappalli wrote:
    The cert is not chained correctly. You should only have the leaf cert + Entrust Certification Authority - L1K on the server.

    Thanks for everyone's help. I am trying to chain the cert like you said, and different ways too, but it will not upload without including the root CA and both Sub CAs. I get "public key did not match the private key in CSR store".



  • 10.  RE: Android Captive Portal Not Trusted using CNA

    Posted Aug 24, 2018 09:34 AM

    I figured out what mistake I was making earlier and was able to import the cert chained in different ways. I tried the leaf with one intermediate, with both intermediates, then added the root. The automatic login page that popped up threw the cert error each time.

    I then started to look at my device. I went into Settings and found the list of trusted CAs. I was able to find the Entrust root and G2 listed there with the exact same name as what my login page uses, but they have different serial numbers, different validity dates, etc. Could that be my issue? Is it just that the CNA is not smart enough to see my cert is valid?
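An added check that is not part of this thread, illustrating reply 8 (serve only leaf + issuing intermediate) and the question in reply 10 (a trusted root with the same name but a different key): it builds a throwaway root, an "L1K"-style intermediate and a portal leaf with the openssl CLI, then validates the chain as a client would. All names and hostnames are constructed; it assumes only that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from this thread): build a throwaway root -> intermediate -> leaf
# chain with the openssl CLI, then validate it the way a client does. Names are
# constructed to mirror the thread's layout; nothing here is a real Entrust certificate.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# mkcert <name> <subject> <extfile> <issuer-name|self>: EC key + cert signed by the issuer
mkcert() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  if [ "$4" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -set_serial "0x$(openssl rand -hex 8)" \
      -days 2 -extfile "$3" -out "$1.pem" 2>/dev/null
  fi
}

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:portal.example.test\n' > leaf.ext

build_pki() {
  mkcert root  '/CN=Example Root CA'          ca.ext   self
  mkcert l1k   '/CN=Example Issuing CA - L1K' ca.ext   root   # the intermediate
  mkcert leaf  '/CN=portal.example.test'      leaf.ext l1k    # the portal cert
  # A second root with the SAME subject name but a different key: the reply-10 situation
  mkcert root2 '/CN=Example Root CA'          ca.ext   self
}

# verify_chain <trusted-root.pem> [intermediate.pem]: 0 if a client that trusts only
# the given root can build a path from the portal leaf to it (with hostname check).
verify_chain() {
  if [ $# -gt 1 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" -verify_hostname portal.example.test leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -verify_hostname portal.example.test leaf.pem >/dev/null 2>&1
  fi
}

build_pki
cat leaf.pem l1k.pem > server_bundle.pem   # what the server should send: leaf + intermediate, no root
verify_chain root.pem  l1k.pem && echo "leaf + L1K, real root trusted: OK"
verify_chain root2.pem l1k.pem || echo "same-name root, different key: NOT trusted (the name alone proves nothing)"
verify_chain root.pem          || echo "intermediate missing from the bundle: NOT trusted"
```

The second and third checks reproduce the two failure modes discussed above: the client needs the issuing intermediate from the server, and it matches the root by key, not by display name.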