Wireless Access

Occasional Contributor I

Android Captive Portal Not Trusted using CNA

We were using a 3rd party to host our login pages. We set it up to use their certificate and all seemed to be fine. We are no longer using them and have reverted back to our login pages from about 2 years ago, which are hosted in AWS. Back then, these were using the Aruba controller default cert. I know this cert will not work anymore, so I am trying to get our own cert to work. I am testing in the lab with our certificate, but keep getting trust errors with newer Android devices, specifically when we test with the devices' CNA. The automatic pop-up login page throws an error. I strongly feel the controller config is correct and something in the login page is not. If I open Chrome and try to go to a non-secure site, I get redirected to the login page without any problem. This issue only occurs with the pop-up login page. I can reproduce this error with a Galaxy S8 running 7.0 and a Galaxy J7 running 8.0. I have another Android, an HTC on 5.0, that has no problem when I test with CNA. The pop-up login page on iPhone works fine too. Any ideas?

Guru Elite

Re: Android Captive Portal Not Trusted using CNA

The captive portal has a valid public CA-signed certificate that is chained properly?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor I

Re: Android Captive Portal Not Trusted using CNA

Well, that is a good question. TAC chained the cert that would be used for our production and I had some doubts if it was done correctly. Later I chained a different cert the same way for our lab.


It seems to work redirecting to login page with a browser, so I assumed it is correct. Maybe it is not though.

Occasional Contributor I

Re: Android Captive Portal Not Trusted using CNA

My level 2 engineer says cert is chained correctly. Hmm.

Guru Elite

Re: Android Captive Portal Not Trusted using CNA

Who issued the Certificate?  What is the URL when you get the error?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Occasional Contributor I

Re: Android Captive Portal Not Trusted using CNA

Issued by Entrust. Test login page is:

https://aem-qa.shopwatertower.com/en/wifi.html

It loads without error using chrome browser. I get error using CNA.

[Attached screenshot: IMG_3235.JPG]

Guru Elite

Re: Android Captive Portal Not Trusted using CNA

You mentioned that TAC chained the certificate.  You should continue to work with them, honestly.


Guru Elite

Re: Android Captive Portal Not Trusted using CNA

The cert is not chained correctly. You should only have the leaf cert + Entrust Certification Authority - L1K on the server.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

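One way to check which server bundle actually lets a client build a chain, as an added example that is not part of this thread or of any Aruba tooling: it builds a throwaway root, intermediate and leaf with OpenSSL (the "Lab" names and portal.example.test are constructed stand-ins for the Entrust root, the L1K intermediate and the portal cert), then verifies three candidate bundles against a trust store that holds only the root, which is what a phone's CA store amounts to.

```shell
# Added example (not from the thread): build a throwaway root -> intermediate
# -> leaf PKI, then check candidate server bundles the way a client that only
# trusts the root (a phone's CA store) does. Needs OpenSSL 1.1.1 or newer.
set -eu
cd "$(mktemp -d)"
# Minimal config with the CA and leaf extension sections we sign with.
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:portal.example.test
EOF
# Root stands in for the Entrust root, intermediate for "Entrust Certification
# Authority - L1K", leaf for the portal cert. All names are constructed.
make_lab_pki() {
  openssl req -x509 -config lab.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 30 -subj "/CN=Lab Root CA" -keyout root.key -out root.crt 2>/dev/null
  openssl req -config lab.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Lab Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -days 30 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile lab.cnf -extensions v3_ca -out int.crt 2>/dev/null
  openssl req -config lab.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=portal.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 30 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
    -extfile lab.cnf -extensions v3_leaf -out leaf.crt 2>/dev/null
  # Three bundles a server might be configured with; only the first is wrong.
  cat leaf.crt > bundle_leaf_only.pem
  cat leaf.crt int.crt > bundle_leaf_int.pem
  cat leaf.crt int.crt root.crt > bundle_full.pem
}
# Verify a bundle as a client would: first cert is the leaf, the rest are
# untrusted helpers, root.crt is the only trust anchor. Returns 0 if a chain builds.
verify_bundle() {
  openssl x509 -in "$1" -out first.crt 2>/dev/null   # x509 reads only the first PEM cert
  if openssl verify -CAfile root.crt -untrusted "$1" first.crt >/dev/null 2>&1; then
    echo "$1: chain OK"; return 0
  fi
  echo "$1: chain INCOMPLETE (client cannot reach a trusted root)"; return 1
}
make_lab_pki
for b in bundle_leaf_only.pem bundle_leaf_int.pem bundle_full.pem; do verify_bundle "$b" || true; done
```

The leaf-only bundle fails because the client has no way to find the intermediate; leaf plus intermediate passes, and appending the root changes nothing because the client already holds its own copy.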
Occasional Contributor I

Re: Android Captive Portal Not Trusted using CNA


@cappalli wrote:
The cert is not chained correctly. You should only have the leaf cert + Entrust Certification Authority - L1K on the server.

Thanks for everyone's help. I am trying to chain the cert like you said, and different ways too, but it will not upload without including the root CA and both Sub CAs. I get "public key did not match the private key in CSR store".

Occasional Contributor I

Re: Android Captive Portal Not Trusted using CNA

I figured out what mistake I was making earlier and was able to import the cert chained in different ways. I tried leaf with one intermediate, with both intermediates, then added root. The automatic login page that popped up threw the cert error each time.

I then started to look at my device. I went into settings and found the list of trusted CAs. I was able to find Entrust root and G2 listed there with the exact same name as what my login page uses, but they have different serial numbers, different validity dates, etc. Could that be my issue? Is it just that the CNA is not smart enough to see my cert is valid?
