Wireless Access

We have an issue with our guest network. Normally when a guest joins this network & attempt to access a website they are automatically directed to a company web page requesting a login in order to access internet. Once the guest password is entered access is permitted. However when using chrome (which is most of our guests) there are always certificate errors & users trying to access the guest network never get to the login page & ultimately do not get internet access. Even when I try to manually access the web page on chrome I get a certificate error. There are no issues on other browsers except for chrome.

 

My hunch is that this is a Chrome issue? If so does anyone know what specifically is the cause & what can be done to fix the issue?

What kind of https server certificate do you use? signed by a public PKI?

Dont use certs with greenbar extenstion.

 

see also https://community.arubanetworks.com/t5/Wireless-Access/HELP-Certificate-error-after-clearpass-guest-captive-portal/td-p/293432/page/2

 

Why do you say that? EV certs are absolutely recommended for HTTPS.

Oops... I mixed up the https and radius certifcate requirement, my bad.

thx for your attention Tim.

 

NOTE: Both certificates with a wild card as the common name and Extended Validation certificates are not recommended for use as the RADIUS/EAP server certificate. Some clients may be unable to authenticate when these types of certificates are used.

I am new to SSL certificates. The issuer is Geo Trust which I found online but the users get directed to "captiveportal-login.companyname.com" I assume its a Public Cert. Can I ask why that matters, how to figure that out for sure & how knowing this will fix the issue?

---

 

possible you need to replace the public https certificate due some changes in the CA's support by Chrome. GeoTrust is on that list, but it depends on when your certificate is created.

 

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=ALERT2562&actp=LIST&viewlocale=en_US

 

You can also test this for your certificate here:

https://www.websecurity.symantec.com/support/ssl-checker

 

Ok so I checked my domain name that is associated with the ssl certificate from Geo Trust on the symantic ssl checker you shared with me & see that it recommends replacing my SSL certificate by September of this year or I will start getting Chrome errors. I guess its safe to assume renewing the certificate is the fix for this issue users are experiencing on my guest network? If so why is Chrome giving users these errors now when they attempt to get to the captive portal log in page? Its not September yet.

Cant explain that part:) But if you have to replace it for September  so you can do that maybe a litlle early. You maybe can check if the signed GeoTrust CA and intermediate CA's are in the managed certificate store into Chrome settings.

 

If you access the webpage manually in chrome do you get te same error right ?

Hello,

 

Generally, if you want to avoid some certificate issue, you should allow your client to access the ocsp url defined in the certificate.

 

The reason is that your client, when seeing a certificate with an ocsp url included, will try to contact that url to check if the certificate is revocated.

 

If the url is unreachable more and more browser will display a certificate issue.

 

Cheers,

 

Julien

Chrome actually does not use OCSP anymore. The URLs do not need to be whitelisted.

Good to know. If they dont use OCSP anymore I wonder why the url is still in the cert?

 

 

 

 

The contents of the certificate doesn’t really have anything to do with browser behavior.