Frequent Contributor I

Captive portal and CPPM certificates

Quick question about how the certificates should be generated for use in a multi-controller + CPPM cluster with external captive portal environment using a controller-initiated workflow. I want to make sure I understand exactly what needs to be used for the CNs, SANs and captive portal URL.

This would be for an Aruba 8 environment with multiple controllers and a CPPM cluster with publisher/subscriber.

VIP #1: Primary subscriber, secondary publisher

VIP #2: Primary publisher, secondary subscriber (for standby publisher)

Certificate 1 (For Controllers)(Publicly signed):

CN=wifi-login.domain.xyz

SAN=wifi-login.domain.xyz

This certificate would be uploaded to each controller to be used as the captive portal profile. This CN would NOT be registered in internal DNS. This needs to be publicly signed as it will be used for the URL redirection. The CN would be used as the NAS Vendor Settings Address/Hostname in the guest registration.

Certificate 2 (For CPPM cluster)(Publicly signed):

CN=wifi.domain.xyz

SAN=wifi.domain.xyz

SAN=cppm-pub.domain.xyz

SAN=cppm-sub.domain.xyz

SAN=cppm-vip-sub.domain.xyz

SAN=cppm-vip-pub.domain.xyz

This certificate would be uploaded in CPPM for RADIUS and HTTPS. The CN would be registered in DNS. This CN would resolve to VIP #1 in DNS.

Controller L3 Captive Portal settings:

URL: wifi.domain.xyz/guest/guest.php

Is this the correct way of doing it? I got some additional clarification today on what to do, but I want to be sure. Thanks!

Moderator

Re: Captive portal and CPPM certificates

Yes, correct



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |
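
The name coverage in the certificate plan from the first post can be checked mechanically before any CSR is submitted. This is an added example, not code from the thread or from Aruba: the function names are hypothetical, the hostnames are the ones given in the post, and the wildcard handling goes beyond what that plan uses.

```python
from urllib.parse import urlsplit

# Names copied from the first post; nothing here contacts a real host.
CONTROLLER_SANS = ["wifi-login.domain.xyz"]
CPPM_SANS = ["wifi.domain.xyz", "cppm-pub.domain.xyz", "cppm-sub.domain.xyz",
             "cppm-vip-sub.domain.xyz", "cppm-vip-pub.domain.xyz"]
PORTAL_URL = "wifi.domain.xyz/guest/guest.php"  # controller L3 captive portal URL
NAS_ADDRESS = "wifi-login.domain.xyz"           # NAS Vendor Settings address

def san_matches(host, san):
    """DNS name match: exact, or one left-most '*' label (never more than one)."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san

def uncovered(cert_sans, names):
    """Names that no SAN entry covers. Modern browsers match against the SAN
    list only, so a name present only in the CN counts as uncovered."""
    return [n for n in names if not any(san_matches(n, s) for s in cert_sans)]

def url_host(url):
    """Hostname of a portal URL, accepting the scheme-less form from the post."""
    return urlsplit(url if "://" in url else "https://" + url).hostname

def check_plan():
    """Names each certificate must cover but does not (empty lists: consistent)."""
    return {
        "controller": uncovered(CONTROLLER_SANS, [NAS_ADDRESS]),
        "cppm": uncovered(CPPM_SANS, [url_host(PORTAL_URL)]),
    }

if __name__ == "__main__":
    print(check_plan())
    # Swapping the two certificates would leave each name uncovered.
    print(uncovered(CPPM_SANS, [NAS_ADDRESS]),
          uncovered(CONTROLLER_SANS, [url_host(PORTAL_URL)]))
```
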

Frequent Contributor I

Re: Captive portal and CPPM certificates

Thank you so much for confirming this Tim. Much appreciated.

Frequent Contributor I

Re: Captive portal and CPPM certificates

Running into issues with Android devices specifically showing a certificate error on the redirect. I am using Entrust G2 root signed, L1K intermediate for my captive portal certificate. FQDN is resolving correctly.

TAC says that Android has issues with Entrust G2. Is there any truth to that? What would be the best way to start troubleshooting this issue?

I am not getting a cert error when going to the captive portal. It is only after the login and the redirect where I am getting that.
