Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clearpass Captive Portal SSL

  • 1.  Clearpass Captive Portal SSL

    Posted Nov 09, 2018 07:16 PM

    We have a guest captive portal set up on our Guest SSID and the URL is HTTPS using a valid Go Daddy cert, but the problem we are facing is that when a user tries to connect to the Guest SSID and accept the captive portal they are presented with a web page that says the certificate is invalid, basically a false-positive man-in-the-middle attack. How have people been dealing with this?

  • 2.  RE: Clearpass Captive Portal SSL

    MVP EXPERT
    Posted Nov 10, 2018 05:08 AM
    Upload a captive portal certificate to the controller, and enter this DNS entry in your captive portal settings on ClearPass.

    It doesn't need to be a resolvable DNS name; it is just used to check the certificate after a successful authentication with the controller.

    The default securelogin.arubanetworks.com does not work anymore.


  • 3.  RE: Clearpass Captive Portal SSL

    Posted Nov 10, 2018 07:19 AM

    When uploading the certificate to the controller / IAP cluster the certificate should include the private key and the keychain. You can combine everything in one PEM file with the following structure.


    -----BEGIN CERTIFICATE-----
    SERVER CERTIFICATE
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    INTERMEDIATE CERTIFICATE
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ROOT CERTIFICATE
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    PRIVATE KEY
    -----END RSA PRIVATE KEY-----


    Also, you shouldn't forget to change the default callback address securelogin.arubanetworks.com in the WebLogin of Self-Service page on ClearPass. For example, when you upload the named certificate webauth.example.com to the controller the callback address should also be webauth.example.com. When you upload a wildcard certificate (*.example.com) to the controller, the callback address should be captiveportal-login.example.com.



  • 4.  RE: Clearpass Captive Portal SSL

    EMPLOYEE
    Posted Nov 10, 2018 12:37 PM
    You should never include the root certificate in the chain.
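
    Putting posts 3 and 4 together as a runnable check (added example, not code from the thread or from HPE Aruba): the script below concatenates the server certificate, the intermediate(s) and the private key into the single PEM file the controller takes, then verifies the things that go wrong in practice before the upload: a self-signed root slipped into the bundle, certificates in the wrong order, a private key that does not belong to the server certificate, a chain that does not build, and a certificate that does not cover the hostname used as the ClearPass callback address (a wildcard certificate is checked the same way, so the captiveportal-login.example.com case from post 3 is covered). It assumes the openssl command-line tool; file names, hostnames and the root certificate path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: build the single PEM bundle an Aruba
# controller / IAP cluster takes as its captive-portal server certificate and
# sanity-check it before uploading. Bundle order: server cert, then the
# intermediate(s), then the private key. The self-signed root is deliberately
# NOT part of the bundle; it is only used here as the trust anchor to verify
# against. Needs the openssl CLI; all file names are placeholders.

# make_bundle LEAF.crt KEY.pem OUT.pem [INTERMEDIATE.crt ...]
make_bundle() {
    leaf=$1; key=$2; out=$3; shift 3
    {
        cat "$leaf"
        for inter in "$@"; do cat "$inter"; done
        cat "$key"
    } > "$out"
}

# check_bundle BUNDLE.pem HOSTNAME ROOT.crt
# HOSTNAME is the name the portal / callback URL uses (e.g. webauth.example.com).
# Prints the first problem found and returns 1; returns 0 if every check passes.
check_bundle() {
    d=$(mktemp -d) || return 1
    _check_bundle_in "$1" "$2" "$3" "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}

_check_bundle_in() {
    bundle=$1; host=$2; root=$3; d=$4
    # Split the bundle into cert1.pem, cert2.pem, ... and key1.pem
    awk -v d="$d" '
        /^-----BEGIN CERTIFICATE-----/   { n++; f = d "/cert" n ".pem" }
        /^-----BEGIN .*PRIVATE KEY-----/ { k++; f = d "/key" k ".pem" }
        f != ""                          { print > f }
        /^-----END CERTIFICATE-----/ || /^-----END .*PRIVATE KEY-----/ { close(f); f = "" }
    ' "$bundle"
    ncert=$(ls "$d" | grep -c '^cert')
    nkey=$(ls "$d" | grep -c '^key')
    [ "$ncert" -ge 1 ] || { echo "FAIL: no certificate found in $bundle"; return 1; }
    [ "$nkey" -eq 1 ]  || { echo "FAIL: expected exactly one private key, found $nkey"; return 1; }

    # 1. No self-signed (root) certificate anywhere in the bundle, and
    # 2. each certificate is issued by the one that follows it (chain order)
    i=1
    while [ "$i" -le "$ncert" ]; do
        subj=$(openssl x509 -noout -subject -in "$d/cert$i.pem" | sed 's/^subject=//')
        iss=$(openssl x509 -noout -issuer -in "$d/cert$i.pem" | sed 's/^issuer=//')
        [ "$subj" != "$iss" ] || { echo "FAIL: cert $i ($subj) is self-signed; leave the root out of the bundle"; return 1; }
        if [ "$i" -lt "$ncert" ]; then
            next=$(openssl x509 -noout -subject -in "$d/cert$((i + 1)).pem" | sed 's/^subject=//')
            [ "$iss" = "$next" ] || { echo "FAIL: cert $i is not issued by cert $((i + 1)); chain order is wrong"; return 1; }
        fi
        i=$((i + 1))
    done

    # 3. The private key belongs to the server certificate (the first cert):
    #    compare the SubjectPublicKeyInfo derived from each side
    openssl pkey -in "$d/key1.pem" -passin pass: -pubout -out "$d/key.pub" 2>/dev/null \
        || { echo "FAIL: cannot read the private key (encrypted or malformed?)"; return 1; }
    openssl x509 -in "$d/cert1.pem" -noout -pubkey > "$d/cert.pub"
    cmp -s "$d/key.pub" "$d/cert.pub" \
        || { echo "FAIL: private key does not match the server certificate"; return 1; }

    # 4. The chain builds up to the root that is held outside the bundle
    untrusted=""
    if [ "$ncert" -gt 1 ]; then
        i=2
        while [ "$i" -le "$ncert" ]; do cat "$d/cert$i.pem" >> "$d/inter.pem"; i=$((i + 1)); done
        untrusted="-untrusted $d/inter.pem"   # $d comes from mktemp, so no spaces
    fi
    openssl verify -CAfile "$root" $untrusted "$d/cert1.pem" > /dev/null 2>&1 \
        || { echo "FAIL: chain does not verify against $root (missing intermediate?)"; return 1; }

    # 5. The server certificate covers the portal / callback hostname (SAN or wildcard)
    openssl x509 -in "$d/cert1.pem" -noout -checkhost "$host" | grep -q " does match " \
        || { echo "FAIL: $host is not covered by the server certificate"; return 1; }
    echo "OK: $bundle is valid for $host"
}
```

    Run check_bundle with the hostname you will enter as the callback address on the ClearPass WebLogin page; the root certificate is passed only as the trust anchor and is never written into the bundle.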


  • 5.  RE: Clearpass Captive Portal SSL

    Posted Nov 10, 2018 03:23 PM

    I think everyone is misunderstanding what I am saying. Right now we have ClearPass Guest running with HTTPS. The problem is when people connect to the Guest SSID, they either have their default home page or the last URL the web browser went to may have been an SSL (HTTPS) site. The client connects to the SSID, but when they attempt to browse to a URL, if it is an HTTP site there is no issue, they get issued the splash page of the guest captive portal. If they attempted to go to an HTTPS (SSL) page they get presented and challenged with a web browser problem saying the certificate is invalid because it is acting like a man-in-the-middle attack.

  • 6.  RE: Clearpass Captive Portal SSL

    Posted Nov 10, 2018 04:04 PM
    Like one of the other guys suggested, you need to replace the certificate used for the captive portal on your controllers.
    Check if the cert expired and update it; it is recommended that you use a cert from a well-known third-party CA (GoDaddy, DigiCert, etc., to name a few).

    Thank you

    Victor Fabian


  • 7.  RE: Clearpass Captive Portal SSL

    MVP EXPERT
    Posted Nov 10, 2018 05:42 PM

    OK! I understand you better now. You mean the first website that is HTTPS, before you get redirected to the ClearPass captive portal.

    Normally the captive portal will automatically pop up when you connect to the guest SSID. But when you ignore that and try to browse to a website, https://community.arubanetworks.com for example, you get a man-in-the-middle error because the website is redirected to the ClearPass captive portal.

    This is in my eyes normal behavior, because it is redirected.

    Example in my HomeLAB: [image attachment: Capture.PNG]



  • 8.  RE: Clearpass Captive Portal SSL

    EMPLOYEE
    Posted Nov 12, 2018 02:39 AM

    You can't redirect HTTPS traffic (unless you control the server). See here for why that is.

    There is simply no way to fix this; probably the best option is to just block (or allow through) HTTPS traffic in your logon role. As Tim said, the captive network assistant should kick in; if it doesn't, you will need to fix that.



  • 9.  RE: Clearpass Captive Portal SSL

    Posted Nov 10, 2018 05:54 PM
    Ah okay, different problem. If the captive portal pop-up doesn't start automatically, you can see this as a by-design issue. As far as I know there is no way to prevent this.


  • 10.  RE: Clearpass Captive Portal SSL

    Posted Nov 10, 2018 06:11 PM

    Yes, correct ... I know it is doing what it is supposed to by design, but what I am asking is: is there any way to prevent this from happening? Does the ClearPass Guest captive portal have to be HTTPS or can it be HTTP? We are not passing any sensitive credentials via the captive portal.



  • 11.  RE: Clearpass Captive Portal SSL

    MVP EXPERT
    Posted Nov 10, 2018 06:21 PM

    One of the disadvantages of a captive portal is that the "in air" traffic is not encrypted by AES but is unencrypted data. This data can be easily captured from the air without even connecting to your wireless network.

    For that reason I would not recommend using a captive portal without HTTPS encryption. But yes, of course it is possible.



  • 12.  RE: Clearpass Captive Portal SSL

    EMPLOYEE
    Posted Nov 11, 2018 12:06 PM
    The OS’s captive portal detection should always fire. If it’s not, you’re whitelisting too many domains in the pre-auth role.
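
    A way to test what posts 8 and 12 describe (added example, not from the thread or from HPE Aruba): the script below sends the same plain-HTTP probes that iOS/macOS, Android, Windows and Firefox send after association (assumption: these public probe URLs and expected replies are still current) and classifies each reply. A probe that receives the genuine answer means that probe host is reachable through the pre-auth role, so that OS believes it has Internet and will not show its sign-in window; a redirect or a different page means the portal intercepted it and the captive network assistant fires; no HTTP reply at all means the OS reports "no Internet" and shows nothing either. The probes are HTTP, not HTTPS, for exactly the reason post 8 gives: an HTTPS request cannot be redirected. Assumes curl is installed and the machine is associated to the guest SSID; the verdict text and the RUN_PROBES switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: send the connectivity probes the client
# operating systems use to decide whether to show the captive-portal sign-in
# window, and classify what the logon (pre-auth) role does to each of them.
# Probe URLs and expected replies are the public endpoints used by iOS/macOS,
# Android, Windows and Firefox (assumption: still current). Needs curl.

# label|URL|expected status|expected body substring (empty = any body)
PROBES='apple|http://captive.apple.com/hotspot-detect.html|200|Success
android|http://connectivitycheck.gstatic.com/generate_204|204|
windows|http://www.msftconnecttest.com/connecttest.txt|200|Microsoft Connect Test
firefox|http://detectportal.firefox.com/success.txt|200|success'

# classify_probe STATUS REDIRECT_URL BODY WANT_STATUS WANT_BODY -> one word:
#   open     genuine reply: the OS thinks it has Internet, no sign-in window
#            (the probe host is let through by the pre-auth role)
#   captive  intercepted (redirect, or a different page served): window fires
#   blocked  no HTTP reply at all (curl status 000): OS says "no Internet"
classify_probe() {
    status=$1; redirect=$2; body=$3; want_status=$4; want_body=$5
    case "$status" in
        000) echo blocked ;;
        "$want_status")
            case "$body" in
                *"$want_body"*) echo open ;;
                *)              echo captive ;;
            esac ;;
        *) echo captive ;;
    esac
}

# run_probe URL BODYFILE -> prints "STATUS REDIRECT_URL"; body goes to BODYFILE.
# Redirects are not followed on purpose: the redirect itself is the evidence.
run_probe() {
    meta=$(curl -s --max-time 5 -o "$2" -w '%{http_code} %{redirect_url}' "$1" 2>/dev/null)
    [ -n "$meta" ] || meta="000 "
    echo "$meta"
}

# check_all_probes: one line per OS probe, then a verdict on the logon role
check_all_probes() {
    bodyfile=$(mktemp); opens=0; blocked=0; total=0
    while IFS='|' read -r label url want_status want_body; do
        [ -n "$url" ] || continue
        meta=$(run_probe "$url" "$bodyfile")
        status=${meta%% *}; redirect=${meta#* }
        verdict=$(classify_probe "$status" "$redirect" "$(head -c 512 "$bodyfile")" "$want_status" "$want_body")
        printf '%-8s %-3s %-8s %s\n' "$label" "$status" "$verdict" "$redirect"
        total=$((total + 1))
        [ "$verdict" = open ] && opens=$((opens + 1))
        [ "$verdict" = blocked ] && blocked=$((blocked + 1))
    done <<EOF
$PROBES
EOF
    rm -f "$bodyfile"
    if [ "$opens" -gt 0 ]; then
        echo "verdict: $opens of $total probe hosts are reachable pre-auth; remove them from the logon role's allow list or those platforms will never pop the portal"
    elif [ "$blocked" -gt 0 ]; then
        echo "verdict: $blocked of $total probes got no reply; blocked probes mean 'no Internet' on the client, not a sign-in window"
    else
        echo "verdict: every probe is intercepted; the captive network assistant should fire"
    fi
}

# Only hit the network when explicitly asked: RUN_PROBES=1 sh this-script.sh
if [ "${RUN_PROBES:-0}" = 1 ]; then check_all_probes; fi
```

    Run it from a client that has just associated to the guest SSID and not yet logged in. Any line that reads "open" names a probe host the pre-auth role is letting through; that is the over-whitelisting post 12 refers to.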


  • 13.  RE: Clearpass Captive Portal SSL

    Posted Nov 14, 2018 10:14 AM

    Have you uploaded the certificate to ClearPass --> Administration --> Certificates --> HTTPS certificate?