Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAP - Invalid certificate message when redirected to an external portal

  • 1.  IAP - Invalid certificate message when redirected to an external portal

    Posted Aug 27, 2018 11:13 AM

    I am facing a situation where my users are receiving an invalid certificate message when they are redirected to an external portal through the WiFi Aruba Instant.
    Both the ClearPass external portal and Aruba Instant have a valid certificate.
    We use the IAP redirect rule for a page hosted on ClearPass based on the user's condition.
    If the user is authorized, he authenticates and receives the ROLE AllowALL.


    If the user is NOT authorized, he receives the ROLE Portal and is redirected to the page hosted in ClearPass.


    The user receives the alert from the browser that the certificate instant.mydomain.com is not trusted.


    The instant.mydomain.com certificate has been issued by a public CA and imported into the virtual controller, where I can test the validity of the certificate through the web administration itself.


    A curious fact is that the user logged on to the Aruba WiFi resolves the name instant.mydomain.com to 172.31.98.1 and not to the IP set on the DNS server.

     

    Has anyone had a problem before?

     

    Thank you,

     

    Ed

     



  • 2.  RE: IAP - Invalid certificate message when redirected to an external portal

    EMPLOYEE
    Posted Aug 27, 2018 11:31 AM

    DNS requests to the FQDN of the Instant certificate will be hijacked and responded to by the IP address on the guest network of the Instant cluster.

    The Captive Portal certificate on ClearPass is separate. Is the External Captive Portal profile on Instant redirecting users using an IP address or the FQDN of the Captive Portal certificate on ClearPass? Is the FQDN of the Captive Portal certificate on ClearPass resolvable in DNS?



  • 3.  RE: IAP - Invalid certificate message when redirected to an external portal

    Posted Aug 27, 2018 12:37 PM

    Hi Cjoseph,

     

    The External Captive Portal profile on Instant is redirecting users using the FQDN of the Captive Portal certificate on ClearPass.

    The FQDN of the Captive Portal certificate on ClearPass is resolvable in DNS.

    The strange thing is that the user receives the certificate error message for instant.mydomain.com and not for the Captive Portal certificate on ClearPass. Does it make sense?

     

    Thank you

     



  • 4.  RE: IAP - Invalid certificate message when redirected to an external portal

    EMPLOYEE
    Posted Aug 27, 2018 01:04 PM

    - What is the message?

    - What CA did you get the certificate from and how did you combine the server certificate for Instant?



  • 5.  RE: IAP - Invalid certificate message when redirected to an external portal

    Posted Aug 28, 2018 09:25 AM

    * instant.mydomain.com  = ap.clubefato.com.br

    When the user opens the browser and tries to access the internet this error message is displayed:


    Pic-Cert Error.JPG

    The user clicks Advanced and trusts this certificate and then is directed to the ClearPass portal. (Portal with a valid certificate that does not present errors.)

    When we try to access the Instant web administration on the corporate network by typing the FQDN ap.clubefato.com.br, the certificate is valid and no errors appear.

    The certificate was issued by COMODO CA. The certificate was combined following this topic.

     

    https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025