Wireless Access

Contributor I

certificate resolution

I want to advise a customer on what DNS entry they may need to put into their server for a guest WLAN.

Does the name on the controller's captive portal certificate need to resolve to the IP address of the device, or does it not matter?

I came across a document that says the name should not be resolvable but I'm not sure whether this is an official document so want to make sure on this point.

If there are multiple controllers with the same certificate, how does resolution work in this scenario?

Also, would it cause an issue if the same cert was used both on the controllers and ClearPass - I would recommend against it, but the customer has put the same cert on both and want to know whether this would definitely cause an issue.

MVP Guru

Re: certificate resolution

The CPPM certificates should contain the DNS (SAN) names as to where the Captive Portal is hosted. A DNS record should also be in place which matches the DNS names specified in the CPPM certificate (so the DNS would resolve the URL to CPPM). This way, from the client browser's perspective, they are always visiting the same URL.


The certificate on the controller does not need to be resolvable; it is merely to intercept the HTTPS request.


Take a look at the below, this is a really helpful resource.



If my post addresses your query, give kudos:)
Guru Elite

Re: certificate resolution

A DNS entry should not be configured in the infrastructure for the FQDN of the Captive Portal Certificate on the controller. The controller automatically intercepts DNS requests for the FQDN of the Captive Portal Certificate from WLAN clients and responds with the IP address of the controller that the client is on. This is used for the initial Captive Portal redirect and Captive Portal Authentication later.


The customer should and must use 2 different public certificates for the Controller Captive Portal and the ClearPass Server. Since the controller will intercept DNS requests for the FQDN of the certificate imported into the captive portal on the controller, the admin will never be able to send clients to the ClearPass server in the Captive Portal Authentication logon page parameter, because the controller will always answer with its IP address, creating a loop.


You should create a DNS entry for the ClearPass server in the infrastructure based on the FQDN of the ClearPass Captive Portal Certificate, however. Please read the ClearPass Certificates 101 document here for details: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33288


Multiple Controllers can and should use the same certificate, because the controller always responds to the client with the ip cp-redirect-address of the controller that the client is on for DNS requests for the FQDN of the controller's captive portal certificate. Create the CSR for the controller captive portal certificate offline, however. If you create it on a single controller, the certificate will only work on the controller that you created the CSR on.


If using ArubaOS 8.x with an MM, the admin should import the controller's captive portal certificate by navigating to the highest level folder where all controllers would need access on the MM at Configuration > System > Certificates. Click on the + Sign to Import. Give it a friendly non-cryptic name that means something and make sure the certificate type is ServerCert. After that is saved and pushed, you need to assign that certificate to the Captive Portal of your MDs. You would do this by again making sure you are at the highest folder of the hierarchy of all the MDs that you want to share the Captive Portal Certificate. Then go to Configuration > System > More > General > Captive Portal Certificate and select the Server Certificate to be the friendly name of the certificate you just imported.



That will make all of your MDs use the same certificate.

Make sure while on this page, you navigate down to each MD to ensure they are all pointing to the certificate you imported and that there is no blue dot on this parameter.  If you changed this parameter at the MD level at any time, it will override whatever you did higher up in the hierarchy.


Yes, it would cause an issue if the same cert is on ClearPass and the MDs, because the controller always intercepts DNS requests to the FQDN of the certificate with its own IP address. Also, the form in ClearPass needs to reference the FQDN of the controller when doing the submit for captive portal authentication. Lastly, you need to initially forward Clients to the FQDN of the ClearPass page in the "logon page" parameter of the Captive Portal Authentication profile, and that will not work if that same FQDN is on the controller certificate.


I hope that helps in any way,...

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
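
A pre-deployment check for the naming rules in the answer above, as an added example that is not part of the original thread and is not Aruba's own tooling. The function name, the host names and the 192.0.2.x addresses are hypothetical; the certificate names are passed in as plain lists rather than read from the certificates.

```python
import socket
from urllib.parse import urlsplit

def norm(name):
    """Lower-case an FQDN and drop a trailing dot so names compare equal."""
    return name.strip().rstrip(".").lower()

def system_resolver(fqdn):
    """Addresses that infrastructure DNS returns for fqdn (empty set if none)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(fqdn, 443)}
    except socket.gaierror:
        return set()

def check_guest_portal(controller_names, clearpass_names, logon_page_url,
                       clearpass_ips, resolve=system_resolver):
    """Return a list of findings; an empty list means the layout matches the advice."""
    ctrl = {norm(n) for n in controller_names}
    cppm = {norm(n) for n in clearpass_names}
    findings = []
    # Same name on both certificates: the controller answers DNS for it, so clients loop.
    for name in sorted(ctrl & cppm):
        findings.append(f"{name}: on both controller and ClearPass certificates")
    # The controller's captive portal name should have no infrastructure DNS record.
    for name in sorted(ctrl):
        if resolve(name):
            findings.append(f"{name}: controller certificate name has a DNS record")
    # The ClearPass name needs a record, and it must point at ClearPass.
    for name in sorted(cppm - ctrl):
        addrs = resolve(name)
        if not addrs:
            findings.append(f"{name}: ClearPass name has no DNS record")
        elif not addrs <= set(clearpass_ips):
            findings.append(f"{name}: resolves to {sorted(addrs)}, not ClearPass")
    # The "logon page" host must be a ClearPass name the controller will not intercept.
    host = norm(urlsplit(logon_page_url).hostname or "")
    if host in ctrl or host not in cppm:
        findings.append(f"{host}: logon page host is not a ClearPass-only name")
    return findings
```

Run it from a host on the wired infrastructure rather than from a guest WLAN client, since the controller answers DNS for its certificate name on the WLAN and would mask what the infrastructure DNS actually holds.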