Wireless Access

last person joined: 17 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

certificate resolution

This thread has been viewed 19 times

  • 1.  certificate resolution

    Posted Jan 08, 2020 05:05 AM

    I wan't to advise a customer on what DNS entry they may need to put into their server for a guest WLAN.

    Does the name on the controllers captive portal certificate need to resolve to the IP address of the device or does it not matter.

    I came across a document that says the name should not be resolvable but I'm not sure whether this is an official document so want to make sure on this point.

    If there are multiple controllers with the same certificate how does resolution work in this scenario.

    Also would it cause an issue if the same cert was used both on the controllers and clearpass - I would recommend against it but the customer has put the same cert on both and want to know whether this would definitely cause an issue.



  • 2.  RE: certificate resolution

    MVP EXPERT
    Posted Jan 08, 2020 05:29 AM

    The CPPM certificates should contain the DNS (SAN) names as to where the Captive Portal is hosted. A DNS record should be also in place which matches the DNS names specified in the CPPM certificate (so the DNS would resolve the URL to CPPM). This way, from the clients browsers perspective they are always visiting the same URL.

     

    The certificate on the controller, does not need to be resolvable it is merely to intercept the HTTPS request.

     

    Take a look at the below, this is a really helpful resource.

     

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_ViewDetails/Default.aspx?EntryId=19184



  • 3.  RE: certificate resolution
    Best Answer

    EMPLOYEE
    Posted Jan 08, 2020 06:01 AM

    A DNS entry should not be configured in the infrastructure for the fqdn of the Captive Portal Certificate on the controller.  The controller automatically intercepts DNS requests for the FQDN of the Captive Portal Certificate from WLAN clients and responds with the ip address of the controller that the client is on.  This is used for the initial Captive Portal redirect and Captive Portal Authentication later.

     

    The customer should and must use 2 different public certificates for the Controller Captive Portal and the ClearPass Server.  Since the controller will intercept DNS requests for the fqdn of the certificate imported into the captive portal on the controller, the admin will never be able to send clients to the ClearPass server in the Captive Portal Authentication logon page parameter, because the controller will always answer with its ip address, creating a loop.

     

    You should create a DNS entry for the ClearPass server in the infrastructure based on the fqdn of the ClearPass Captive Portal Certificate, however.  Please read the Clearpass Certificates 101 document here for details:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=33288

     

    Multiple Controllers can and should use the same certificate, because the controller always responds to the client with the ip cp-redirect-address of the controller that the client is on for DNS requests for the fqdn of the controller's captive portal certificate.  Create the CSR for the controller captive portal certificate offline, however.  If you create it on a single controller, the certificate will only work on the controller that you created the CSR on.

     

    If using ArubaOS 8.x with an MM, the admin should import the controller's captive portal certificate by navigating to the highest level folder where all controllers would need access on the MM at Configuration> System> Certificates.  Click on the + Sign to Import.  Give it a friendly non-cryptic name that means something and make sure the certificate type is ServerCert.  After that is saved and pushed, you need to assign that certificate to the Captive Portal of your MDs.  You would do this by agan making sure you are at the highest folder of the heirarchy of all the MDs that you want to share the Captive Portal Certificate.  Then to go Configuration> System> More> General > Captive Portal Certificate and select the Server Certificate to be the friendly name of the certificate you just imported:

    Screenshot 2020-01-08 at 04.55.08.png

     

    That will make all of your MDs use the same certificate.

    Make sure while on this page, you navigate down to each MD to ensure they are all pointing to the certificate you imported and that there is no blue dot on this parameter.  If you changed this parameter at the MD level at any time, it will override whatever you did higher up in the hierarchy.

     

    Yes it would cause an issue if the same cert is on clearpass and the MDs, because the controller always intercepts dns requests to the fqdn of the certificate with its own ip address.  Also, the form in ClearPass needs to reference the fqdn of the controller when doing the submit for captive portal authentication.  Lastly, you need to initially forward Clients to the fqdn of the ClearPass page in the "logon page" parameter of the Captive Portal Authentication profile, and that will not work, if that same fqdn is on the controller certificate.

     

    I hope that helps in any way,...