Security

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

ok this setting is correct, so now the controller should have a wildcard cert with that domain. 

what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?

I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

oh.  I didn't add a SAN when I bought it.  Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com?  I would like to use this for my Clearpass server too.  Maybe I should have both names added?

ok this setting is correct, so now the controller should have a wildcard cert with that domain. 

what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?

I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

yes you need SAN field for wildcard certs and you could use it for your clearpass node as well. 

no you should not add captiveportal-login.domain.com as a SAN. 

"captiveportal-login" just tells the controller / IAP to use their wildcard cert for captive portal redirection.

oh.  I didn't add a SAN when I bought it.  Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com?  I would like to use this for my Clearpass server too.  Maybe I should have both names added?

ok this setting is correct, so now the controller should have a wildcard cert with that domain. 

what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?

I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

Thanks for your help ariyap.  I was able to reissue the certificate with the SANs.  I've installed it on the controller and assigned it to the captive portal.  But I'm still getting the error with the new certificate.  Any other ideas?

yes you need SAN field for wildcard certs and you could use it for your clearpass node as well. 

no you should not add captiveportal-login.domain.com as a SAN. 

"captiveportal-login" just tells the controller / IAP to use their wildcard cert for captive portal redirection.

oh.  I didn't add a SAN when I bought it.  Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com?  I would like to use this for my Clearpass server too.  Maybe I should have both names added?

ok this setting is correct, so now the controller should have a wildcard cert with that domain. 

what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?

I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help

you should not add captiveportal-login.domain.com as a SAN. 

Thanks for your help ariyap.  I was able to reissue the certificate with the SANs.  I've installed it on the controller and assigned it to the captive portal.  But I'm still getting the error with the new certificate.  Any other ideas?

yes you need SAN field for wildcard certs and you could use it for your clearpass node as well. 

no you should not add captiveportal-login.domain.com as a SAN. 

"captiveportal-login" just tells the controller / IAP to use their wildcard cert for captive portal redirection.

oh.  I didn't add a SAN when I bought it.  Will I need to have it reissued with a SAN that reads captiveportal-login.domain.com?  I would like to use this for my Clearpass server too.  Maybe I should have both names added?

ok this setting is correct, so now the controller should have a wildcard cert with that domain. 

what is the SAN field of the wild card cert that you have installed on the controller for captive portal usage?

I beleve this is the setting:  my understanding this is what to use if you're using a wildcard certificate.

in the weblogin page that you have configured on ClearPass guest, what hostname are you using in the "Login" section of that weblogin?

Thanks for the reply.  No.  I get the Clearpass captive portal page.  I enter my Guest credentials, click connect, then I get the warning.

generally when the client first connect to Guest  network the initial splash pages comes from ClearPass guest. is that when the client is getting the warning?

BTW, My Clearpass server has its own certificate clearpass.domain.com.  It's not using the wildcard

Hi All,

I've setup a guest Wi-Fi with my Aruba controllers and Clearpass standalone.  I have a wildcard certificate I installed on the controller for *.domain.com with the use of "ServerCert." 

Once I installed the certificate on the controller, I can click on it and see the "issued to" name is *.domain.com

I also installed the intermediate and root certificates with uses of "intermediateCA" and "TrustedCa" respectively.

I then went to System -> Profiles -> Otherprofiles -> Web server configuration and set the captive portal certificate to the server certificate I just installed.

For Clearpass, I installed the wildcard intermediate and root in the Trusted list.

When the client connects, I get a certificate error that "Unable to verify the identity of the website captiveportal-login.domain.com."  If I click show certificatae, I can see our wildcard, I can see it's not expired, but it reads, "*.domain.com is not trusted."

Does this need Internet access to validate the certificate?  My Guest-logon role only allows internal access to Clearpass.  Am I using the incorrect web site for the captiveportal login?

Thanks for your help