
Redirect url uses wrong certificate after successful Captive Portal Authentication.

  • 1.  Redirect url uses wrong certificate after successful Captive Portal Authentication.

    Posted Feb 27, 2024 10:22 AM

    I am working on an issue where after a guest user successfully logs on via the web portal for our guest WLAN, there is a certificate error because the certificate used for the redirect (securelogon.hpe.com) does not match the redirect URL. I'm not even sure why the HPE certificate even comes into play at all. Here are the basics of the setup.

    APs are all Instant AP515s that are managed in Aruba Central.

    The Web portal for the Guest WLAN is hosted on our ClearPass Cluster.

    The ClearPass server and web portal use a https certificate that is signed by Entrust. 

    When a Guest connects to the WLAN, they are directed to the web logon page hosted on our ClearPass as they should be. The logon page loads without any errors and the correct certificate is used.

    The user enters valid credentials and accepts the usage terms and the authentication succeeds with an accept message sent back to the AP from the ClearPass RADIUS server and the "GUEST" role is assigned to the user. At this point the authenticated Guest user is redirected to our corporate website (ocdsb.ca) as a landing/welcome page and this is where the problem occurs. For some reason the (securelogon.hpe.com) certificate is being associated with (ocdsb.ca) and there is of course an error because the CN does not match.

    Any advice would be greatly appreciated as I keep getting passed back and forth by TAC between the AP/Central team and the ClearPass team.

    Cheers.



  • 2.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    EMPLOYEE
    Posted Feb 27, 2024 10:45 AM

    Two certificates are required when using a controller initiated logon flow, one on the captive portal and one at the network device.

    Basic diagram of captive portal login using controller initiated:

    If you don't have a valid certificate on the network device and configure the captive portal to use that FQDN for login, then you'll end up with SSL errors.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    Posted Feb 27, 2024 11:09 AM

    Thank you, chulcher, for this information.

    My Network Devices/APs have valid certificates installed via Aruba Central. Both the cert for the ClearPass web portal and the corporate web page are there.

    The ClearPass server itself has the https certificate installed which is used for both the Management webUI and the Guest Captive portal.  

    My feeling is that the issue may be located in the ClearPass Guest configuration for the web logon page.

    Specifically this part.

    My feeling is that the highlighted line should not be (securelogon.hpe.com). Should that not be ocdsb.ca, the redirect URL configured on the APs?

    I am hesitant to change it though because it was TAC that told me to put that value there a few years back and up until this error showed up, everything has been fine.

    The only other change that has been made recently is that the https certificate used for the web logon page expired and was renewed back in mid January, but as I mentioned, that new certificate is installed on both the APs and the ClearPass Cluster.




  • 4.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    EMPLOYEE
    Posted Feb 27, 2024 11:22 AM

    I'm going to guess that since you mention Central this is an IAP deployment?

    The "Address" field in the ClearPass configuration must match the Common Name of the certificate used by the IAP for the captive portal purpose.  Since you are Central managed you have two valid options here, you can load your own certificate and specify that to be used for captive portal or you can use the one provided by Central.

    Example:

    I have this group configured to use aruba_default.

    Default = the default certificate on the IAP, don't use this, CN = securelogin.arubanetworks.com

    aruba_default = Certificate managed by Central, CN = securelogin.hpe.com

    <custom> = Certificate that you have loaded into the Central certificate store

    The easiest option is to use 'aruba_default' as that is automatically renewed and assigned, requiring no maintenance from you.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
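
The rule in the reply above (the ClearPass "Address" value must match a name on the certificate the IAP presents for captive portal) can be checked mechanically. This is an added example, not code from the thread or from Aruba: the certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, using the two CNs quoted in the reply plus a placeholder `*.example.org` custom certificate, and the SAN entries are assumptions. It goes slightly beyond the reply by preferring subjectAltName, which is what current browsers match on, and using the CN only when no SAN is present.

```python
# Constructed sample certificates (getpeercert()-style dicts). CNs for the first
# two come from the thread; SAN values and the "custom" entry are assumptions.
CERTS = {
    "default": {"subject": ((("commonName", "securelogin.arubanetworks.com"),),)},
    "aruba_default": {
        "subject": ((("commonName", "securelogin.hpe.com"),),),
        "subjectAltName": (("DNS", "securelogin.hpe.com"),),
    },
    "custom": {
        "subject": ((("commonName", "*.example.org"),),),
        "subjectAltName": (("DNS", "*.example.org"),),
    },
}

def cert_names(cert):
    """Return (SAN DNS names, CNs), lower-cased, from a getpeercert()-style dict."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return sans, cns

def name_matches(pattern, host):
    """Exact match, or a leftmost '*' label standing in for exactly one label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_address(address, cert):
    """Return (ok, reason) for a ClearPass 'Address' value against one certificate."""
    host = address.strip().lower().rstrip(".")
    sans, cns = cert_names(cert)
    candidates = sans or cns  # SAN wins when present; CN is the legacy fallback
    for name in candidates:
        if name_matches(name, host):
            return True, f"{host} matches {name}"
    return False, f"{host} not covered by {candidates}"

def audit(address):
    """Map each sample certificate choice to whether the address is covered by it."""
    return {label: check_address(address, cert)[0] for label, cert in CERTS.items()}

if __name__ == "__main__":
    for addr in ("securelogin.hpe.com", "ocdsb.ca", "portal.example.org"):
        print(addr, audit(addr))
```
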



  • 5.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    Posted Feb 27, 2024 11:47 AM

    Yes they are all IAP515s, sorry, I thought I mentioned that.

    Here is what I have in the Central Configuration. I am not using the Aruba Default.

    In the certificate store on Aruba Central I have 4 certificates.

    I have erased the full names for obvious reasons, but the first cert is for the web logon page and the second is for our corporate webpage where the user gets redirected after authentication. I think I have everything configured as you indicate it should be, with the exception of that address field in the ClearPass config. My question is: should it be the address of the portal web logon page or the (ocdsb.ca) that the APs are configured to redirect to?




  • 6.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    EMPLOYEE
    Posted Feb 27, 2024 11:53 AM

    You did mention, I just missed the line in the original post.

    None of these screenshots show the certificate being chosen for captive portal purposes; that is under Security > Certificate Usage > Certificate Usage.

    You shouldn't need any certificates loaded in Central for your corporate webpage.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    Posted Feb 27, 2024 12:04 PM

    So here?

    and the "Captive Portal" field should be the certificate used by the web logon page?




  • 8.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    EMPLOYEE
    Posted Feb 27, 2024 12:12 PM

    That is the correct location for configuration, yes.

    The certificate used should be whichever one you want to use, but the CN of the certificate also needs to match the Address field.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Redirect url uses wrong certificate after successful Captive Portal Authentication.

    Posted Feb 27, 2024 12:14 PM

    Thank you so much for your help.