Security

 View Only

  • 1.  Clearpass Guest Access-Address field confusion

    Posted Jul 04, 2025 11:40 AM
    As per my understanding, in a controller-initiated method, after the client submits the guest form via his browser, the ClearPass guest instructs the web browser of guest device to post the credentials to the NAD device address(aruba controller for example), and this address should match the cn of server cert installed on the NAD device. My confusion here is that how the user device will resolve this address ? how the device's browser will figure out the ip of the NAD device ? 
    I did several tests in my lab, after submitting the form, the browser is redirected successfully to that Address, but the page is failing because the cn is not resolvable, the only way to make it work is to enter a static entry in the etc/host in the device i'm testing from, i believe i'm missing something here but i cannot figure out what it is. I saw one deployment where there are multiple branches with multiple controllers and instant VCs, all using same public cert and same self-registration page on cppm, so how this is possible ?


  • 2.  RE: Clearpass Guest Access-Address field confusion

    Posted Jul 04, 2025 12:39 PM

    When Aruba devices are used as NAD, the AP or controller will intercept the DNS request and respond with the AP/controller IP. It's not needed to create a DNS record on any DNS zone.

    If non Aruba devices are used the behavior can be different. 



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------



  • 3.  RE: Clearpass Guest Access-Address field confusion

    Posted Jul 04, 2025 01:10 PM

    Dear Willem

    Thanks for your answer, this makes much more sense now.  However, it is still not working in my case and stuck in the NAD fqdn redirect page. Is there an option on the controller or instant ap to enable this behavior, may you also clarify how the NAD device will intercept the dns traffic as it is being sent as unicast to the received dns server through dhcp ...  


    Original Message


  • 4.  RE: Clearpass Guest Access-Address field confusion
    Best Answer

    Posted Jul 04, 2025 02:46 PM

    The FQDN is retrieved from the CN field in the certificate that is installed on the controller / instant AP. AP's managed via Aruba Central will automatically get the certificate securelogin.hpe.com. 

    To check the correct FQDN (after installing the certificate) you can use the following commands:

    • Instant / AOS10: show captive-portal-domains
    • Controller: show datapath fqdn

    In ClearPass the config will look like this

    The FQDN in the address field must match the FQDN of the AP / controller.

    Because the AP / controller is in the datapath the DNS interception works. It just simple monitors the DNS requests and if the DNS request is for (in this case) securelogin.hpe.com it will respond to the request and not forward it to the DNS server of the client.

    It's not possible to enable/disable or configure this feature. Changing the certificate will update the configuration.



    ------------------------------
    Willem Bargeman
    Systems Engineer Aruba
    ACEX #125
    ------------------------------

    Original Message


  • 5.  RE: Clearpass Guest Access-Address field confusion

    Posted Jul 16, 2025 10:59 AM

    thanks willem, it is clear now 


    Original Message


Related Content