Security

  • 1.  Clearpass Self Reg with Aerohive/Extreme Cloud IQ NAS vendor settings

    Posted Feb 26, 2025 11:37 AM

    Hi all

    I'm trying to set up self reg with Clearpass using Aerohive WiFi. The default NAS address for the vendor settings is 1.1.1.1, but when I use this I get a certificate error as the default cert is a self-signed one with a CN of HiveManager. We have a wildcard cert that we have uploaded to HiveManager, but that is untrusted as 1.1.1.1 is obviously not an accepted domain name on the cert. I've tried some random names with the correct domain name, but those won't resolve to an IP. What should I use instead? Has anyone got this working?



  • 2.  RE: Clearpass Self Reg with Aerohive/Extreme Cloud IQ NAS vendor settings

    Posted Feb 26, 2025 11:43 AM

    Hey there! It sounds like you're running into a common challenge when setting up self-registration with ClearPass and Aerohive WiFi, especially with certificate trust issues. Let's break this down and figure out a solution.

    The core problem seems to be that the default NAS address (1.1.1.1) doesn't align with your wildcard certificate's domain, and the self-signed certificate with CN "HiveManager" isn't trusted by clients. Since you've uploaded a wildcard certificate to HiveManager, you're on the right track, but the IP address 1.1.1.1 won't work because wildcard certificates (like *.yourdomain.com) are only valid for domain names, not raw IPs. Browsers and clients will throw an "untrusted" error if the address they're hitting doesn't match the certificate's domain.

    Here's what you can do to get this working:

    1. Use a Fully Qualified Domain Name (FQDN) Instead of an IP:
      Since you have a wildcard certificate (e.g., *.yourdomain.com), you need to configure the NAS address in ClearPass to point to a resolvable FQDN that matches the wildcard domain. For example, if your wildcard cert is for *.yourdomain.com, you could use something like "clearpass.yourdomain.com" or "wifi.yourdomain.com". This FQDN should resolve to the actual IP address of your HiveManager or the Aerohive AP handling the captive portal.

    2. Update DNS:
      Set up a DNS record in your domain's DNS server so that the chosen FQDN (e.g., clearpass.yourdomain.com) resolves to the internal or external IP of your HiveManager or the Aerohive device. If this is an internal network, you can use your internal DNS server. For guest WiFi scenarios, you might need a public DNS record if the traffic is routed externally.

    3. Configure Aerohive and ClearPass:

      • In Aerohive HiveManager, ensure the wildcard certificate is properly applied to the captive portal or RADIUS service that ClearPass will interact with. Check the network policy or SSID settings where the captive portal is defined and confirm the certificate is selected.

      • In ClearPass, go to the vendor settings for Aerohive (likely under Configuration > Network > Devices or the Guest self-registration portal settings) and replace the 1.1.1.1 NAS address with your chosen FQDN (e.g., clearpass.yourdomain.com). This tells ClearPass to redirect clients to a name that matches your wildcard cert.

    4. Test Connectivity:
      Once the FQDN resolves correctly and the certificate matches, connect a test device to the Aerohive WiFi SSID. The captive portal should load without certificate errors, assuming the wildcard cert is issued by a trusted CA (like DigiCert, Sectigo, etc.) and properly installed.

    5. Troubleshooting Tips:

      • If you still get an untrusted cert error, double-check that the wildcard certificate's chain (intermediate and root CA certificates) is fully uploaded to HiveManager. Sometimes, missing intermediates cause trust issues.

      • Verify that the Aerohive AP or HiveManager is presenting the wildcard cert, not the default self-signed one. You can do this by browsing to the FQDN from a test device and inspecting the certificate details.

      • If the FQDN doesn't resolve, ensure your DNS settings are correct and that clients on the guest network can reach the DNS server.

    As for whether anyone's got this working: yes, this setup is totally doable! Many folks using Aerohive with ClearPass for guest self-registration have tackled similar certificate challenges by aligning the NAS address with a proper domain name tied to a trusted certificate. The key is making sure the FQDN, DNS, and certificate all play nicely together.

    What's your wildcard certificate's domain (e.g., *.yourdomain.com)? And are you running HiveManager on-prem or in the cloud? That might help narrow down the exact steps a bit more. Let me know how it goes or if you hit any snags!
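    The name-matching rule behind the advice above, as an added example (not code from the thread or from ClearPass/HiveManager): `dns_name_matches` applies the RFC 6125 wildcard rules, so you can see why `1.1.1.1` can never satisfy `*.yourdomain.com` while `clearpass.yourdomain.com` does, and `probe_portal` does a live handshake against an assumed FQDN and classifies the failure (name mismatch vs. untrusted chain, e.g. the default self-signed cert or a missing intermediate). The SAN list and host names are constructed for illustration.

```python
import ipaddress
import socket
import ssl

def is_ip_literal(host: str) -> bool:
    """True for addresses such as 1.1.1.1; a dNSName entry never matches an IP literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate dNSName; wildcard allowed only as the whole leftmost label."""
    if is_ip_literal(host):
        return False
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard must be the entire leftmost label, keep at least two fixed labels,
    # and consume exactly one non-empty host label (no a.b.yourdomain.com).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]

def certificate_covers(san_names, host: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers the address clients are redirected to."""
    return any(dns_name_matches(name, host) for name in san_names)

def probe_portal(host: str, port: int = 443) -> str:
    """Live check against an assumed FQDN: default context verifies chain (system CA store) and hostname."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
    except socket.gaierror:
        return "dns-unresolvable"          # the A record from step 2 is missing or not reachable
    except ssl.SSLCertVerificationError as exc:
        msg = str(exc).lower().replace("-", " ")
        if "hostname mismatch" in msg or "ip address mismatch" in msg:
            return "hostname-mismatch"     # NAS address does not match the cert's names
        if "self signed" in msg or "unable to get local issuer" in msg:
            return "untrusted-chain"       # default HiveManager cert, or intermediate CA not uploaded
        return "verify-failed: " + str(exc)

if __name__ == "__main__":
    SAN = ["*.yourdomain.com"]  # constructed: the wildcard cert from the thread
    for addr in ("1.1.1.1", "clearpass.yourdomain.com", "a.b.yourdomain.com", "yourdomain.com"):
        print(f"{addr:28s} covered={certificate_covers(SAN, addr)}")
```

Run `probe_portal("clearpass.yourdomain.com")` from a client on the guest network once the A record exists; it returns `ok` only when both the name and the full chain check out.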



  • 3.  RE: Clearpass Self Reg with Aerohive/Extreme Cloud IQ NAS vendor settings

    Posted Feb 26, 2025 12:23 PM

    Hi Rupesh, that's a great response, thanks. I believe the HiveManager is in the cloud with the APs on a local subnet. For the DNS, what would I want to set for the A record? The wildcard cert is in the right place; I know that because we have seen the failed response using our cert. So it should be just a case of getting the domain and DNS record correct, but I don't know what the DNS should be.