Wireless Access

  • 1.  External Captive portal with Clearpass

    Posted Nov 15, 2025 12:05 PM

    Hello,

    I have a scenario: the Aruba Gateway and APs of OS 10 will be integrated with the ClearPass Captive Portal, and I will use a public signed certificate from Aruba Central (CN = Securelogin.hpe.com) on the Aruba Gateway and APs.

    First question: will I need another public certificate for ClearPass or not?

    Second question: do APs and Gateways both require communication with ClearPass (SSID in tunneled mode), or Gateways only?



    -------------------------------------------


  • 2.  RE: External Captive portal with Clearpass

    Posted Nov 16, 2025 10:26 PM

    1) Do I need another public certificate for ClearPass?

    Yes, you still need a separate public HTTPS certificate on ClearPass.

    The securelogin.hpe.com cert that Aruba Central installs on the Gateways/APs is the captive portal certificate used by the controller/gateway side (where the browser sends the login POST back).

    ClearPass, on the other hand, uses its own HTTPS server certificate for:

    • ClearPass Guest portal (the page the user actually sees),

    • admin UI,

    • APIs, etc.

    For Guest, Aruba recommends (and in practice requires) that this ClearPass HTTPS certificate is signed by a public CA and reachable via FQDN (for example, guest.yourdomain.com), so that unmanaged devices don't get certificate warnings.

    So:

    • Gateway/AP: public captive portal cert (e.g. securelogin.hpe.com)

    • ClearPass: separate public HTTPS cert with its own FQDN


    2) Do APs and Gateways both need to talk to ClearPass in tunneled SSID, or only Gateways?

    For an SSID in tunneled mode with AOS 10 Gateways:

    • The AP just tunnels the client traffic to the Gateway.

    • The Gateway is the RADIUS NAS / proxy and is the device that talks to ClearPass:

      • RADIUS auth/accounting (UDP 1812/1813)

      • RADIUS CoA (UDP 3799)

    • The wireless clients in the pre-auth/guest role must be able to reach the ClearPass portal over HTTPS (TCP 443).

    • The APs themselves do not send RADIUS directly to ClearPass in this design.

    So in short:

    • RADIUS/CoA: Gateways ↔ ClearPass

    • HTTPS portal: Client ↔ ClearPass

    • APs: only need connectivity to the Gateways (and Central), not directly to ClearPass for captive portal/RADIUS in tunneled mode.


    -------------------------------------------
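An added example, not part of the original reply: a small Python audit that checks a firewall rule set against the flows listed in the answer above and flags direct AP-to-ClearPass permits that tunneled mode does not need. The subnets, rule format and function names are assumptions; the CoA direction (ClearPass to Gateway on UDP 3799) follows RFC 5176.

```python
import ipaddress

# Constructed addressing plan; every subnet below is an assumption.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "ap": "10.10.10.0/24", "gateway": "10.10.20.0/28",
    "guest": "172.16.50.0/23", "clearpass": "10.10.30.10/32"}.items()}

# Flows the answer lists for a tunneled SSID: (src zone, dst zone, proto, port).
# CoA is initiated by ClearPass toward the Gateway (RFC 5176).
REQUIRED = [("gateway", "clearpass", "udp", 1812),
            ("gateway", "clearpass", "udp", 1813),
            ("clearpass", "gateway", "udp", 3799),
            ("guest", "clearpass", "tcp", 443)]
# Flows the APs do not need in tunneled mode, so a permit here is excess.
UNNEEDED = [("ap", "clearpass", "udp", 1812),
            ("ap", "clearpass", "udp", 1813),
            ("ap", "clearpass", "tcp", 443)]

def allowed(rules, flow):
    """First-match check; a deny that overlaps the flow blocks it, and a
    permit counts only if it covers the whole source and destination zone."""
    src, dst, proto, port = ZONES[flow[0]], ZONES[flow[1]], flow[2], flow[3]
    for action, r_src, r_dst, r_proto, lo, hi in rules:
        rs, rd = ipaddress.ip_network(r_src), ipaddress.ip_network(r_dst)
        if r_proto != proto or not lo <= port <= hi:
            continue
        if not (rs.overlaps(src) and rd.overlaps(dst)):
            continue
        if action == "deny":
            return False
        if src.subnet_of(rs) and dst.subnet_of(rd):
            return True
    return False  # implicit deny at the end of the rule set

def audit(rules):
    """Return (required flows that are blocked, unneeded flows that are open)."""
    missing = [f for f in REQUIRED if not allowed(rules, f)]
    excess = [f for f in UNNEEDED if allowed(rules, f)]
    return missing, excess

# Constructed rule set: (action, src, dst, proto, port_low, port_high).
SAMPLE_RULES = [
    ("permit", "10.10.20.0/28", "10.10.30.10/32", "udp", 1812, 1813),
    ("permit", "172.16.50.0/23", "10.10.30.10/32", "tcp", 443, 443),
    ("permit", "10.10.0.0/16", "10.10.30.10/32", "udp", 1812, 1812),  # too broad
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

With the sample rules, the audit reports the missing CoA path from ClearPass to the Gateway and the overly broad RADIUS permit that also covers the AP subnet.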



  • 3.  RE: External Captive portal with Clearpass

    Posted Nov 27, 2025 11:32 AM

    Cross posted here.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------