Excellent Herman, I was looking for this content earlier. You made life easy for many Aruba users. Hats off to you.
Thanks... I heard many questions around this topic over the years, and if you are familiar with the topic it's quite clear, but sometimes we forget that not everyone is familiar. Think that accounts for many of the videos in this series. Good to hear this helped you.
Herman, I’ve been doing server-initiated login for wireless on both controller and Instant for years. Works like a charm and no cert needed on that WLC. Role is changed using Filter-Id in CoA, delay redirect for 6 sec, and it’s flawless for the user. The port bounce, on the other hand, often causes the cached role to be sent instead due to some weird lag, delay, whatever in ClearPass where the endpoint DB isn't updated fast enough or something. Server-initiated is a requirement for several other brands of WLC which don't support the controller-initiated methods, and this «bug» often causes headaches.
Thank you! This really clears things up.
Hi Herman, great content.
For "server initiated", is there no need for a public certificate on the NAS? I learned from an Aruba Switch OS course that it is needed because of the first redirection to the captive portal; if not, this can cause security error messages on the endpoint.
Hi Herman, I've followed the guide and I did all the configuration, but now I have a problem with mobile phones. 24h after the first authentication on CP (the lifetime set for the guest account), they cannot authenticate again and the redirection to the Self Registration Portal doesn't work. How can I fix it?
Hi Sir, thank you for this explanation. I have a question about the public certificate: does it work when the guest user connects to the SSID, or after his login to the page, like you mentioned in this tutorial?
The public certificate is needed for the captive portal and the login (with controller-initiated logins). The (ClearPass) captive portal needs to be secure, and the posting of credentials to the controller/IAP must be secure as well. For server-initiated, you will need the ClearPass to have a public trusted certificate only, as there is no interaction from the client with the switch. After the login, there is no communication anymore with the ClearPass or controller/IAP, and traffic will go directly to the internet.