03-25-2013 11:58 AM
HP 5412zl: port-access with web authentication works but web authentication with ssl-login does not
Hello,
Before I describe the problem, here is the config:

hostname "hekswitch1"
ip dns domain-name "hek.uni-karlsruhe.de"
aaa authentication web-based peap-mschapv2
aaa port-access web-based dhcp-addr 192.168.19.0 255.255.255.0
aaa port-access web-based dhcp-lease 5
aaa port-access web-based ewa-server "hekauth.hek.uni-karlsruhe.de" "/ewa/"
interface B24
   untagged vlan 1
   port-security learn-mode port-access
   aaa port-access web-based
   aaa port-access web-based client-limit 16
   aaa port-access web-based redirect-url "http://www.google.de/"
   exit
Further, I installed a valid CA-signed X.509 certificate for CN="hekswitch1.hek.uni-karlsruhe.de" via the WebAgent.
The above config works, but the problems start if I use

aaa port-access web-based b24 ssl-login
1) If one opens a browser on the client, the switch redirects to "https://192.168.19.1/" (its IP), instead of "https://hekswitch1.hek.uni-karlsruhe.de/". As a result, the certificate is considered invalid and the browser presents an error. That's the first annoying problem.
If one ignores the browser warning, the browser shows the "SSL redirect" page. Actually, I would expect this page to be presented without SSL. That way, problem 1) would be solved.
The "SSL redirect" page redirects to "https://hekswitch1.hek.uni-karlsruhe.de/ewa/index.html". OK, here we have the FQDN instead of an IP.
2) But again the browser shows a certificate error. This time the certificate chain cannot be validated. The problem is that my certificate is signed by an intermediate CA. Normally, it would be the responsibility of the web server (i.e. switch) to deliver the whole chain up to a point where the client browser knows a valid root certificate. Obviously, the problem stems from the certificate installation. The Web Agent only accepts one PEM-encoded certificate and does not know the intermediate certificates. There was no way to install a PKCS#12 file or something similar. This is the second problem.
Now, let's assume one ignores the certificate error a second time, or one installs the intermediate certificate as a root CA for testing purposes so that the browser is satisfied.
3) The client cannot resolve the DNS name "https://hekswitch1.hek.uni-karlsruhe.de/ewa/index.html", where it is redirected to. Of course not, because the client is not authenticated yet. Hence, the browser jumps back to the "SSL redirect" page and ends in an infinite loop. That's the third problem.
Obviously I did something very, very wrong in my switch configuration, because I did not find any of these problems by searching the forums. Hence, either I am terribly stupid or nobody else uses "ssl-login".
Yours, Matthias
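The two certificate errors in the post (a redirect to an address the certificate is not valid for, and a missing intermediate) can be reproduced offline with a throwaway PKI, which also shows what the switch would have needed to serve. This is an added example, not part of the original post or of HP's switch software: it builds a root CA, an intermediate and a leaf for the switch with openssl, then emulates a browser that trusts only the root. The FQDN and IP address are taken from the post; the CA names and the short lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway three-tier PKI built
# with openssl, used to reproduce two of the browser errors described above:
#   - the redirect target is an IP address that is not in the certificate, and
#   - the switch serves only its leaf, so the intermediate is missing.
# The FQDN and IP are taken from the post; the CA names are assumptions.
set -e

FQDN="hekswitch1.hek.uni-karlsruhe.de"
IP="192.168.19.1"
WORK=$(mktemp -d)
ROOT="$WORK/root.pem"      # the only CA the emulated browser trusts
INT="$WORK/int.pem"        # intermediate CA, which the WebAgent never received
LEAF="$WORK/leaf.pem"      # the switch certificate, signed by the intermediate
BUNDLE="$WORK/bundle.pem"  # leaf + intermediate: what the switch should serve

make_pki() {
  [ -f "$LEAF" ] && return 0
  # Root CA, self-signed
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/root.key" -out "$ROOT" 2>/dev/null
  # Intermediate CA, signed by the root
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$ROOT" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$INT" 2>/dev/null
  # Leaf for the switch, signed by the intermediate, with a DNS SAN only
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$FQDN" > "$WORK/leaf.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$INT" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$LEAF" 2>/dev/null
  # The PEM bundle a web server is expected to present: leaf first, then intermediate
  cat "$LEAF" "$INT" > "$BUNDLE"
}

# Emulate a browser that trusts only the root CA and receives file $1 from the
# server. Returns 0 when a chain to the root can be built, non-zero otherwise.
chain_builds() {
  openssl verify -CAfile "$ROOT" -untrusted "$1" "$LEAF" >/dev/null 2>&1
}

# Same trust store, complete chain, plus the check that the certificate is valid
# for the DNS name ($1) or the IP address ($1) the browser was redirected to.
valid_for_host() {
  openssl verify -CAfile "$ROOT" -untrusted "$INT" -verify_hostname "$1" "$LEAF" >/dev/null 2>&1
}
valid_for_ip() {
  openssl verify -CAfile "$ROOT" -untrusted "$INT" -verify_ip "$1" "$LEAF" >/dev/null 2>&1
}

make_pki
for f in "$LEAF" "$BUNDLE"; do
  if chain_builds "$f"; then
    echo "serving $(basename "$f"): chain OK"
  else
    echo "serving $(basename "$f"): chain incomplete, browser warns"
  fi
done
if valid_for_host "$FQDN"; then echo "redirect to https://$FQDN/: name matches"; fi
if valid_for_ip "$IP"; then :; else echo "redirect to https://$IP/: no IP SAN, browser warns"; fi
```

Serving the leaf alone fails because the emulated browser has no way to reach the trusted root without the intermediate, exactly the second problem in the post; serving the leaf followed by the intermediate passes. The same certificate is valid for the FQDN and not for the IP address, which is why the first redirect to https://192.168.19.1/ produces a warning even with a correctly issued certificate. The same checks can be run against a live switch with `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends.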