
HP 5412zl: port-access with web authentication works but web authentication with ssl-login does not


Hello,

Before I describe the problem, here is the config:

hostname "hekswitch1"
ip dns domain-name "hek.uni-karlsruhe.de"

aaa authentication web-based peap-mschapv2

aaa port-access web-based dhcp-addr 192.168.19.0 255.255.255.0
aaa port-access web-based dhcp-lease 5
aaa port-access web-based ewa-server "hekauth.hek.uni-karlsruhe.de" "/ewa/"

interface B24
   untagged vlan 1
   port-security learn-mode port-access
   aaa port-access web-based
   aaa port-access web-based client-limit 16
   aaa port-access web-based redirect-url "http://www.google.de/"
   exit

Further, I installed a valid CA-signed X.509 certificate for CN="hekswitch1.hek.uni-karlsruhe.de" via the WebAgent.

The above config works, but problems start if I use

aaa port-access web-based b24 ssl-login

1) If one opens a browser on the client, the switch redirects to "https://192.168.19.1/" (its IP), instead of "https://hekswitch1.hek.uni-karlsruhe.de/". As a result, the certificate is considered invalid and the browser presents an error. That's the first annoying problem.

If one ignores the browser warning, the browser shows the "SSL redirect" page. Actually I would expect that this page is presented without SSL. This way problem 1) would be solved.

The "SSL redirect" page redirects to "https://hekswitch1.hek.uni-karlsruhe.de/ewa/index.html". OK, here we have the FQDN instead of an IP.

2) But again the browser shows a certificate error. This time the certificate chain cannot be validated. The problem is that my certificate is signed by an intermediate CA. Normally, it would be the responsibility of the web server (i.e. the switch) to deliver the whole chain up to a point where the client browser knows a valid root certificate. Obviously, the problem stems from the certificate installation. The Web Agent only accepts one PEM-encoded certificate and does not know the intermediate certificates. There was no way to install a PKCS#12 file or something similar. This is the second problem.

Now, let's assume one ignores the certificate error a second time or one installs the intermediate certificate as a root CA for testing purposes such that the browser is satisfied.

3) The client cannot resolve the DNS name "https://hekswitch1.hek.uni-karlsruhe.de/ewa/index.html", where it is redirected to. Of course not, because the client is not authenticated yet. Hence, the browser jumps back to the "SSL redirect" page and ends in an infinite loop. That's the third problem.

Obviously I did something very, very wrong in my switch configuration, because I did not find any of these problems by searching the forums. Hence, either I am terribly stupid or nobody else uses "ssl-login".

Yours, Matthias
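Added example, not part of Matthias' post or of any HP code: a Go program that rebuilds the two certificate failures from points 1) and 2) with a constructed root -> intermediate -> switch hierarchy (the CA names are made up; the switch FQDN and the redirect IP are taken from the post). It shows that a browser trusting only the root rejects the switch certificate unless the intermediate is served alongside it, and separately rejects a redirect to the bare IP because that name is not in the certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// mkCert issues a certificate for cn signed by parent/pkey (self-signed when parent is nil).
func mkCert(cn string, isCA bool, dns []string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, pkey = tmpl, key } // root CA: self-signed
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// PKI is the constructed (made-up) root -> intermediate -> switch hierarchy described in the post.
type PKI struct{ Root, Inter, Leaf *x509.Certificate }
func BuildPKI() PKI {
	root, rk := mkCert("Test Root CA", true, nil, nil, nil)
	inter, ik := mkCert("Test Intermediate CA", true, nil, root, rk)
	leaf, _ := mkCert("hekswitch1.hek.uni-karlsruhe.de", false, []string{"hekswitch1.hek.uni-karlsruhe.de"}, inter, ik)
	return PKI{root, inter, leaf}
}

// BrowserCheck validates the switch certificate as a browser would: only the root is trusted,
// serveInter says whether the switch also sent the intermediate, host is the name in the redirect URL.
func BrowserCheck(p PKI, serveInter bool, host string) string {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	if serveInter { inter.AddCert(p.Inter) }
	_, err := p.Leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host})
	var (ua x509.UnknownAuthorityError; he x509.HostnameError)
	if err == nil { return "ok" }
	if errors.As(err, &ua) { return "chain" }       // problem 2: intermediate not served, chain cannot reach the root
	if errors.As(err, &he) { return "hostname" }    // problem 1: redirect to the IP, which the certificate does not name
	return "other"
}
```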