10-24-2019 03:05 PM
I am trying to generate an SSL cert for our NAC captive portal. I am running a Windows certificate authority on our Windows Server 2012 server. I tried to follow the steps in this link https://extremeportal.force.com/ExtrArticleDetail?an=000078322
and then I did the submit certificate request on my Server 2012 CA web enrollment. But I keep getting a certificate invalid message on the portal after I imported it into the NAC manager.
When using the Windows CA, what certificate template should I be using? Web Server?
Thanks
10-28-2019 03:46 PM
So I got this working now by using the external hostname and DNS redirect. The captive portal is coming up on Apple iOS, Chromebooks and Windows laptops. I only tried on one Android phone so far and it's not redirecting to the portal login page; it's redirecting to google.com instead. Has anyone heard of this before with Android?
10-28-2019 01:15 PM
Thanks for the reply, Ryan. I had already done that, but this won't work because so many of our devices are not Windows devices and not on our domain that I have no way for them to trust it automatically. I am going to have to try a public CA and do some internal DNS switching so it thinks my NAC appliance is on an external hostname.
10-26-2019 05:41 PM
Hello,
Take the CSR that was generated and go to the certsrv website for your CA:
From here choose the “Advanced” option, and paste in the text from the CSR file. The Web Server template is acceptable.
When you go to install it in the NAC, make sure you have the private key and the generated certificate, check the box indicating that the private key is password protected, and supply the password.
One thing to note here, though, is that if you have your internal CA sign the captive portal certificate, only machines that have your CA’s root certificate installed will not see certificate errors. Everyone else will still encounter “invalid CA” errors when going to the captive portal.
If you want the captive portal certificate to be seen as valid by everyone then a certificate from a trusted commercial authority would need to be generated.
Thanks
-Ryan
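
The checks this thread turns on, as an added example that is not part of any post: a shell script using the OpenSSL command-line tool that confirms, before import into the NAC, that the private key matches the issued certificate, that the certificate chains to the CA root, and that it covers the portal hostname. The function names, the KEY_PASS variable and portal.example.test are hypothetical; it assumes PEM-encoded files and a root CA that issues the certificate directly.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, KEY_PASS and the
# portal.example.test hostname are hypothetical; files are assumed to be PEM.

check_portal_cert() {   # args: CERT KEY CA_ROOT PORTAL_HOSTNAME
    cert=$1; key=$2; ca=$3; host=$4; rc=0

    # 1. The certificate must contain the public half of the key being imported.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; rc=1
    fi

    # 2. The certificate must chain to the given root (default CA directory not
    #    consulted) and be usable as a TLS server certificate.
    if openssl verify -no-CApath -CAfile "$ca" -purpose sslserver "$cert" >/dev/null 2>&1; then
        echo "OK   chains to $ca"
    else
        echo "FAIL does not chain to $ca (clients holding only this root will warn)"; rc=1
    fi

    # 3. The name users are redirected to must be covered by the certificate.
    if openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
            grep -q "does match certificate"; then
        echo "OK   certificate covers $host"
    else
        echo "FAIL certificate does not cover $host"; rc=1
    fi
    return "$rc"
}

make_demo_pki() {   # constructed sample: throwaway root CA + portal cert in dir $1
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' '[ca]' \
        'basicConstraints=critical,CA:TRUE' '[leaf]' \
        'subjectAltName=DNS:portal.example.test' > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/demo.cnf" -extensions ca \
        -subj "/CN=Demo Root CA" -days 2 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
        -subj "/CN=portal.example.test" -keyout "$d/portal.key" -out "$d/portal.csr" 2>/dev/null
    openssl x509 -req -in "$d/portal.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -extfile "$d/demo.cnf" -extensions leaf -days 2 \
        -out "$d/portal.crt" 2>/dev/null
}

if [ "$#" -eq 4 ]; then check_portal_cert "$@"; fi
```

Run it with the four file and hostname arguments to check real files; a FAIL on step 2 against a public root is expected for a certificate signed by an internal CA.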
