Aruba Mobility Controller and Wildcard Certificates

Adding this note here so that I'll have it for future reference, since this is one of those features that doesn't seem to be documented very well. The information was originally found on the Airheads Community website; all credit goes to AnandKumar Sukumar. A mention of the default behavior was later added to the ArubaOS 6.4 documentation.

This relates specifically to captive-portal authentication on an Aruba Networks wireless network. When a wildcard certificate is used, the host name clients are redirected to is not as configurable as you might expect.

An Aruba mobility controller ships with a default SSL certificate whose Common Name (CN) is securelogin.arubanetworks.com. The controller adopts the name defined in the certificate's CN as its virtual name. This means that whenever a wireless client connected to the captive-portal SSID attempts to resolve securelogin.arubanetworks.com, the controller will, by default, always answer with its own switch IP.

When a third-party SSL certificate is used for the captive portal, the CN of that certificate becomes the host name the client is redirected to. For example, if the certificate has the CN wifi.example.com, then wifi.example.com will always resolve to the switch IP of the controller.

For captive-portal redirection, the certificate mapped to the captive portal should have an FQDN as its CN. In a wildcard certificate, an asterisk in the CN signifies that any host name under that domain can be used with the certificate. When a wildcard SSL certificate is installed on the mobility controller for the captive portal, the controller replaces the asterisk with the host name "captiveportal-login". So for a wildcard certificate with the CN *.example.com, the virtual name will be "captiveportal-login.example.com".

So the controller has built-in behavior that always defaults to "captiveportal-login.domain.suf", with domain.suf taken from the wildcard certificate's CN; the "captiveportal-login" label itself is fixed. The wildcard still covers that name, so clients don't see a certificate warning, but anything that keys on the portal host name (DNS overrides, walled-garden or whitelist rules, user-facing instructions) must use captiveportal-login.domain.suf rather than the name you might have expected.

And, as an aside, Aruba Instant doesn't support a wildcard certificate on the virtual controller (VC) for captive portal logins. You'll need to create a non-wildcard certificate for the Instant setup, and whatever is used as the CN is what Instant will use for the redirect and for ClearPass authentication. The "Captive Portal" certificate is also used for the web interface, so set Subject Alternative Names (SANs) if you want to use different domain names for the captive portal and for administration.

Edit 2018-06-27: As of Instant AP software version 6.5.0.0-4.3.0.0, a wildcard certificate is supported for captive portal use, and the VC will respond with the host name captiveportal-login.
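The practical check that falls out of the above is twofold: predict which host name the controller will redirect clients to (the CN as-is, or the asterisk swapped for "captiveportal-login" on a wildcard), and confirm that this name, and any separate admin FQDN on an Instant VC, is actually covered by the certificate's CN or SAN entries so clients don't get a certificate warning. The script below is an added example, not Aruba code; it uses the derivation rule described on this page and a standard one-label wildcard match. The certificate names and the redirect URL in it are constructed for illustration.

```python
"""Predict an Aruba captive-portal virtual name from a certificate CN and
check that the redirect host and admin FQDN are covered by the cert.

Added example (not Aruba's code). The rule implemented in
portal_virtual_name() is the behavior described on this page; the sample
names and URL at the bottom are constructed test data.
"""
from urllib.parse import urlsplit

DEFAULT_CN = "securelogin.arubanetworks.com"   # factory certificate CN
WILDCARD_LABEL = "captiveportal-login"         # fixed label the controller substitutes


def portal_virtual_name(cn: str) -> str:
    """Virtual name the controller adopts for captive-portal redirects.

    A wildcard CN (*.example.com) has its asterisk replaced by
    'captiveportal-login'; any other CN, including the factory default,
    is used unchanged.
    """
    cn = cn.strip().lower()
    if cn.startswith("*."):
        return f"{WILDCARD_LABEL}.{cn[2:]}"
    return cn


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host the way browsers do:
    a leading '*' covers exactly one leftmost label, nothing more."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names, host: str) -> bool:
    """True if any CN/SAN entry covers the host."""
    return any(name_matches(n, host) for n in cert_names)


def check_redirect(redirect_url: str, cert_cn: str, sans=()) -> dict:
    """Evaluate a captured captive-portal redirect against the installed cert."""
    host = (urlsplit(redirect_url).hostname or "").lower()
    expected = portal_virtual_name(cert_cn)
    return {
        "host": host,
        "expected_virtual_name": expected,
        "host_is_expected": host == expected,          # controller behaving as documented
        "host_covered_by_cert": covered_by([cert_cn, *sans], host),  # no browser warning
    }


def uncovered_names(cert_cn: str, sans, required_hosts) -> list:
    """Host names (portal, admin UI, ...) the certificate does not cover.
    Useful on Instant, where one certificate serves both portal and web UI."""
    names = [cert_cn, *sans]
    return [h for h in required_hosts if not covered_by(names, h)]


if __name__ == "__main__":
    # Constructed sample: wildcard cert on a controller, captured redirect.
    redirect = "https://captiveportal-login.example.com/cgi-bin/login?cmd=login"
    print(check_redirect(redirect, "*.example.com"))

    # Constructed sample: Instant VC with a plain CN and no SAN for the admin name.
    print(uncovered_names("wifi.example.com", [],
                          ["wifi.example.com", "iap-admin.example.com"]))
```

Run it on the actual CN/SANs from the certificate you uploaded (for example from `openssl x509 -noout -subject -ext subjectAltName`) and on the Location header a test client receives; a redirect whose host is not covered by the certificate is the usual cause of the "certificate mismatch" warning users report on the portal page.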
