Good question, though I didn't want to make a PEM video ;) The root CA should NOT be part of the chained PEM file. It doesn't hurt, but is not needed as the root is already in your browser or device, and if it isn't the certificate is not trusted anyway, but if you add it, it will be sent with each SSL negotiation, which is needless traffic. For that reasons: leave the root CA out of your chained certificate. Then for the order, I see the private key mostly either first or last in the PEM file, not between the certificate itself and the intermediates... and then the order of the certificates is: server cert itself, intermediate that issued the server cert (first towards the root), then if there are other intermediates in the similar order (from closest the the server cert, to closest to the root) and the root itself is excluded/left out. Here is a nice blog entry that shows it graphically and includes the openssl commands needed: community.arubanetworks.com/browse/articles/blogviewer?blogkey=719538b4-7db9-402f-a998-d80c91cf0cc9 Hope this helps?

@@hermanrobers Thanks. And just to give another option, the private key can go after the server cert. I've always uploaded it like that with no problem. Server Cert PrivateKey CA bundle

That is more an AIrheads question. I don't have one to check it, but you would need to upload the certificate to Airwave first (System - Certificates) and then should be able to assign it in your controller or Instant. If you can't find it, please ask support or on community.arubanetworks.com in the Network Management forum.

There may be an incorrect or invalid role returned in that case, or even a REJECT. I would check the role that is returned for users that are beyond the mac-caching or guest account lifetime) and verify that the role is configured and includes the redirect.

@@hermanrobers this happens only with moblie phone why? The CP role is "X" the default role on role mapping is [Other]. I should change other with X. Yes i have a reject log

@@user-qq2fs6hc9x if it happens on mobile phone only, there is a chance that the certificates used are not fully correct. Best to investigate further with your Aruba partner or Aruba SE as based on this limited information it's hard to address the exact issue.

HSTS is due to something redirecting HTTPS traffic (port 443). Looping back to the login page has probably to do with the login not happening properly, where it can be that the login is not sent, it does not arrive on ClearPass, ClearPass doesn't process it correctly or the AP/Switch/Controller doesn't handle the login/role switch correctly. The next video in the playlist (kzbin.info/www/bejne/romqdHyer7J4f6c) explains each and every step in the guest login process. Following that chart, then find out till where it works in your deployment and where it starts to fail, will probably bring you to the error in your configuration so you can fix it. The exact workflow differs a bit between Instant AP, Aruba controllers, switches, 3rd party equipment.

@@hermanrobers thank u very much for the answer

@@hermanrobers one question, as captive portal certificate i have a wild card. I should modify the CN with my cp domain?(captiveportal-login.....)