AAA, NAC, Guest Access & BYOD

I have integrated an Aruba Controller with CPPM to do Captive Portal authentication for the Guest network. However, the guest clients do not hit the External Captive Portal page.

Aruba Employee

There may be multiple reasons for the failure.

1: Incorrect Captive portal page mapped on the controller.
2: Incorrect ACLs defined on the controller.
3: No inter-VLAN routing enabled between the guest network and CPPM.

 

1: Incorrect Captive portal page mapped on the controller.

On ClearPass Guest:

Navigate to Home » Configuration » Web Logins and verify the login page.

 

 


Click on "Test" and check the URL and the view of the page.

Copy the URL of the page and compare it with the one configured on the controller.

 


 

 

Navigate to "Security > Authentication > L3 Authentication" on the controller and verify that the same URL is mapped to the Captive Portal profile that we are using.

 


2: Incorrect ACLs defined on the controller.

We have to check the ACLs defined for the preauth role.

For example, if the preauth role is "Guest", run the CLI command below and check the ACLs mapped to this role:

 #show running-config

Then verify that the role allows HTTP and HTTPS connectivity to the CPPM server.

ip access-list session captiveportal
  user   alias CPPM svc-https  permit      <-- if this rule is missing, it will cause this error
  user   alias CPPM svc-http  permit
  user   alias controller svc-https  dst-nat 8081
  user any svc-http  dst-nat 8080
  user any svc-https  dst-nat 8081
  user any svc-http-proxy1  dst-nat 8088
  user any svc-http-proxy2  dst-nat 8088
  user any svc-http-proxy3  dst-nat 8088



Here CPPM is an alias for the CPPM server, which can be added as shown below.
 

(NS-Aruba-3200) #configure terminal
(NS-Aruba-3200) (config) #netdestination CPPM
(NS-Aruba-3200) (config-dest) #host 10.10.10.10
(NS-Aruba-3200) (config-dest) #end
(NS-Aruba-3200) #write memory
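
The ACL check from step 2 can be scripted against a saved copy of the running-config. The following is an added example, not part of the original article or any Aruba tooling: the function names and the sample config are constructed for illustration, only "alias" and "any" destinations are parsed, and it relies on session ACL rules being matched top-down.

```python
import re

# Constructed sample: a preauth ACL where the CPPM permit rule sits below the
# catch-all redirect rules and the svc-https permit is missing entirely.
SAMPLE_CONFIG = """\
ip access-list session captiveportal
  user any svc-http  dst-nat 8080
  user any svc-https  dst-nat 8081
  user   alias CPPM svc-http  permit
!
"""

# <source> (alias <name> | any) <service> <action>; other destination forms are skipped.
RULE = re.compile(r"^\s*\S+\s+(?:alias\s+(\S+)|any)\s+(\S+)\s+(permit|deny|dst-nat)\b")


def parse_session_acl(config, acl_name):
    """Return [(dest, service, action)] for one 'ip access-list session' block."""
    rules, inside = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list session "):
            inside = line.split()[-1] == acl_name
        elif inside and not line.startswith((" ", "\t")):
            inside = False  # the block ends at the first non-indented line
        elif inside:
            m = RULE.match(line)
            if m:
                rules.append((m.group(1) or "any", m.group(2), m.group(3)))
    return rules


def check_portal_acl(config, acl_name="captiveportal", alias="CPPM"):
    """List problems that keep preauth clients from reaching the portal server."""
    rules = parse_session_acl(config, acl_name)
    problems = []
    for svc in ("svc-http", "svc-https"):
        permit = next((i for i, r in enumerate(rules) if r == (alias, svc, "permit")), None)
        redirect = next((i for i, r in enumerate(rules) if r == ("any", svc, "dst-nat")), None)
        if permit is None:
            problems.append(f"{svc}: no permit rule to alias {alias}")
        elif redirect is not None and redirect < permit:
            problems.append(f"{svc}: permit to {alias} is below the 'any' dst-nat rule")
    return problems


if __name__ == "__main__":
    for problem in check_portal_acl(SAMPLE_CONFIG):
        print("FAIL", problem)
```

An empty result means the permit rules to the alias exist and come before the catch-all dst-nat rules, as in the ACL shown above.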
 
3: No inter-VLAN routing enabled between the guest network and CPPM.

Make sure that inter-VLAN routing is enabled. For instance, say that the CPPM, Controller and AP are on the Management VLAN (VLAN 1) while the guest clients get an IP from VLAN 10.

Ensure that the VLAN interface for the Guest network on the controller has an IP address assigned to it; otherwise the TCP SYN-ACK of the HTTP connection will take an asymmetric routing path, which will not work.
Version history: Revision 1 of 1. Last update: 07-16-2014 12:59 PM