Campus Switching and Routing

Contributor I
Posts: 29
Registered: ‎04-02-2017

Aruba 3810M Wired Guest


Hi Folks. I am trying to do wired guest with ClearPass and Aruba 3810M access switches. I have two services on CPPM to accomplish this:

1. First service is Allow All MAC AUTH. If the endpoint is Unknown, it returns a dynamic ACL along with the hpe-captive-portal-url attribute to the switch. If the endpoint is known, an unrestricted profile is sent to the switch.

2. Second service is Web-auth to authenticate the captive portal user.

 

Everything seems to be working as anticipated. If an unknown endpoint comes on the network, I can see the RADIUS ACL assigned on the port (show access-list radius port id) and the captive portal URL received by the switch (show port-access clients detailed). Somehow, the client is not being automatically redirected to the captive portal page. End to end flow works fine if I manually type the registration page URL and register/login.

 

I do have an L3 interface on the guest VLAN created on the switch. Running out of options to troubleshoot this issue further. Any help would be appreciated.

 

I also have a TAC case opened, but haven't progressed a bit in the last 4 days unfortunately.

JayBee
ACDX | CCIE (RnS/SP,DC) | ACCP | ACMP | ACMA | JNCIS | JNCIA
If the provided solution resolves your issue, please mark it as accepted solution to help others.
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Aruba 3810M Wired Guest

What version of ArubaOS-Switch?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 29
Registered: ‎04-02-2017

Re: Aruba 3810M Wired Guest

Was running on 16.03.0003 and yesterday upgraded to 16.03.0004. Both have similar behavior.

JayBee
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Aruba 3810M Wired Guest

Please post screenshots of your enforcement profile(s).


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 29
Registered: ‎04-02-2017

Re: Aruba 3810M Wired Guest

Hi Tim,

 

Please find below:

 

1.PNG

 

2.PNG

 

3.PNG

 

4.PNG

 

5.PNG

 

Also, I can verify the correct attributes are sent back to the switch:

5a.PNG

 

6.PNG

 

7.PNG

 

And the switch config is pretty simple:

l3swaccstack# sh ip  | inc 153
  Wi-Fi_Guest04        | Manual     172.25.153.200  255.255.255.0    No    No
l3swaccstack#

==================================================

radius-server host 172.25.16.4 key "xxxx"
radius-server host 172.25.16.4 dyn-authorization
radius-server host 172.25.16.4 time-window 0

aaa authentication port-access chap-radius
aaa port-access mac-based 1/48

aaa authentication captive-portal enable

 

where 172.25.16.4 is CPPM VIP.

JayBee
Contributor I
Posts: 29
Registered: ‎04-02-2017

Re: Aruba 3810M Wired Guest

Hi Tim,

 

For some reason I am unable to add the screenshots inline. I have attached them.

 

The switch config is pretty simple:

radius-server host 172.25.16.4 key "xxxxx"
radius-server host 172.25.16.4 dyn-authorization
radius-server host 172.25.16.4 time-window 0

aaa authentication port-access chap-radius
aaa port-access mac-based 1/48

aaa authentication captive-portal enable

 

l3swaccstack#
l3swaccstack# sh ip  | inc 153
  Wi-Fi_Guest04        | Manual     172.25.153.200  255.255.255.0    No    No
l3swaccstack#

 

where 172.25.16.4 is CPPM VIP.

JayBee
Guru Elite
Posts: 8,639
Registered: ‎09-08-2010

Re: Aruba 3810M Wired Guest

You need the following two entries to trigger the redirect:

Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 80 cpy
Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 443 cpy

Also, you may want to consider using user-roles instead. Much easier.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
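
The redirect requirement from the reply above, as an added example that is not part of the original thread and not ClearPass or switch code: a Python check that an Access-Accept's attributes contain a redirect trigger for TCP 80 and 443. The rule grammar is inferred only from the two quoted rules, first-match rule ordering is an assumption, and the sample attribute lists and portal URL are constructed.

```python
import re

# Grammar inferred from the two rules quoted in the thread; it is not the
# switch's full ACL syntax.
RULE_RE = re.compile(
    r"^(?P<action>permit|deny)\s+in\s+(?P<proto>\w+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+(?P<port>\d+))?(?P<opts>(?:\s+\w+)*)\s*$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparsed rule: {text!r}")
    rule = m.groupdict()
    rule["port"] = int(rule["port"]) if rule["port"] else None
    rule["opts"] = rule["opts"].split()
    return rule

def check_redirect(attrs, ports=(80, 443)):
    """attrs: (name, value) pairs from the Access-Accept. Returns findings."""
    rules = [parse_rule(v) for n, v in attrs if n == "NAS-Filter-Rule"]
    findings = []
    if not any(n == "hpe-captive-portal-url" and v for n, v in attrs):
        findings.append("no hpe-captive-portal-url attribute")
    for port in ports:
        for r in rules:  # assumption: rules are evaluated first-match, in order
            covers = (r["proto"] in ("tcp", "ip") and r["src"] == "any"
                      and r["dst"] == "any" and r["port"] in (port, None))
            if not covers:
                continue
            if (r["action"], r["proto"]) == ("deny", "tcp") and "cpy" in r["opts"]:
                break  # redirect trigger is the first rule this traffic hits
            findings.append(f"tcp/{port} hits a rule without cpy first")
            break
        else:
            findings.append(f"no 'deny in tcp from any to any {port} cpy' rule")
    return findings

# Constructed sample data (not taken from the poster's screenshots).
URL = ("hpe-captive-portal-url", "https://cppm.example/guest/register.php")
DNS = ("NAS-Filter-Rule", "permit in udp from any to any 53")
BEFORE = [URL, DNS]
AFTER = [URL, DNS,
         ("NAS-Filter-Rule", "deny in tcp from any to any 80 cpy"),
         ("NAS-Filter-Rule", "deny in tcp from any to any 443 cpy")]

if __name__ == "__main__":
    print("before:", check_redirect(BEFORE))
    print("after: ", check_redirect(AFTER))
```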
Contributor I
Posts: 29
Registered: ‎04-02-2017

Re: Aruba 3810M Wired Guest

Hi Tim,

 

Thanks. I am out of site for a couple of days. Will check and update you.

JayBee
Contributor I
Posts: 29
Registered: ‎04-02-2017

Re: Aruba 3810M Wired Guest

Hi Tim. Adding these statements made it work. Thanks.


#AirheadsMobile
JayBee