Campus Switching and Routing

Reply
MVP
Posts: 371
Registered: ‎01-14-2010

MAS 7.3 not redirecting to Clearpass Guest

All,

 

I'm working through a configuration in my lab with a MAS S3500 running 7.3.2.2 and Clearpass. I'm trying to put together one of those configs that has everything working - it makes it easier to copy and paste when I'm with a customer. I should have gotten around to this a while ago, but better late than never!

 

I have been able to get 802.1x, Mac auth, and 802.1x + Mac auth working without too much of an issue. The problem that I'm running into really seems basic, but I'm currently at a loss. 

 

The problem occurs when I attempt I'm placed in the captive portal role and I attempt to go to the Clearpass Guest page. I've tried it on three different browers and they all hang. I can manually enter the URL from the login page and it works without issue, exactly what I expect. It "feels" like the problem on the ArubaOS side when you don't have an ACL specifically for Clearpass in your Captive Portal role. On the MAS side, you'll see below that there is a netdestination that allows traffic to my CPPM server.

 

I have the following user role in the MAS config:

 

user-role ToP-CPPM-Guest-CP
   vlan 18
   captive-portal "ToP-CPPM-Portal"
!

 

Here's the captive portal config:

 

aaa authentication captive-portal "ToP-CPPM-Portal"
   default-role "authenticated"
   server-group "Clearpass"
   protocol-http
   login-page "http://192.168.102.253/guest/guest_register_login.php"
!

 

Here's the AAA config:

 

aaa profile "ToP-Guest-AAA-Profile"
   initial-role "ToP-CPPM-Guest-CP"
   authentication-mac "ToP-Mac-Auth"
   mac-default-role "authenticated"
   mac-server-group "Clearpass"
   radius-accounting "Clearpass"
   radius-interim-accounting
   enforce-dhcp
!

 

Here's the port configuration:

 

!
interface gigabitethernet "0/0/38"
   mstp-profile "ToP-BPDU-Guard"
   lldp-profile "lldp-factory-initial"
   poe-profile "poe-factory-initial"
   aaa-profile "ToP-Guest-AAA-Profile"
   description "Captive Portal with Caching port"
   switching-profile "ToP-Access"
   no trusted port
!

 

When I connect to port gig0/0/38, there's a MAC Auth / Caching error in Access Tracker, as expected, and then I'm placed in the correct role in the user-table:

 

192.168.18.10  40:6c:8f:36:de:44  40:6c:8f:36:de:44  ToP-CPPM-Guest-CP  00:00:15    No    Wired       0/0/38     ToP-Guest-AAA-Profile  18 (18)

 

A view of the station table show the following:

 

(ToP-S3500) #show station-table mac 40:6c:8f:36:de:44

Association Table
-----------------
BSSID IP Essid AP name Phy Age
--------------- ----------- ------- ------- --- ---
01:80:c2:00:00:03 0.0.0.0 N/A - b 00:00:16

 

A show rights on the role shows the correct settings:

 

(ToP-S3500) #show rights ToP-CPPM-Guest-CP

Derived Role = 'ToP-CPPM-Guest-CP'

Assigned VLAN = 18
Periodic reauthentication: Disabled
ACL Number = 39/0/40
Captive Portal profile = ToP-CPPM-Portal
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 ToP-CPPM-Portal stateless
ToP-CPPM-Portal
---------------
Priority Source Destination Service Action TimeRange Log Expired QoS Policer Blacklist Mirror IPv4 Nexthop
-------- ------ ----------- ------- ------ --------- --- ------- --- ------- --------- ------ ---- -------
1 user ToP-CPPM-Portal-allow-ip svc-http permit 4
2 any any svc-http dst-nat 8080 4
3 any any svc-https dst-nat 8081 4
4 any any svc-dns permit 4
5 any any svc-dhcp permit 4
Expired Policies (due to time constraints) = 0

 

(ToP-S3500) # show netdestination ToP-CPPM-Portal-allow-ip

ToP-CPPM-Portal-allow-ip
------------------------
Position Type IP addr Mask-Len/Range
-------- ---- ------- --------------
1 host 192.168.102.253 32

 

I'm just at a loss on this one. I feel like there's some knob that I'm missing and I'm sure it's going to be a eureka moment when it's pointed out. 

 

Thanks for all of the help!

 

-Mike

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: MAS 7.3 not redirecting to Clearpass Guest

Does vlan 18 have a layer 3 interface on the switch?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 371
Registered: ‎01-14-2010

Re: MAS 7.3 not redirecting to Clearpass Guest

Hey Tim,

 

Nope, it's a L2 interface trunked down to the switch. I'm using it as a general purpose VLAN for all the user facing ports.

 

There are two VLANs, 18 and 172, that are trunked to the S3500. They run upstream to a Juniper SRX that holds the gateways for the 18 and 172 VLANs.

 

-Mike

Guru Elite
Posts: 8,637
Registered: ‎09-08-2010

Re: MAS 7.3 not redirecting to Clearpass Guest

You need to add an RVI for that VLAN on the stack in order for redirection to occur.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 371
Registered: ‎01-14-2010

Re: MAS 7.3 not redirecting to Clearpass Guest

Tim,

 

Thanks - that's the bonus of a fresh pair of eyes! It worked like a charm when I tried this morning.

 

-Mike

Search Airheads
Showing results for 
Search instead for 
Did you mean: