Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

IAP 105 and new Clearpass Captive portal issues.

  • 1.  IAP 105 and new Clearpass Captive portal issues.

    Posted Jun 26, 2012 09:21 AM

    Hi there, my intention is to run a few IAP’s together and let them use a ClearPass device to do external captive portal for ease of use and additional account management functionality (I’ll get to the “onboarding” later). I seem to have come unstuck for some reason and thus my post is as follows.

     

    So. I configure the IAP to have guest portal, external URL’s and point the radius (which I have configured) at the ClearPass device.

    As a test, I’ve connected the IAP 105 and the ClearPass on the same subnet, no VLANS. I have a small Debian machine running dnsmasq, so that I can have a DHCP and DNS server available.

     

    This subnet is 172.16.99.0/24 and addresses are as follows:

    Gateway Address 172.16.99.4 ( Debian machine)

    DNS Server Address 172.16.99.4 ( Debian machine)

    ClearPass STATIC, 172.16.99.5

    IAP-Virtual Controller STATIC, 172.16.99.1

    IAP-Master Controller STATIC, 172.16.99.115

    Guests and other users  DHCP, 172.16.99.10-254

     

    First of all, versions:

    IAP105 - 6.1.3.1-3.0.0.1_33617 – current and does not find any updates on the internet.

    ClearPass device:  VM with all the latest patches, and yes, licensed ;)

     

    Physical connectivity:

    The IAP is hardwired to the VM machine via a gigabit port.

    The other interface connects to my network so that I can manage the ESXi Server. This port also has the “firewall” portion of the Debian server on it which connects to the internet.

     

    IAP Configuration:

    The IAP has two ip’s as above and can readily be administered from the ADMIN SSID.

    I have 2 SSID’s on the IAP:

    ADMIN - (pre-shared key) and I can browse the internet when associated to it, being given my IP address, DNS server and gateway correctly from the dnsmasq on the Debian server. I then use this ADMIN SSID to manage the system.

    Guest AP Portal – guest mode, external captive portal. No VLANS, default connectivity to the network, matching the config from the ADMIN SSID. Devices on the SSID get DHCP, DNS and gateway delivered information.

     

    ClearPass Configuration:

    LAN interface configured as 172.16.99.5 and the MGMT interface configured with DHCP on my management network. I can get to the ClearPass on both the MGMT and LAN interfaces.

    I have created a RADIUS NAS entry for the 172.16.99.115 address and set up the credentials etc.

    I have created a web login for the address 172.16.99.115 and called it guest_portal . This is referenced as guest_portal.php, the URL for the IAP’s external portal config.

    The networking interfaces show that all is ok and that there are no errors (that it knows of ;) ).

    I create a user on the ClearPass to have a login that is current, in time and correct role.

     

    Observations:

    From the ADMIN SSID, on the same subnet I can get to the url: http://172.16.99.5/guest_portal.php

    It provides me with the login page. A mobile device that joins the network however cannot get to the login page.

    On an iPhone, if one makes an attempt to browse the internet before logging in, it takes a while after you have submitted the web url before it redirects to the captive portal page but never gets there.

     

    If I change the Guest SSID to have an internal captive portal but use the radius server then I can browse. Thus I assume my Radius part of the config is ok.

     

    Has anyone done this kind of deployment before with the ClearPass?

    Pictures of my configs attached.



  • 2.  RE: IAP 105 and new Clearpass Captive portal issues.
    Best Answer

    Posted Jun 26, 2012 04:16 PM

    Use "/" in the URL section of the IAP config, i.e. in image 3 that you have attached, use /guest_portal.php instead of guest_portal.php

     

    On Amigopod select the secure login as "send clear text password over HTTP"

     

    iap-amigo-1.jpg

     

     

    If HTTPS is required, keep the port as 80 in the port config section of IAP (if you use 443 you will get a tiny proxy error) but go to Amigopod and make the change as shown in the image below

     

     

    iap-amigo.jpg

     

     

     

    Regards,

    Sathya



  • 3.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Jun 27, 2012 04:59 AM

    Thanks, that worked like a charm as the portal page now comes up.

     

    However, where do I set the text string on the ClearPass that tells the IAP that the authentication has been successful?



  • 4.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Jun 27, 2012 06:26 PM

    Just give a random text on the IAP for the authentication text field. For RADIUS-based captive portals such as ClearPass this is not required. However, IAP doesn't allow you to have this field empty, so just input any dummy text on IAP. No config is required for this on ClearPass.

     

     

    Regards

    Sathya



  • 5.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Jun 29, 2012 04:17 AM

    OK, I have it working nicely now.

     

    No random text required (just left it blank).

     

    In the advanced settings of the IAP, enable "proxy radius", the rest falls into place.

     



  • 6.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Jul 10, 2012 09:13 PM

    Can I use a URL config with folders in the path? For example: /folder/page

     

    Thx!



  • 7.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Feb 04, 2013 05:30 AM

    Sorry for thread revival. I have exactly the same problem, I cannot get HTTPS to work.

     

    I have ClearPass 6.0.2.46902 and IAP-105 with latest code (6.2.0.0)

     

    I can't find Network Access Login > "Require HTTPS for Guest access" anywhere in the GUI on ClearPass. Can you point me in the right direction?

     

    Also, when I do register, provision the account with a sponsor, and log on using HTTP (with iPhone 4S with iOS 6.1), I get "Network login in progress", then it redirects me to securelogin.arubanetworks.com/cgi-bin/login where I get a blank page.

     

    If I open a new tab I go back to the registration page..... help :)

     

     

    Cheers

     

    Chris

     

     



  • 8.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Feb 05, 2013 04:01 AM

    OK, I got everything working with HTTP. Now I want HTTPS.

     

    If I select "Require HTTPS for guest access" under Configuration > Authentication on ClearPass, I get a message on my iPhone

     

    "Safari cannot open the page because it could establish a secure connection to the server"

    The IAP is set up to redirect to ClearPass using Port 80 with login page "/guest/register.php"

     

    Anyone?

     

    Cheers

     

    Chris

     



  • 9.  RE: IAP 105 and new Clearpass Captive portal issues.

    Posted Jun 21, 2013 02:56 AM

    IAP actually doesn't support HTTPS external captive portal, so you have to point to and permit with firewall rules both HTTP and HTTPS captive portal, and tell Amigopod to force HTTPS.

     

    This technically works, but with Firefox users get a security warning that doesn't sound good, like "Although this page is encrypted, this information you have entered is to be sent over an unencrypted connection and could easily be read by a third party. Are you sure you want to continue sending this information?"

     

    I open a ticket for that