Super Contributor II

Aruba Instant with CPPM as External Captive Portal Questions

Hi,

 

We are in the process of swapping all of our Dell branded Aruba gear for Aruba branded gear.

This time around we have decided to try out the IAPs and drop the controller (mainly due to cost).

 

I am currently working on the Guest portion and have a few questions/problems regarding it.

 

For the VLAN, I used the static assignment. Is this the right approach if my pre-auth and auth VLANs will be the same?

VLAN assignment static

When I connect to the SSID I am getting redirected properly and hitting the appropriate Captive Portal page. When I attempt to sign in though the page just keeps looping. When I was using the controller I set the Address field for the web login page on the CPPM to captiveportal-login.mydomain.com. I had a wildcard cert loaded on the controller so there was no cert error when the redirection happened.

If I use captiveportal-login.mydomain.com with the IAP I receive a DNS error, and no cert error. I haven't loaded any new certs onto the IAP yet. On the preauth-guest role I have it configured just with HTTP and HTTPS access to the ClearPass itself as per a YouTube video I was following.

 Am I missing a configuration on the IAP itself or perhaps on the user role? 

 

captiveportal-login

 

Just to confirm, the IAPs don't have anything similar to "netdestination" like the controllers do, do they? Based on the CLI PDF it doesn't look like it, but I just wanted to confirm.

 

Sorry for all the dumb questions. I honestly didn't expect the IAPs to be that different from that of a controller based environment.

 

Any help would be greatly appreciated.

 

Cheers

Re: Aruba Instant with CPPM as External Captive Portal Questions

Hi Bourne,

 

For the VLAN, I used the static assignment. Is this the right approach if my pre-auth and auth VLANs will be the same?

 

Sure, it can be the same VLAN, the pre-auth role will take care of restricting all access prior to successful auth. Just make sure it only allows https to CPPM and DNS + DHCP then you're good.

 

If you haven't loaded any cert on the IAP now, then you should enter securelogin.arubanetworks.com (since this is the CN of the factory cert) in the address field.

 

As for the netdestination, there is no such feature in Instant as far as I know!

Hope this helps :)

 

 

 

ACMP, ACCP, BCNE
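
The pre-auth baseline described in the reply above (HTTPS to CPPM only, plus DNS and DHCP), as an added example that is not part of the original thread and not Aruba code. The `Rule` representation, the `audit_preauth` helper and the CPPM address `192.0.2.10` are constructed for illustration and are not IAP CLI syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CPPM_IP = "192.0.2.10"  # constructed sample address (documentation range)

@dataclass(frozen=True)
class Rule:
    dest: str     # CIDR string or "any"
    proto: str    # "tcp", "udp" or "any"
    ports: tuple  # (start, end), inclusive
    action: str   # "permit" or "deny"

def audit_preauth(rules, cppm_ip):
    """Return findings for a pre-auth role that should only permit
    HTTPS to CPPM, DNS and DHCP. An empty list means it matches."""
    cppm = ip_address(cppm_ip)
    seen = {"https-to-cppm": False, "dns": False, "dhcp": False}
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue  # deny rules cannot widen pre-auth access
        net = ip_network("0.0.0.0/0" if r.dest == "any" else r.dest, strict=False)
        lo, hi = r.ports
        host_is_cppm = net.prefixlen == 32 and cppm in net
        if r.proto == "tcp" and (lo, hi) == (443, 443) and host_is_cppm:
            seen["https-to-cppm"] = True
        elif r.proto == "udp" and (lo, hi) == (53, 53):
            seen["dns"] = True
        elif r.proto == "udp" and lo >= 67 and hi <= 68:
            seen["dhcp"] = True
        else:
            findings.append(
                f"rule {i}: permit {r.proto} {lo}-{hi} to {r.dest} "
                "is broader than the pre-auth baseline")
    findings += [f"missing: {name}" for name, ok in seen.items() if not ok]
    return findings

# Constructed rule sets: one matching the baseline, one too permissive.
TIGHT = [
    Rule("192.0.2.10/32", "tcp", (443, 443), "permit"),
    Rule("any", "udp", (53, 53), "permit"),
    Rule("any", "udp", (67, 68), "permit"),
    Rule("any", "any", (0, 65535), "deny"),
]
LOOSE = [
    Rule("any", "tcp", (80, 443), "permit"),  # web access to everything
    Rule("any", "udp", (53, 53), "permit"),
]

if __name__ == "__main__":
    for name, rules in (("TIGHT", TIGHT), ("LOOSE", LOOSE)):
        print(name, audit_preauth(rules, CPPM_IP) or "OK")
```
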
Super Contributor II

Re: Aruba Instant with CPPM as External Captive Portal Questions

Hi @OverClock,

 

Thank you for the reply.

 

Is there another method of providing the VLAN for the pre-auth role besides statically setting it? I believe I can use the role itself to assign the role.

Any suggestions on restricting Guest access post-auth? I guess there is no way to avoid just denying access to all of our internal networks?

 

Doh! Is a certificate replacement a prerequisite for the captiveportal-login to work? If so I shouldn't have known that.

I did actually try using securelogin.arubanetworks.com, but still received an issue on the redirect. I will take a closer look tomorrow!

 

Thank you again for the reply!

Cheers

Re: Aruba Instant with CPPM as External Captive Portal Questions

Hi Bourne, you could easily have the pre-auth in a separate VLAN but the only concern here is that it's layer 3 authentication with a captive portal which means you would need to terminate client session after successful auth to allow it to re DHCP and get IP in new VLAN with new role once authenticated.

Most of the time you want to have 2 roles in same VLAN for guests:

pre-auth = really restricted with only required access to reach CPPM etc
post-auth = returned by CPPM to the IAP following successful auth and gives full internet access (or whatever you decided)

Replacing certificate is surely a best practice but not a prerequisite. Are you perhaps trying to browse an HTTPS web page before getting redirected? If so this is normal HSTS behavior on newer web browsers. Try browsing http://cnn.com and see what it does.

Cheers,

ACMP, ACCP, BCNE
Super Contributor II

Re: Aruba Instant with CPPM as External Captive Portal Questions

Hi @Overclock,

 

Thank you for your reply.

 

I managed to get it working now.

I found something strange though, during the Captive Portal Guest login there are two different RADIUS requests sent to the ClearPass.

 

One request is handled by the Publisher, while the other is handled by the Subscriber.

Each request is different in the information that is provided.

 

The first one that is handled by the Publisher seems to indicate the request is Ethernet based as the NAS-Port-Type is 15.

2017-07-25_11h24_32.png

 

The second request that is handled by the Subscriber indicates the request as a wireless request as the NAS-Port-Type is 19.

2017-07-25_11h25_45.png

 

I am just not sure why I would be seeing two different requests?

 

What are the requirements for the certificate for the Captive Portal Server? I am assuming this is the certificate that we want to replace? It wants a pem, cer, or crt. If my memory is correct, you cannot include the private key in these cert types. Does the cert require the cert bundle? And can this certificate be a wildcard cert like it can be on the controller?

 

Cheers

Guru Elite

Re: Aruba Instant with CPPM as External Captive Portal Questions

The first one looks like it's a RADIUS-based preauth as the source address is localhost.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: Aruba Instant with CPPM as External Captive Portal Questions

The reason you see 2 RADIUS requests is probably because the web login page configuration has the pre-auth check set to RADIUS method. 

As for the certificate, yes it supports wildcard. There are multiple ways/procedures, the solution of this thread explains it well and straight to the point:

http://community.arubanetworks.com/t5/Controllerless-Networks/IAP-205-wildcard-certificate-for-replace-securelogin/m-p/278998

 

ACMP, ACCP, BCNE
Super Contributor II

Re: Aruba Instant with CPPM as External Captive Portal Questions

Hi guys,

 

Thank you @Overclock and @cappalli.

It looks like you were correct about the pre-auth check on the web page.

2017-07-25_11h54_04.png

 

I honestly don't recall why I set this like this.

What is the benefit/drawback of doing this and not doing this?

 

And thank you for the link for changing the cert. That will help a lot!

 

Cheers

Super Contributor II

Re: Aruba Instant with CPPM as External Captive Portal Questions

Hi Guys,

 

Okay I found this post that explains why you would use pre-auth check.

 

I will create two rules now to handle this pre-auth check accordingly.

 

Cheers

Guru Elite

Re: Aruba Instant with CPPM as External Captive Portal Questions

Just to be clear, when you're only handling guest users, you do not need an "external" pre-auth check. Just use Local.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480