Occasional Contributor II
Posts: 20
Registered: ‎04-09-2015

Aruba controller not redirecting to CPPM

I just replaced a 3600 Controller with a 7030 because I needed to add more APs than the 3600 would support.

I have everything else up and running, but for some reason I can't get the controller to redirect to my CPPM server for guest authentication.  I changed the Login Page under the CP profile to the Weblogin configured on the CPPM, but whenever I test the Captive Portal, even from the controller, it tries to go here:

https://10.254.254.236/cgi-bin/login?profile=Clearpass-Versatile-Guest

rather than here:

https://clearpass.versacomm.com/guest/Versatile_Guest_Network.php?

which is where it is supposed to go.

10.254.254.236 is the controller's IP address and Clearpass-Versatile-Guest is the name of the CP profile on the controller.  The Clearpass is at 192.168.10.145 and it still works from the old 3600.  I have to be missing something simple, but I can't for the life of me figure out what it is.

Guru Elite
Posts: 8,011
Registered: ‎09-08-2010

Re: Aruba controller not redirecting to CPPM

Is the captive portal profile selected in your guest logon role? 


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: Aruba controller not redirecting to CPPM

Can you share the ACLs under CAPTIVE-PORTAL-ROLE (INITIAL ROLE)?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 20
Registered: ‎04-09-2015

Re: Aruba controller not redirecting to CPPM

Here are the initial Role and the ACLs associated:

user-role ClearPass-Guest-Login
 captive-portal "Clearpass-Versatile-Guest"
 dpi disable
 web-cc disable
 access-list session global-sacl
 access-list session apprf-ClearPass-Guest-Login-sacl
 access-list session Clearpass-Guest-Weblogin
 access-list session logon-control
 access-list session captiveportal

 
ip access-list session captiveportal
captiveportal
-------------
Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4


ip access-list session logon-control
logon-control
-------------
Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    any                      udp 68                 deny                             Low                                                           4
2         any     any                      svc-icmp               permit                           Low                                                           4
3         any     any                      svc-dns                permit                           Low                                                           4
4         any     any                      svc-dhcp               permit                           Low                                                           4
5         any     any                      svc-natt               permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4

ip access-list session Clearpass-Guest-Weblogin
Clearpass-Guest-Weblogin
------------------------
Priority  Source  Destination       Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------       -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         user    ClearPass_Server  svc-http                permit                           Low                                                           4
2         user    ClearPass_Server  svc-https               permit                           Low                                                           4
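
Added example, not part of the original thread and not Aruba's code: a first-match walk through the role's session ACLs as posted above, showing which rule a given guest flow hits. The service port definitions are assumed ArubaOS defaults, the alias addresses are the ones given in the thread, and the source column is ignored because every flow tested originates from the guest client.

```python
import ipaddress

# Addresses stated in the thread.
ALIASES = {"ClearPass_Server": "192.168.10.145/32", "controller": "10.254.254.236/32"}
# Assumption: ArubaOS default service definitions (protocol, low port, high port).
SERVICES = {
    "svc-http": ("tcp", 80, 80), "svc-https": ("tcp", 443, 443),
    "svc-dns": ("udp", 53, 53), "svc-dhcp": ("udp", 67, 68),
    "svc-natt": ("udp", 4500, 4500), "svc-icmp": ("icmp", 0, 0),
    "svc-http-proxy1": ("tcp", 3128, 3128), "svc-http-proxy2": ("tcp", 8080, 8080),
    "svc-http-proxy3": ("tcp", 8888, 8888), "udp 68": ("udp", 68, 68),
}
# ACLs in the order the role lists them (the two empty ACLs are omitted).
# Each rule is (destination, service, action); the source column is ignored.
ROLE_ACLS = [
    ("Clearpass-Guest-Weblogin", [
        ("ClearPass_Server", "svc-http", "permit"),
        ("ClearPass_Server", "svc-https", "permit")]),
    ("logon-control", [
        ("any", "udp 68", "deny"), ("any", "svc-icmp", "permit"),
        ("any", "svc-dns", "permit"), ("any", "svc-dhcp", "permit"),
        ("any", "svc-natt", "permit"),
        ("169.254.0.0 255.255.0.0", "any", "deny"),
        ("240.0.0.0 240.0.0.0", "any", "deny")]),
    ("captiveportal", [
        ("controller", "svc-https", "dst-nat 8081"),
        ("any", "svc-http", "dst-nat 8080"), ("any", "svc-https", "dst-nat 8081"),
        ("any", "svc-http-proxy1", "dst-nat 8088"),
        ("any", "svc-http-proxy2", "dst-nat 8088"),
        ("any", "svc-http-proxy3", "dst-nat 8088")]),
]

def dst_net(dst):
    """Turn an ACL destination (alias, 'any', or 'net mask') into a network."""
    if dst == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(ALIASES.get(dst, dst.replace(" ", "/")))

def first_match(dst_ip, proto, port=0):
    """Return (acl, priority, action) of the first rule the flow hits."""
    ip = ipaddress.ip_address(dst_ip)
    for acl, rules in ROLE_ACLS:
        for prio, (dst, svc, action) in enumerate(rules, 1):
            sproto, lo, hi = SERVICES.get(svc, (None, 0, 0))
            svc_ok = svc == "any" or (sproto == proto and lo <= port <= hi)
            if svc_ok and ip in dst_net(dst):
                return acl, prio, action
    return None, None, "deny"  # no rule matched: implicit deny
```

Under these assumptions, `first_match("192.168.10.145", "tcp", 443)` and `first_match("192.168.10.145", "icmp")` both return a permit that sits ahead of the captiveportal dst-nat rules, so the posted ACLs allow guest HTTPS and ping to the ClearPass server.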

 

Occasional Contributor II
Posts: 20
Registered: ‎04-09-2015

Re: Aruba controller not redirecting to CPPM

The 2 additional ACLs at the top (global-sacl and the AppRF ACL) have no rules in them, but I get an error when I try to delete them from the role.

MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: Aruba controller not redirecting to CPPM

- Make sure that, if you are using the ClearPass VIP in your Guest URL, that IP address is included in your ClearPass_Server netdestination

- Also verify that the https://clearpass.versacomm.com/guest/Versatile_Guest_Network.php URL is configured as your Login Page

- From the Guest network, can you reach clearpass.versacomm.com?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: Aruba controller not redirecting to CPPM

You can't delete those.

Those are used for AppRF rules
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 20
Registered: ‎04-09-2015

Re: Aruba controller not redirecting to CPPM

I checked and the netdestination is set to 192.168.10.145, which is the Clearpass server, and the URL is correct.

When I connected to the guest network, I can ping the controller but I cannot ping the clearpass server by either name or IP.

MVP
Posts: 4,086
Registered: ‎07-20-2011

Re: Aruba controller not redirecting to CPPM

Do you have an IP address assigned to the Guest VLAN in the controller?

How do you have your guest network configured?

- Routable in your internal network

- Only internal to your controller

- Or going through your DMZ
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 20
Registered: ‎04-09-2015

Re: Aruba controller not redirecting to CPPM

The Guest network VLAN does have an address on it, but it's not associated to a physical port or port channel on the controller.
