Security

Reply
Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Basic Clearpass deployment question

How do I send a successful authentiction (specfically a vsa) from the new version of cppm (guest)?

 

I am finding the integration between the two products confusing, due to my lack of familairity

 

I have used a template and I have got the captive portal set up and get the splash page and authenticate, but in accesstracker I see no output from the authentiction attempt, except an enforcement profile (which is positive), also a little concerned the controller's nas id is not in the packet, so if it sends back a vsa I guess the role change may not go into effect.

 

has anyone come across similair situation?

 

thanks

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Basic Clearpass deployment question

Basically I am bit getting the role change on the controller after successful webauth on the captive portal
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Basic Clearpass deployment question

Nik,

 

Are you using a username and password that is already defined?  The controller has a Default Role in the L3> Captive Portal Authentication Profile that users will get if no VSA is sent back.  Are you saying that you are not happy with that role and you want to change it, or do you want to send back a different role for a different class of users?  A simple positive authentication will have users placed into the role in the Captive Portal Authentication Profile..  Do you want to define a different role to be sent back via VSA?

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Basic Clearpass deployment question

That would be perfect. But where do I define the nas? In the old amigo pod you defined these manually. There are no options like this anymore. I also have multiple controllers that may need this authentication accept message.
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Basic Clearpass deployment question

You define the NAS in ClearPass under Configuration> Network > Devices.  As long as you have it defined there, you do not have to specify the NAS in the service...  ClearPass will process an incoming authentication request from any device in the Network Devices list.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Basic Clearpass deployment question

Great OK I will check my config work there and I guess if I need a specific vsa I can just customise the enforcement profile?
Guru Elite
Posts: 20,820
Registered: ‎03-29-2007

Re: Basic Clearpass deployment question

Yes. You just add add an Aruba-User-Role vsa to your enforcement profile.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Basic Clearpass deployment question

Great stuff thanks again for your help
Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Basic Clearpass deployment question

Right, what is happening is I am not getting any entries on the access tracker.

 

When I put a proper password in the captive portal on my windows machine it hangs and goes to a http 404 and on my linux test machine i get a access denied in the redirected url

 

any ideas?

Regular Contributor I
Posts: 170
Registered: ‎03-18-2013

Re: Basic Clearpass deployment question

I get precisely the same error if I login successfully to the login page during the page testing

 

I reckon it looks like the controller is not passing it's IP address to the weblogin

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: