Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Basic question regarding Clearpass configuration

  • 1.  Basic question regarding Clearpass configuration

    Posted Jun 03, 2015 08:26 AM

    Hello,

     

    I'm very new to Clearpass so please bear with me.

     

    We had an issue with one of our sites being unable to access a secure portal hosted on the ClearPass server for guest access. I checked the ClearPass configuration, specifically the Web Login configuration, and noticed we have two definitions. In reviewing and comparing the two, the only difference I noted was in the option 'Secure Login: Secure login using HTTPS / Send cleartext passwords over HTTP'.

     

    On the controller, in the captive portal, we only permit HTTPS access to the ClearPass server.

     

    So my question is this: must this option be set to 'Secure login using HTTPS' for this to work, or is it unrelated? I can't find a lot of information relating to the use of this option in the ClearPass User Guide or ClearPass Guest User Guide.

     

    Thanks



  • 2.  RE: Basic question regarding Clearpass configuration

    EMPLOYEE
    Posted Jun 03, 2015 10:46 AM

    If you need to use HTTPS, then you must make sure 'use http' is unchecked in the controller L3 config, and you cannot have the redirect include https. On ClearPass you need to have HTTPS checked.

    [attachment: Screen Shot 2015-06-03 at 9.39.29 AM.png]

    [attachment: Screen Shot 2015-06-03 at 9.40.13 AM.png]



  • 3.  RE: Basic question regarding Clearpass configuration

    Posted Jun 03, 2015 10:53 AM

    Hi Troy,

     

    Thanks for your feedback, that is what we have set.

     

    I was wondering what the impact was of having the attached; the 'Secure Login' option is what I'm particularly interested in, as this is where I see a difference between the two options. I wondered how this relates to the captive portal config, if it does at all?



  • 4.  RE: Basic question regarding Clearpass configuration

    EMPLOYEE
    Posted Jun 03, 2015 10:59 AM
    The default for Aruba is to use HTTPS (use vendor default). You can manually change it to HTTPS, but you shouldn't have to.

    Where is the issue you are seeing? Is it that when the client connects it doesn't see the ClearPass guest page?


  • 5.  RE: Basic question regarding Clearpass configuration

    Posted Jun 03, 2015 11:06 AM

    The issue I was seeing was that when a site had the 'Secure Login' option set to 'Send cleartext passwords over HTTP', the page wasn't loading; when I switched the site to use 'Secure login using HTTPS', the captive portal page loaded. This was the only difference between the two Web_Login configurations.



  • 6.  RE: Basic question regarding Clearpass configuration

    EMPLOYEE
    Posted Jun 03, 2015 11:21 AM
    If you do not have the settings above, then you cannot use HTTP; it will fail.


  • 7.  RE: Basic question regarding Clearpass configuration

    Posted Jun 03, 2015 11:25 AM

    Thanks.

     

    Just for my benefit, how is the setting for the option 'Secure Login' used, i.e. what is its relationship to the wireless controller/captive portal configuration?

     

    In my environment we do the following:

     

    - enable captive portal with a redirect to Clearpass

    - only permit, in the user-role, https access to this address

     

    For this reason, should the 'Secure Login' be set to use HTTPS, or does this have no direct relationship to the captive portal configuration?

     

    Sorry if I'm not making a lot of sense. I just want to be clear on the purpose of this function and its relationship to the controller configuration.



  • 8.  RE: Basic question regarding Clearpass configuration

    Posted Jun 03, 2015 12:05 PM

    If you are using the Aruba controller, you need to configure your initial role this way; otherwise, as Troy said, this is going to fail:

    ip access-list session CPPM-CP-ACL
      any any svc-dhcp permit
      user any svc-dns permit
      user any svc-https dst-nat 8081
      user any svc-http dst-nat 8080
      user alias <CLEARPASS IP> svc-https permit
      user alias <CLEARPASS IP> svc-http permit

    user-role GUEST-PORTAL-ROLE ---->>> This is the initial role under the guest AAA Profile
      access-list session CPPM-CP-ACL

    And then on your GUEST-ROLE ---->>> This is the role in the Captive Portal Profile

    ip access-list session GUEST-ACL
      user any udp 68 deny
      any any svc-dhcp permit
      user any svc-dns permit
      user any svc-https permit

    That option you are talking about defines how you send authentication, through a secure or insecure method, and what you control in the initial role is for the redirect, which in this case is to the ClearPass server; once the user passes authentication (HTTPS or HTTP clear text) you can then control what the user has access to.

     

    Hope this makes sense.
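    The point of the exchange above is that the Web Login 'Secure Login' setting chooses the scheme the client will be sent to ClearPass on, while the initial role's session ACL decides whether that scheme actually reaches ClearPass or is dst-nat'ed back to the controller's captive portal. The following checker is an added example written for this thread, not Aruba or ClearPass code: it parses `ip access-list session` blocks in the controller's syntax, evaluates them top-down with first-match semantics (an assumption about how session ACLs are processed; it means rule order matters), and reports whether the scheme implied by the Web Login setting is permitted to the ClearPass alias. The ACL text is constructed from the CPPM-CP-ACL posted here, with `CPPM-SERVER` as an assumed alias name standing in for <CLEARPASS IP>; the 'vendor default' mapping to HTTPS for Aruba is taken from reply 4. With the original poster's HTTPS-only initial role, a Web Login set to HTTP fails the check and one set to HTTPS passes, which is the behaviour described in the thread.

```python
"""Consistency check: Aruba initial-role session ACL vs. ClearPass Guest
Web Login 'Secure Login'.  Added example for this thread, not vendor code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from the thread's CPPM-CP-ACL.  'CPPM-SERVER' is an assumed
# alias name; the ClearPass permit is listed ahead of the catch-all dst-nat
# rules because the checker (like a session ACL) matches top-down.
INITIAL_ROLE_ACL = """
ip access-list session CPPM-CP-ACL
  any any svc-dhcp permit
  user any svc-dns permit
  user alias CPPM-SERVER svc-https permit
  user any svc-https dst-nat 8081
  user any svc-http dst-nat 8080
"""

# Same rules with the catch-all dst-nat lines first, to show the ordering pitfall.
MISORDERED_ACL = """
ip access-list session CPPM-CP-ACL-MISORDERED
  any any svc-dhcp permit
  user any svc-dns permit
  user any svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user alias CPPM-SERVER svc-https permit
  user alias CPPM-SERVER svc-http permit
"""

SCHEME_SERVICE = {"http": "svc-http", "https": "svc-https"}
VENDOR_DEFAULT_SCHEME = {"aruba": "https"}   # per reply 4 in the thread


@dataclass(frozen=True)
class Rule:
    src: str        # 'user', 'any', ...
    dst: str        # 'any' or an alias name
    service: str    # 'svc-https', 'udp 68', ...
    action: str     # 'permit', 'deny', 'dst-nat 8081', ...


def parse_session_acl(text: str) -> Dict[str, List[Rule]]:
    """Parse one or more 'ip access-list session NAME' blocks, preserving rule order."""
    acls: Dict[str, List[Rule]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        header = re.match(r"ip access-list session (\S+)$", line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        if current is None:
            raise ValueError(f"rule outside an access-list: {line!r}")
        tok = line.split()
        if len(tok) < 4:
            raise ValueError(f"unrecognised rule: {line!r}")
        src = tok[0]
        # 'user alias NAME svc-https permit' vs. 'user any svc-dns permit'
        dst, rest = (tok[2], tok[3:]) if tok[1] == "alias" else (tok[1], tok[2:])
        # 'udp 68' style services take two tokens; 'svc-*' take one
        if rest[0] in ("tcp", "udp"):
            service, rest = f"{rest[0]} {rest[1]}", rest[2:]
        else:
            service, rest = rest[0], rest[1:]
        acls[current].append(Rule(src, dst, service, " ".join(rest)))
    return acls


def first_match(rules: List[Rule], clearpass_alias: str, scheme: str) -> Optional[str]:
    """Action applied to a pre-auth client ('user') reaching ClearPass over `scheme`.
    First matching rule wins; None means the implicit deny at the end of the ACL."""
    service = SCHEME_SERVICE[scheme]
    for r in rules:
        if r.src in ("user", "any") and r.dst in ("any", clearpass_alias) and r.service == service:
            return r.action
    return None


def web_login_is_consistent(acl_text: str, acl_name: str, clearpass_alias: str,
                            secure_login: str, vendor: str = "aruba") -> Tuple[bool, str]:
    """secure_login is 'https', 'http' or 'vendor_default'. Returns (ok, detail)."""
    scheme = VENDOR_DEFAULT_SCHEME[vendor] if secure_login == "vendor_default" else secure_login
    action = first_match(parse_session_acl(acl_text)[acl_name], clearpass_alias, scheme)
    if action == "permit":
        return True, f"{scheme} to {clearpass_alias} is permitted by {acl_name}"
    if action is None:
        return False, f"{scheme} to {clearpass_alias} hits the implicit deny in {acl_name}"
    return False, (f"{scheme} to {clearpass_alias} matches '{action}' before any permit "
                   f"in {acl_name}; the Web Login page will not load")


if __name__ == "__main__":
    for setting in ("https", "http", "vendor_default"):
        print(setting, web_login_is_consistent(INITIAL_ROLE_ACL, "CPPM-CP-ACL", "CPPM-SERVER", setting))
    print("misordered", web_login_is_consistent(MISORDERED_ACL, "CPPM-CP-ACL-MISORDERED", "CPPM-SERVER", "https"))
```

    Run it against a `show ip access-list` dump of the real initial role (paste the block into the text) and the alias the controller actually uses; a result other than `permit` for the scheme the Web Login selects is the mismatch described in replies 6 and 9. The second sample shows why the order matters: with the catch-all `dst-nat` rules listed first, even an HTTPS Web Login never reaches ClearPass because the request is rewritten to the controller's port 8081.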



  • 9.  RE: Basic question regarding Clearpass configuration

    Posted Jun 03, 2015 03:33 PM

    Thanks Victor,

     

    I do have my initial role defined as you have suggested, but in this initial role we only permit HTTPS access to the CPPM server.

     

    In the Web Login configuration, when it was not working, the 'Secure Login' was set to 'Send passwords in Cleartext HTTP'. As the initial role was only permitting HTTPS, this didn't match the configuration above; I believe this is why the user was not being directed, as the Web Login configuration did not match the ACL defined on the controller.

     

    Does this seem reasonable? The issue I have is that since making this change it is now fixed, and the site is on the other side of the world, so I wasn't able to perform a packet capture before and after.



  • 10.  RE: Basic question regarding Clearpass configuration
    Best Answer

    Posted Jun 04, 2015 06:56 AM
    That's correct.