MVP
Posts: 707
Registered: ‎12-01-2010

CP-Guest and CPPM not talking

Or rather, CPPM doesn't recognize the WEBAUTH request from Guest...

 

I’ve used the Policy Manager “service templates” to make a pre-auth service for the webauth from Guest, and the actual auth requests from Guest don’t match the service profile, so they’re getting denied.

 

Some advice on getting the Guest requests to match the webauth service (both built-in or wizard generated, so I’d expect them to work)

 

Capture.PNG

 

For the intrepid reader, here's the log of the request:

Request log details for session: W00000006-01-531a3038
Time 	Message
2014-03-07 13:46:48,679 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.dhcp.snooper.request.MacLookupRequestHandler - No MAC address exists for ip 10.10.6.31
2014-03-07 13:46:48,679 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] INFO com.avenda.tips.webauthservice.reqhandlers.RequestUtils - Failed to get macAddress from dhcpSnooper, reason=No MAC address found
2014-03-07 13:46:48,679 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] WARN com.avenda.tips.webauthservice.NadProvider - Cannot find NAD IP since client MAC is not known
2014-03-07 13:46:49,593 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915527 h=79 r=W00000006-01-531a3038] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
2014-03-07 13:46:49,596 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
2014-03-07 13:46:49,601 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
2014-03-07 13:46:49,601 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
2014-03-07 13:46:49,601 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 0 entity id = 29
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 h=7582725 c=W00000006-01-531a3038] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Started ***
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 h=7582726 c=W00000006-01-531a3038] ERROR Core.PETaskOutputPolicyRes - computeAndOutputResponse: Failed get service config
2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=W00000006-01-531a3038 h=7582725 c=W00000006-01-531a3038] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Completed ***
2014-03-07 13:46:49,604 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.policy.ChainedPolicyClient - Policy evaluation request failed with statusCode=StatusInvalidParam
2014-03-07 13:46:49,604 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform chained policy-evaluation and enfProfiles

 

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
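
The failure chain in the request log above can be pulled out mechanically. This is an added example, not part of the original post and not ClearPass code: a small Python parser for the log line layout shown in the post. The regular expressions are inferred from those lines only, and `parse` and `triage` are hypothetical names.

```python
import re

# Constructed sample: six lines copied from the request log in the post above.
SAMPLE_LOG = """\
2014-03-07 13:46:48,679 \t[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.dhcp.snooper.request.MacLookupRequestHandler - No MAC address exists for ip 10.10.6.31
2014-03-07 13:46:48,679 \t[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] INFO com.avenda.tips.webauthservice.reqhandlers.RequestUtils - Failed to get macAddress from dhcpSnooper, reason=No MAC address found
2014-03-07 13:46:49,593 \t[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915527 h=79 r=W00000006-01-531a3038] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
2014-03-07 13:46:49,596 \t[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
2014-03-07 13:46:49,601 \t[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
2014-03-07 13:46:49,601 \t[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
"""

# Patterns inferred only from the lines above; not a documented ClearPass format.
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})\s+\[(?P<ctx>.*?)\]\s+"
                  r"(?P<level>ERROR|WARN|INFO|DEBUG)\s+(?P<logger>\S+) - (?P<msg>.*)$")
SESSION = re.compile(r"(?:R:|r=|c=)(W[0-9a-f-]+)")   # session id as it appears in the thread context
MISSING = re.compile(r"(Connection:[\w-]+) is not found")
REASON = re.compile(r"reason=(.+)$")

def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid = SESSION.search(m["ctx"])
        events.append({"ts": m["ts"], "session": sid.group(1) if sid else None,
                       "level": m["level"], "logger": m["logger"], "msg": m["msg"]})
    return events

def triage(events):
    """Per session: count ERRORs, list missing Connection attributes and stated reasons."""
    report = {}
    for e in events:
        r = report.setdefault(e["session"], {"errors": 0, "missing": [], "reasons": []})
        r["errors"] += e["level"] == "ERROR"
        r["missing"] += MISSING.findall(e["msg"])
        r["reasons"] += REASON.findall(e["msg"])
    return report

if __name__ == "__main__":
    for session, r in triage(parse(SAMPLE_LOG)).items():
        print(session, r)
```

On the sample, the summary lists the two `Connection:` attributes the request arrived without next to the `FailedToClassifyRequestToService` reason.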
MVP
Posts: 707
Registered: ‎12-01-2010

Re: CP-Guest and CPPM not talking

OK, one step closer - I found that I had left the ".php" off of the portal URL in the iAP configuration.

Fixing that makes the portal pages load correctly, but now I get a RADIUS accept followed by the same WEBAUTH reject I included above.

 

Still puzzled.

--Matthew

Guru Elite
Posts: 20,811
Registered: ‎03-29-2007

Re: CP-Guest and CPPM not talking

Look at the input tab and see what is not matching your guest service.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: CP-Guest and CPPM not talking

Can you post some screenshots of the service?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 707
Registered: ‎12-01-2010

Re: CP-Guest and CPPM not talking

The Input tab is disturbingly empty:

Capture.PNG

 

I've come to suspect that my issue is in the Web Login settings in Guest, Configuration.

I've set the VendorSettings to Captive Portal with ClearPass Web Auth.

 

Should I be using something else?

--Matthew

MVP
Posts: 707
Registered: ‎12-01-2010

Re: CP-Guest and CPPM not talking

The service summary page:

Capture.PNG

--Matthew

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: CP-Guest and CPPM not talking

Your registration page is not configured properly
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: CP-Guest and CPPM not talking

Is this a pre-registration auth check or a guest self registration?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 707
Registered: ‎12-01-2010

Re: CP-Guest and CPPM not talking

I believe pre-registration auth check.

 

I'm trying to recreate the process we follow now on controller-based-portal: Reception and Helpdesk create guest accounts and set start/end dates/times, and users who connect to the SSID get a captive-portal where they type in the pre-assigned credentials.

 

I’ve tried setting vendor in the Web Login settings (on Guest) to “Captive Portal with ClearPass Web Auth,” “Aruba Networks, and Server-Initiated – Change of authorization (RFC 3576) sent to controller,” and “Controller-Initiated – Guest Browser performs HTTP form submit”.

 

The Captive Portal one appears to make a WEBAUTH attempt to CPPM, but fails to identify itself, so CPPM rejects it.

The Server and Controller Initiated ones make a good RADIUS request, then a bad WEBAUTH just like the Captive Portal.

 

Has anyone got an example where they've done the simple-form captive portal?

--Matthew

Guru Elite
Posts: 8,335
Registered: ‎09-08-2010

Re: CP-Guest and CPPM not talking

In your web login form, try changing Pre-auth check to "none". This will then post the credentials the users enter to the controller. The controller then makes a WebAuth request to ClearPass so you'll need a service like below:

 

guest-web-auth.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480