
CPPM 6.3 Guest Sponsorship - Radius Failure

  • 1.  CPPM 6.3 Guest Sponsorship - Radius Failure

    Posted Jun 22, 2014 09:27 PM

    ClearPass Cumulative Patch 3 for 6.3.0, 6.3.1, 6.3.2*+

     

    Policy Manager software version : 6.3.3.63748
    Policy Manager model number     : CP-VA-5K

     

    AP - Aerohive

    CWP using https with valid 3rd party certificates


    Here is what is happening

    guest connects to guest ssid
    opens browser and is redirected to ClearPass guest for self registration
    Guest picks a sponsor and fills in the required info
    sponsor gets email and clicks to enable
    guest login button gets enabled
    receipt sent to sponsor
    guest clicks on the login button and authentication fails

    debug shows that the AP gets a weird password from the submit form

    post input: username=chuck%40n.com&password=3433323833333636

    password should be
    43283366


    as you can see the submit form is adding a 3 between every number

    3433323833333636

    If the guest uses the regular login form and enters the username and password that was created through the sponsor process then authentication is successful.

    I am not sure where to look to stop the submit button from adding the extra 3s


    Cheers

     


     

     



  • 2.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    EMPLOYEE
    Posted Jun 23, 2014 12:09 AM

    When you click login, it's the NAS device that is submitting the auth request to CPPM. You can do a packet capture to confirm, but most likely the issue is coming from the NAS doing a RADIUS auth to CPPM. You will need to double check your settings in the NAS.

     


     

    In the standard AAA framework, network access is provided to a user according to the following process:

     * The user connects to the network by associating with a local access point [1].
     * A landing page is displayed to the user [2] which allows them to log in to the NAS [3][4] using the login name and password of their guest account.
     * The NAS authenticates the user with the RADIUS protocol [5].
     * ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific attributes [6] that are used to configure the NAS based on the user’s role and other policies [7].
     * If the user’s access is granted, the NAS permits the guest access to the network based on the settings provided by the ClearPass Policy Manager server.
     * The NAS reports details about the user’s session to the ClearPass Policy Manager server using RADIUS accounting messages [8].
     * After the user’s session times out [9], the NAS will return the user to an unauthorized state and finalize the details of the user’s session with an accounting update [10].


  • 3.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    Posted Jun 23, 2014 12:35 AM

    Thanks tarnold

     

    The normal web login page works as expected - username and password entered and submitted are passed to NAS unmolested.

     

    It is the sponsor receipt page after the sponsor confirms the guest. The input that the NAS receives from clicking the submit button arrives at the NAS with 3s inserted, and then the NAS submits what it gets to the RADIUS server.

     

    the normal login form for guests with accounts already

     

    2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: post input: password=50657397&username=sam%40j.com&Submit2=Submit&url=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: Calling PostFormInput
    2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: POST recognized

     

    2014-06-20 13:16:54 debug   ah_capture: [cgic_verbose]: Submit2=Submit
    2014-06-20 13:16:54 debug   ah_capture: [cgic_verbose]: username=sam@j.com
    2014-06-20 13:16:54 debug   ah_capture: [cgic_verbose]: password=5***

     

    2014-06-20 13:16:54 notice  ah_capture: authentication OK, username sam@j.com, service

     

     

     

     

    for the sponsor receipt page submit for guest self-registered with sponsor approval

     

    2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: post input: username=sam%40j.com&password=3530363537333937&Submit2=Submit&url=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: Calling PostFormInput
    2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: POST recognized
     
    2014-06-20 13:15:29 debug   ah_capture: [cgic_verbose]: Submit2=Submit
    2014-06-20 13:15:29 debug   ah_capture: [cgic_verbose]: password=3***
    2014-06-20 13:15:29 debug   ah_capture: [cgic_verbose]: username=sam@j.com
     
    So if I understand your post, you are saying the NAS is somehow changing the post information?
     
    Because the debug looks like the NAS just passes along what it receives
     
    Cheers
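
Added example, not part of any post in this thread: each 16-character value in the debug output above is the ASCII-hex encoding of the 8-digit password (0x34 is "4", 0x33 is "3", and so on), which is why a 3 appears in front of every digit. The sketch below parses `post input:` lines and flags such values; the function names and the assumption that guest passwords are all digits are mine, and the log lines are taken from the thread with the `url=` field dropped.

```python
import re
from urllib.parse import parse_qs

# Lines from the debug output quoted in this thread (url= field dropped).
SAMPLE_LOG = """\
2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: post input: password=50657397&username=sam%40j.com&Submit2=Submit
2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: post input: username=sam%40j.com&password=3530363537333937&Submit2=Submit
2014-06-23 12:46:20 debug   ah_capture: [cgic_basic]: post input: username=chucka%40d.com&password=3237303339393931&Submit2=Submit
"""

POST_INPUT = re.compile(r"post input: (\S+)")


def hex_decode_if_encoded(value, password_format=r"\d+"):
    """Return the plaintext if value is ASCII-hex of a password, else None.

    An all-digit password is itself valid hex ("43283366" decodes to "C(3f"),
    so the decoded text must also match the expected password format
    (assumption: guest passwords are numeric, as in the thread).
    """
    if len(value) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", value):
        return None
    try:
        text = bytes.fromhex(value).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if re.fullmatch(password_format, text) else None


def analyze(log_text, password_format=r"\d+"):
    """Return (username, submitted_password, decoded_or_None) per POST line."""
    results = []
    for line in log_text.splitlines():
        match = POST_INPUT.search(line)
        if not match:
            continue
        fields = parse_qs(match.group(1), keep_blank_values=True)
        user = fields.get("username", [""])[0]
        submitted = fields.get("password", [""])[0]
        decoded = hex_decode_if_encoded(submitted, password_format)
        results.append((user, submitted, decoded))
    return results


if __name__ == "__main__":
    for user, submitted, decoded in analyze(SAMPLE_LOG):
        state = f"hex-encoded form of {decoded}" if decoded else "sent as entered"
        print(f"{user}: {submitted} -> {state}")
```

A non-None third field means the form posted an encoded password that the NAS then forwarded unchanged to RADIUS.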
     
     
     


  • 4.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    EMPLOYEE
    Posted Jun 23, 2014 12:41 AM

    If you disable Sponsor approval are you getting the same result?



  • 5.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    Posted Jun 23, 2014 12:57 AM

    With sponsor approval disabled

    account gets registered and email sent to sponsor and then screen refreshes with login button on receipt page

    click and auth fails

     

    same result

     

     

    2014-06-23 12:46:20 debug   ah_capture: [cgic_basic]: PostFormInput succeeded
    2014-06-23 12:46:20 debug   ah_capture: [cgic_basic]: post input: username=chucka%40d.com&password=3237303339393931&Submit2=Submit&url=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

     

    2014-06-23 12:46:20 debug   ah_capture: [cgic_verbose]: password=3***
    2014-06-23 12:46:20 debug   ah_capture: [cgic_verbose]: username=chucka@d.com

     

     

     

     

     

     



  • 6.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    EMPLOYEE
    Posted Jun 23, 2014 01:01 AM

    Did you happen to look through this How-To?

     

    I'm not an expert on Aerohive, but I have not seen your issue on any other vendors. @Michael_Clarke did a great job on this and I would look through this guide and double check your settings.

     

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/m-p/149134/highlight/true#M10724

     

     



  • 7.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    EMPLOYEE
    Posted Jun 23, 2014 01:04 AM

    Sorry, I take that back; his how-to was using web login, not sponsor. I still think the issue is in your NAS.



  • 8.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    Posted Jun 23, 2014 01:11 AM

    ok Thanks

     

    yes, I have reviewed the tutorial.

     

    This same sponsor setup worked with CPPM 6.2

     

    I'll keep plugging away until I find the cause.

     

    Cheers and thanks for your time

     



  • 9.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    EMPLOYEE
    Posted Jun 23, 2014 01:14 AM

    Is this an upgrade or a new install?



  • 10.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    Posted Jun 23, 2014 01:20 AM

    This is a new install.

     

    Prior to buying ClearPass we had done testing with 6.2 since we had to integrate with Cisco and Aerohive wireless. I still have the 6.2 servers, but the temp licenses have expired. I will ask my local reseller if I can get a temp license to bring up the old servers. The major difference between then and now, besides 6.2 and 6.3, is I now have valid 3rd party certificates installed.

     

    Cheers



  • 11.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    EMPLOYEE
    Posted Jun 23, 2014 01:24 AM
    OK thank you. I wanted to make sure there were no issues on an upgrade.

    I would also open a TAC case just to double check on the CPPM side. I just looked and didn't see any known bugs on the CPPM side so it would be nice to have confirmation from TAC.


  • 12.  RE: CPPM 6.3 Guest Sponsorship - Radius Failure

    Posted Jun 23, 2014 10:58 PM

    Confirmed works in 6.2

    and doesn't work in 6.3

     

    on the test server I was using mschapv2 and UAM basic instead of chap and cleartext. Also on test server I did not have https enabled.

     

    I configured the ssid and CWP to point to the test server 6.2 and login was successful after sponsor confirmation.

    Used the same settings for the deployment 6.3 server and Auth fails after sponsor confirmation.

     

    It's a conundrum

     

    I managed to get this working.

     

    I had to adjust the NAS settings in the guest self-registration to use secure login with https - no password encryption

     

    on cwp page chap use secure login with https - no password encryption

     

    on the web login use secure login with https - no password encryption

     

    Anyone know why mschapv2 and UAM basic would fail?

     

    Cheers