Occasional Contributor II

CPPM 6.3 Guest Sponsorship - Radius Failure

ClearPass Cumulative Patch 3 for 6.3.0, 6.3.1, 6.3.2*+

 

Policy Manager software version : 6.3.3.63748
Policy Manager model number     : CP-VA-5K

 

AP - Aerohive

CWP using https with valid 3rd party certificates


Here is what is happening

guest connects to guest ssid
opens browser and is redirected to ClearPass guest for self registration
Guest picks a sponsor and fills in the required info
sponsor gets email and clicks to enable
guest login button gets enabled
receipt sent to sponsor
guest clicks on the login button and authentication fails

Debug shows that the AP gets a weird password from the submit form:

post input: username=chuck%40n.com&password=3433323833333636

The password should be
43283366

As you can see, the submit form is adding a 3 between every number:

3433323833333636

If the guest uses the regular login form and enters the username and password that was created through the sponsor process then authentication is successful.

I am not sure where to look to stop the submit button from adding the extra 3s


Cheers

 


 

 

Aruba

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

When you click login, it's the NAS device that submits the auth request to CPPM. You can do a packet capture to confirm, but most likely the issue is coming from the NAS doing a RADIUS auth to CPPM. You will need to double-check your settings in the NAS.

 


 

In the standard AAA framework, network access is provided to a user according to the following process:

 * The user connects to the network by associating with a local access point [1].
 * A landing page is displayed to the user [2] which allows them to log in to the NAS [3][4] using the login name and password of their guest account.
 * The NAS authenticates the user with the RADIUS protocol [5].
 * ClearPass Policy Manager determines whether the user is authorized, and, if so, returns vendor-specific attributes [6] that are used to configure the NAS based on the user’s role and other policies [7].
 * If the user’s access is granted, the NAS permits the guest access to the network based on the settings provided by the ClearPass Policy Manager server.
 * The NAS reports details about the user’s session to the ClearPass Policy Manager server using RADIUS accounting messages [8].
 * After the user’s session times out [9], the NAS will return the user to an unauthorized state and finalize the details of the user’s session with an accounting update [10].

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

Thanks tarnold

 

The normal web login page works as expected - username and password entered and submitted are passed to NAS unmolested.

 

It is the sponsor receipt page after the sponsor confirms the guest. The input that the NAS receives from clicking the submit button arrives at the NAS with 3s inserted, and then the NAS submits what it gets to the RADIUS server.

 

The normal login form for guests with accounts already:

 

2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: post input: password=50657397&username=sam%40j.com&Submit2=Submit&url=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: Calling PostFormInput
2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: POST recognized

 

2014-06-20 13:16:54 debug   ah_capture: [cgic_verbose]: Submit2=Submit
2014-06-20 13:16:54 debug   ah_capture: [cgic_verbose]: username=sam@j.com
2014-06-20 13:16:54 debug   ah_capture: [cgic_verbose]: password=5***

 

2014-06-20 13:16:54 notice  ah_capture: authentication OK, username sam@j.com, service

 

 

 

 

For the sponsor receipt page submit for guest self-registered with sponsor approval:

 

2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: post input: username=sam%40j.com&password=3530363537333937&Submit2=Submit&url=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: Calling PostFormInput
2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: POST recognized
 
2014-06-20 13:15:29 debug   ah_capture: [cgic_verbose]: Submit2=Submit
2014-06-20 13:15:29 debug   ah_capture: [cgic_verbose]: password=3***
2014-06-20 13:15:29 debug   ah_capture: [cgic_verbose]: username=sam@j.com
 
So if I understand your post, you are saying the NAS is somehow changing the post information?
 
Because the debug looks like the NAS just passes along what it receives
 
Cheers
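
The values in the failing POSTs are the hexadecimal ASCII codes of the password digits (34 33 32 38 33 33 36 36 is "43283366"), which is why a 3 appears in front of every digit. The following is an added example, not part of the original posts, that scans AP debug output for this pattern; the function names are hypothetical, the sample lines are abridged from the logs quoted above, and numeric guest passwords are assumed.

```python
import re
from urllib.parse import parse_qs

# Abridged from the ah_capture debug lines quoted in the thread (url field dropped).
SAMPLE_LOG = """\
2014-06-20 13:16:54 debug   ah_capture: [cgic_basic]: post input: password=50657397&username=sam%40j.com&Submit2=Submit
2014-06-20 13:15:29 debug   ah_capture: [cgic_basic]: post input: username=sam%40j.com&password=3530363537333937&Submit2=Submit
2014-06-23 12:46:20 debug   ah_capture: [cgic_basic]: post input: username=chucka%40d.com&password=3237303339393931&Submit2=Submit
"""

POST_INPUT = re.compile(r"post input: (\S+)")
HEX_PAIRS = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_hex_digits(value):
    """Return the numeric password hidden in value if value is the hex
    encoding of an all-digit ASCII string, otherwise None.

    Assumption: guest passwords are numeric, as in the thread. Requiring every
    decoded byte to be 0x30-0x39 keeps a plain numeric password such as
    43283366 (also valid hex) from being misreported as encoded.
    """
    if not HEX_PAIRS.fullmatch(value):
        return None
    raw = bytes.fromhex(value)
    return raw.decode("ascii") if raw.isdigit() else None


def analyse(log_text):
    """Return (username, submitted_password, decoded_or_None) per POST line."""
    rows = []
    for line in log_text.splitlines():
        match = POST_INPUT.search(line)
        if not match:
            continue
        form = parse_qs(match.group(1), keep_blank_values=True)
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        rows.append((user, password, decode_hex_digits(password)))
    return rows


if __name__ == "__main__":
    for user, password, decoded in analyse(SAMPLE_LOG):
        state = f"hex of {decoded!r}" if decoded else "sent as typed"
        print(f"{user:15} {password:18} {state}")
```

A decoded value on the receipt-page POST but not on the normal login POST places the encoding in the page that builds the form, before the NAS receives it.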
 
 
 
Aruba

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

If you disable Sponsor approval are you getting the same result?

Thank You,
Troy

Occasional Contributor II

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

With sponsor approval disabled

account gets registered and email sent to sponsor and then screen refreshes with login button on receipt page

click and auth fails

 

same result

 

 

2014-06-23 12:46:20 debug   ah_capture: [cgic_basic]: PostFormInput succeeded
2014-06-23 12:46:20 debug   ah_capture: [cgic_basic]: post input: username=chucka%40d.com&password=3237303339393931&Submit2=Submit&url=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

 

2014-06-23 12:46:20 debug   ah_capture: [cgic_verbose]: password=3***
2014-06-23 12:46:20 debug   ah_capture: [cgic_verbose]: username=chucka@d.com

 

 

 

 

 

 

Aruba

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

Did you happen to look through this How-To?

 

I'm not an expert on Aerohive, but I have not seen your issue on any other vendors. @Michael_Clarke did a great job on this and I would look through this guide and double-check your settings.

 

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Tutorial-Aerohive-Integration-with-Clearpass-corp-and-guest-mhc/m-p/149134/highlight/true#M10724

 

 

Thank You,
Troy

Aruba

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

Sorry, I take that back; his how-to was using web login, not sponsor. I still think the issue is in your NAS.

Thank You,
Troy

Occasional Contributor II

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

ok Thanks

 

yes, I have reviewed the tutorial.

 

This same sponsor setup worked with CPPM 6.2

 

I'll keep plugging away until I find the cause.

 

Cheers and thanks for your time

 

Aruba

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

Is this an upgrade or a new install?

Thank You,
Troy

Occasional Contributor II

Re: CPPM 6.3 Guest Sponsorship - Radius Failure

This is a new install.

 

Prior to buying ClearPass we had done testing with 6.2 since we had to integrate with Cisco and Aerohive wireless. I still have the 6.2 servers, but the temp licenses have expired. I will ask my local reseller if I can get a temp license to bring up the old servers. The major difference between then and now, besides 6.2 and 6.3, is that I now have valid 3rd party certificates installed.

 

Cheers
