Contributor II
Posts: 46
Registered: ‎06-19-2015

CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

So currently, we have 3 CPPM servers in a cluster, with two of them in one physical location in an HA VIP configuration. We want to break this HA and send one of those servers to another location and reform the cluster as 3 geo-redundant CPPMs in a single cluster.
We are only using the CPPM for our Guest Self-Registration Portal currently.

First thing I needed to do was to point our Aruba Master controller Server Groups and Captive Portal from what it's set to now ( uschttcpgp00 ) which is the VIP, to the physical Publisher server ( uschttcpgp01 ) Data IP. On the Aruba Master controller, I went to the Radius Servers and chose the one we use for Guest and changed the IP to the IP of the CPGP01 server instead of CPGP00. Then I went to the L3 Authentication Captive Portal page and simply changed the Login page to point to CPGP01 instead of CPGP00.
When I did this and tested, users were never getting sent to the Guest Self-Registration page, instead it would just constantly refresh and nothing would ever happen. In the Access Tracker, I would see the MAC address and it would say Rejected. I have attached the Access Tracker request with the error, but I cannot understand what is going on here. 
I have verified the CPGP01 is a member of the domain and has valid Radius and HTTPS certificates (I saw these in a few earlier posts so I checked first before posting).
When I try to go to the Login Page when I am connected to the company network, it takes me there properly, so it only seems to have an effect on someone who is trying to join our Guest Network. 
But again, if I put it back to the CPGP00 Virtual IP, everything works again. 

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

Did you update any ACLs that might just allow HTTP/HTTPS to the Publisher IP address?

Or are you just whitelisting the VIP ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

Where do I do this at? I just spoke with someone who mentioned the same thing but had to drop off the call before he could tell me more details.

MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

From the GUI you can check in two places:

1- You can find this under Security > User Roles > "YOUR CAPTIVE PORTAL ROLE"

Then check the ACLs under that and see if there's a rule allowing HTTP/HTTPS to the ClearPass server(s). If it is using an alias then you need to update the Advanced Services > Stateful Firewall > Destinations > "ALIAS NAME"

2- Security > Authentication > L3 Authentication > Captive Portal Authentication Profile

See if in the Guest Captive Portal profile there is any whitelist with the ClearPass IP/Names. If it is there then you need to update the Advanced Services > Stateful Firewall > Destinations > "ALIAS NAME"
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 46
Registered: ‎06-19-2015

Re: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

Yes, thank you. This was what was missing. I only had the VIP as a Destination in the firewall. I added the physical IP of the Publisher and now it works. Thank you very much! 
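The check described in this thread can also be run against an exported controller configuration. The script below is an added example, not code from any poster or from Aruba: it assumes the CLI form of the GUI objects discussed (`netdestination`, `ip access-list session`, `user-role`), and every name and address in the sample is a constructed placeholder.

```python
import ipaddress
import re

# Constructed ArubaOS-style config; names and addresses are placeholders.
SAMPLE_CONFIG = """\
netdestination clearpass-guest
  host 192.0.2.10
!
ip access-list session guest-portal-acl
  user alias clearpass-guest svc-https permit
!
user-role guest-logon
  access-list session guest-portal-acl
"""

def parse_sections(config):
    """Group indented lines under their unindented header line."""
    sections, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            current = line.strip()
            sections[current] = []
        elif current:
            sections[current].append(line.strip())
    return sections

def alias_contains(entries, ip):
    """True if a netdestination's host/network entries cover ip."""
    addr = ipaddress.ip_address(ip)
    for entry in entries:
        parts = entry.split()
        if parts[0] == "host" and ipaddress.ip_address(parts[1]) == addr:
            return True
        if parts[0] == "network" and addr in ipaddress.ip_network(f"{parts[1]}/{parts[2]}"):
            return True
    return False

def role_allows_portal(config, role, ip, service="svc-https"):
    """True if a session ACL on the role permits service to an alias covering ip."""
    s = parse_sections(config)
    for ref in s.get(f"user-role {role}", []):
        m = re.match(r"access-list session (\S+)", ref)
        for rule in s.get(f"ip access-list session {m.group(1)}", []) if m else []:
            # Only "user alias <name> <service> permit" rules are considered here.
            r = re.match(rf"user alias (\S+) {re.escape(service)} permit", rule)
            if r and alias_contains(s.get(f"netdestination {r.group(1)}", []), ip):
                return True
    return False
```

With the sample as written, the placeholder VIP address `192.0.2.10` passes and any other server address fails until it is added as a `host` entry in the alias.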
