Contributor I

CPPM Guest with Cisco WLC CoA Issues

I've been having a tough time getting all the bugs worked out of a CPPM/Cisco WLC CoA setup. I had 'controller-initiated' redirect working, but wanted to change to 'server-initiated' to get the redirect from CPPM for more flexibility. I finally have it pretty much working, except for one hiccup I'm having with the auth sequence.

 

I have the MAC caching service working; when a client is unknown it sends the redirect URL to CPPM Guest, where I have a simple click-through page that authenticates the user as an anonymous guest. The weirdness comes after this: after the webauth sends a CoA to reauthenticate or bounce the user, the MAC cache service is failing to map the role as MAC Cache, and performs another CoA URL redirect. The client gets redirected a second time to the guest portal. Now, if I click through the portal a second time, nothing else changes, THEN the MAC cache service applies the correct role and allows the connection. Or, if I have profiling enabled on the service, it performs the first auth, does a CoA bounce, and performs the second auth correctly again with the user still sitting at the redirect portal. I just can't figure out why the first service hit after the webauth isn't matching the rules and allowing the connection. I have put a 10 sec delay in the login page hoping that would help in case it didn't have enough time to update the endpoint records, but no change. Any ideas?

 

On a somewhat related note, after the webauth, why isn't the client redirected back to their original URL? Now I have it set up to redirect to the canned 'you are now connected' page, but I'd like them to redirect to their original destination. I've found the technote for this but it only applies to Aruba WLCs, not Cisco apparently.

 

Thanks. 

 

Attachments: Capture1.PNG, Capture2.PNG, Capture3.PNG, Capture4.PNG, Capture5.PNG

Guru Elite

Re: CPPM Guest with Cisco WLC CoA Issues

Did you check the endpoint and ensure that it was stamped with a MAC Auth Expiry and Guest Role ID?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CPPM Guest with Cisco WLC CoA Issues

So that is the issue, however I can't figure out why. The Webauth service stamps the endpoint details, as seen in the output, then bounces the user. Immediately after that the user re-auths, but the details are not visible. After performing a second, identical webauth (or just bouncing the port again), the endpoint details DO show.

 

Attachments: Capture1.PNG, Capture2.PNG, Capture3.PNG

Guru Elite

Re: CPPM Guest with Cisco WLC CoA Issues

Did you add [Time Source] as an additional authorization source?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CPPM Guest with Cisco WLC CoA Issues

Yes, Time Source is in the MAC Auth service, but not in the Webauth service (no authorizations there)

Guru Elite

Re: CPPM Guest with Cisco WLC CoA Issues

You need it in both since you're using the variable to stamp the endpoint.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CPPM Guest with Cisco WLC CoA Issues

OK, I see that helped a little, but same issue. The 'MAC auth expiry' now shows a correct date/time (rather than the variable name), but it had no impact on the auth issue. First re-auth still missing the endpoint details, second re-auth has them and completes as expected. I also ensured that the Webauth service has Endpoints and Guest User authorization sources as well just in case.

Guru Elite

Re: CPPM Guest with Cisco WLC CoA Issues

Did you configure the CoA delay in ClearPass?

 

Also, what was the reason for switching to server-initiated?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CPPM Guest with Cisco WLC CoA Issues

CoA delay under 'server properties' is at default, 2 sec. I saw reference somewhere to changing that to 0, but no explanation why?

 

I changed to server-initiated to mirror the setup necessary for Wired Guest (CoA redirect from Cisco wired switches), as well as being able to control the redirect-url dynamically rather than statically set on the WLC SSID. Unfortunately there isn't a complete set of documentation for doing server-initiated CoA with a Cisco WLC; I've only found bits and pieces of information on the community.

 

Another issue I'm just noticing is that in my auth sequence, the guest user is never falling through to the 'Guest User Auth' service. It's just hitting the MAC Auth service twice, and authenticating as a MAC auth. Looks like the issue is that the WLC is sending RADIUS:IETF:User-Name as the MAC address every time, so it always matches the MAC Auth rule. The User Auth rule is looking for MACAddress NOT EQUALS RADIUS:User-Name. I just tried adding an attribute to the web-auth rule to send username back to the WLC, but it's not helping. On the services, instead of watching for RADIUS:User-Name, should I change it to Endpoint:Username or something?

 

This might relate to something else I've seen, discussion on sending a username back to an Aruba WLC from CPPM, but again, doesn't seem that Cisco supports that?
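The two checks this thread turns on can be modelled in a few lines: the MAC-cache decision (earlier post: the endpoint only carries a usable 'MAC auth expiry' once [Time Source] is an authorization source, otherwise the unresolved variable name is written instead of a date) and the service-classification rule (post above: a Cisco WLC sends RADIUS:IETF:User-Name as the MAC, so "User-Name equals client MAC" must compare normalized MAC formats). The following is an added illustration, not code from the thread or from ClearPass; the dictionary keys used as attribute names, the `[GUEST_ROLE_ID]` placeholder, the unresolved-variable placeholder string, the 8-hour cache lifetime and the clock value are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# MAC formats seen on the wire: aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff,
# aabb.ccdd.eeff (Cisco style) and aabbccddeeff (what a WLC tends to put in User-Name).
MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$|^[0-9a-f]{12}$",
    re.IGNORECASE,
)

def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    v = value.strip().lower()
    if not MAC_RE.match(v):
        return None
    return re.sub(r"[^0-9a-f]", "", v)

def username_is_mac(request):
    """The thread's service rule: does RADIUS:IETF:User-Name equal the client MAC?
    Both sides are normalized first so 'AA-BB-CC-DD-EE-FF' and 'aabbccddeeff' compare equal."""
    mac = normalize_mac(request["Connection:Client-Mac-Address"])   # assumed attribute key
    user = normalize_mac(request["RADIUS:IETF:User-Name"])
    return mac is not None and user == mac

def classify_service(request):
    """MAC-as-username goes to MAC Auth; anything else falls through to Guest User Auth."""
    return "MAC Auth" if username_is_mac(request) else "Guest User Auth"

def stamp_endpoint(endpoints, mac, guest_role_id, expiry):
    """Model of what the Webauth service does after the click-through: write
    MAC Auth Expiry and Guest Role ID onto the endpoint record. `expiry` should be a
    datetime; when [Time Source] is missing from the service, the literal variable
    name gets written instead (the symptom described in the thread)."""
    endpoints[normalize_mac(mac)] = {"MAC Auth Expiry": expiry, "Guest Role ID": guest_role_id}

def mac_cache_decision(endpoints, request, now):
    """MAC Auth service enforcement: ('allow', role) only if the endpoint carries a
    parsable, unexpired MAC Auth Expiry; otherwise ('redirect', None) to the portal."""
    ep = endpoints.get(normalize_mac(request["Connection:Client-Mac-Address"]))
    if ep is None:
        return ("redirect", None)          # never stamped: unknown client
    expiry = ep.get("MAC Auth Expiry")
    if not isinstance(expiry, datetime):
        return ("redirect", None)          # unresolved variable name, not a date
    if expiry <= now:
        return ("redirect", None)          # cache expired
    return ("allow", ep["Guest Role ID"])

def walkthrough():
    """Constructed run of the sequence from the thread; returns the four decisions."""
    now = datetime(2016, 1, 1, 12, 0, tzinfo=timezone.utc)           # constructed clock
    endpoints = {}
    req = {"Connection:Client-Mac-Address": "00-11-22-33-44-55",      # constructed request
           "RADIUS:IETF:User-Name": "001122334455"}
    mac = req["Connection:Client-Mac-Address"]
    results = [mac_cache_decision(endpoints, req, now)]              # unknown -> redirect
    stamp_endpoint(endpoints, mac, "[GUEST_ROLE_ID]", "%{UNRESOLVED-TIME-VARIABLE}")
    results.append(mac_cache_decision(endpoints, req, now))          # bad stamp -> redirect
    stamp_endpoint(endpoints, mac, "[GUEST_ROLE_ID]", now + timedelta(hours=8))
    results.append(mac_cache_decision(endpoints, req, now))          # good stamp -> allow
    results.append(mac_cache_decision(endpoints, req, now + timedelta(hours=9)))  # expired
    return results

if __name__ == "__main__":
    for decision in walkthrough():
        print(decision)
```

The walkthrough makes the two failure modes from the thread visible side by side: an endpoint stamped with an unresolved variable is treated exactly like an unknown client, and a username that is the MAC in any of the four formats is still classified as MAC Auth, which is why a rule written as "MACAddress NOT EQUALS User-Name" never lets a Cisco WLC client reach the Guest User Auth service.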

 

 

Guru Elite

Re: CPPM Guest with Cisco WLC CoA Issues

It's very difficult to troubleshoot this via a forum. Have you reached out to your Aruba ClearPass partner? 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480