Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Captive Portal on CPPM

[ Edited ]

Using AOS 6.3.1.3 and CPPM 6.3.0.60730. Finally have CP through CPPM working with AD for user auth. New issue is this:

NAS Login
Options controlling logging into a NAS for self-registered guests.

Enabled: Enable guest login to a Network Access Server
*Vendor Settings: Select a predefined group of settings suitable for standard network configurations.
Login Method: Select how the user’s network login will be handled. Server-initiated logins require the user’s MAC address to be available, usually from the captive portal redirection process.
*IP Address: Enter the IP address or hostname of the vendor’s product here.
Secure Login: Select a security option to apply to the web login process.
Dynamic Address: The controller will send the IP to submit credentials. In multi-controller deployments, it is often required to post credentials to different addresses made available as part of the original redirection. The address above will be used whenever the parameter is not available or fails the requirements below.
Security Hash: Select the level of checking to apply to URL parameters passed to the web login page. Use this option to detect when URL parameters have been modified by the user, for example their MAC address.

I have the enable login to NAS checked but it requires me to have them authenticate at *IP address (currently place.network.com as placeholder). Question is: Why do I have to do this?

If I disable this section then the login page for the CP is disabled.

I cannot figure out what to do next. I don't have a target I can send it to that works and I don't even need this 2nd authentication but it is required.

What's the logic here that I'm missing? Aruba documents are less than helpful at this time.

**edit**

The *IP address defaults to securelogin.arubanetworks.com (if that helps ring a bell in someone's mind)
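
The Security Hash option in the form above checks whether URL parameters such as the MAC address were modified on their way to the web login page. The following is an added illustration, not part of the thread and not ClearPass's own hash construction: a generic HMAC-SHA256 check over redirect parameters, where the parameter names, the `digest` field and the shared secret are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

SECRET = b"constructed-demo-secret"  # assumption: secret shared by NAS and portal
SIG = "digest"                       # hypothetical name of the hash parameter


def _tag(pairs, secret):
    # Sort first so the digest does not depend on parameter order.
    msg = urlencode(sorted(pairs)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_query(params, secret=SECRET):
    """NAS side: append a digest computed over every redirect parameter."""
    pairs = list(params.items())
    return urlencode(pairs + [(SIG, _tag(pairs, secret))])


def verify_query(query, secret=SECRET):
    """Portal side: return the parameters if intact, else raise ValueError."""
    pairs = parse_qsl(query, keep_blank_values=True)
    tags = [v for k, v in pairs if k == SIG]
    data = [(k, v) for k, v in pairs if k != SIG]
    if len(tags) != 1:
        raise ValueError("missing or repeated digest")
    names = [k for k, _ in data]
    if len(names) != len(set(names)):
        raise ValueError("repeated parameter")  # no first-vs-last ambiguity
    if not hmac.compare_digest(_tag(data, secret).encode(), tags[0].encode()):
        raise ValueError("URL parameters were modified")
    return dict(data)


def is_intact(query):
    try:
        verify_query(query)
        return True
    except ValueError:
        return False


# Constructed sample redirect parameters (not taken from the thread).
SAMPLE = {"mac": "00:11:22:33:44:55", "ip": "10.0.0.25", "url": "http://example.com/"}
SIGNED = sign_query(SAMPLE)
TAMPERED = SIGNED.replace("44%3A55", "44%3A66")  # user edits their MAC address
UNSIGNED = SIGNED.split("&" + SIG + "=")[0]      # digest stripped entirely
```
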

MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Captive Portal on CPPM

This is part of the post-authentication process; this diagram explains it very well:

[Image: ClearPass Guest - Self-Registration Sequence Diagram]

If you want to use another name instead of https://securelogin.arubanetworks.com, you will need to upload a new cert with the CN equal to the name you would like to see and then configure it as the captive portal certificate.

https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/How-to-configure-ClearPass-Guest-Amigopod-web-login-when-using-an-Aruba-controller-with-a-wildcard-SSL-certificate

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: Captive Portal on CPPM

[ Edited ]

Here is where I'm at currently:

I figured out why they have the securelogin.arubanetworks.com. I thought the pop-up window was the result of this but it is not. The logout pop-up window causes issues so I had to turn it off for now. I suspect that might be an ACL issue.

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/welcome-page-continuing-to-original-web-page-after-login/m-p/146482#M10457

I have done all of the steps in the solution posted above but it just keeps trying to redirect in a continuous loop to the original destination. Has the Aruba-CPPM solution changed since that workaround was posted?

Frequent Contributor II
Posts: 110
Registered: ‎12-07-2007

Re: Captive Portal on CPPM

Using this information, http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/welcome-page-continuing-to-original-web-page-after-login/m-p/146482#M10457, I have discovered the issue. When {dump var=$extra_fields export=html} is added to the welcome page, it comes up blank. It seems the welcome page doesn't know those variables? Only the login page has access to them?

This is the command I'm using (appears to match the document 100%):

</h2><meta http-equiv="refresh" content="5;
URL={$extra_fields.url|escape}">
<p>
Redirecting you to {$extra_fields.url|escape}, please wait...
</p>
