Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal with Firefox

  • 1.  Captive Portal with Firefox

    Posted May 22, 2014 04:47 AM

    Hi Guys

     

    We have ClearPass implemented for guest access, with captive portal.

     

    I am having some issues using captive portal with Firefox.

    It stays saying connecting... and the captive portal does not come up.

     

    IE works fine ;(

     

    Firefox is version 29.01

     

    What could be the problem?

     

     

    Another question?

     

    Where can I see the session timeout values for guests? In ClearPass? I need to adjust the time that a user stays connected to the guest via captive portal.

     

    Regards



  • 2.  RE: Captive Portal with Firefox

    EMPLOYEE
    Posted May 22, 2014 05:01 AM

    For Firefox, please check the post here:  http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/OCSP-on-Firefox/m-p/11129/highlight/true#M4405

     

    For ClearPass, you need to search the help for MAC caching.



  • 3.  RE: Captive Portal with Firefox

    Posted May 22, 2014 09:15 AM

    Hi cjoseph,

     

    Solved. Reset Firefox settings and it's working!

     

    Just one more thing: "prelogon" role is CPG-login.

     

    How do I prevent users that are in this role, before going to the portal, from having access to log in to the administration page of ClearPass Policy Manager?

     

     

    (Aruba7210) #show rights CPG-Login

    Derived Role = 'CPG-Login'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 70/0
     Max Sessions = 65535

     Captive Portal profile = Guest_CPPM-cp_prof

    access-list List
    ----------------
    Position  Name           Type     Location
    --------  ----           ----     --------
    1         CP6-web-ACL    session
    2         logon-control  session
    3         captiveportal  session

    CP6-web-ACL
    -----------
    Priority  Source  Destination     Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------     -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         any     10.200.102.250  svc-http   permit             Yes           Low                                                                            4
    2         any     10.200.102.250  svc-https  permit             Yes           Low                                                                            4
    3         any     10.200.102.250  svc-icmp   permit                           Low                                                                            4
    logon-control
    -------------
    Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any                      udp 68    deny                             Low                                                                            4
    2         any     any                      svc-dhcp  permit             Yes           Low                                                                            4
    3         any     any                      svc-dns   permit             Yes           Low                                                                            4
    4         any     any                      svc-natt  permit                           Low                                                                            4
    5         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                                            4
    6         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                                            4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                                            4
    2         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                                            4
    3         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                                            4
    4         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                                            4
    5         user    any          svc-http         dst-nat 8080                           Low                                                                            4
    6         user    any          svc-https        dst-nat 8081                           Low                                                                            4

     



  • 4.  RE: Captive Portal with Firefox
    Best Answer

    MVP
    Posted May 22, 2014 10:26 AM

    That's done on ClearPass, not in your aruba-user-role.

    Check out /tips » Administration » Server Manager » Server Configuration - <server> - network tab - Application Access Control.

    Here you can limit non-mgmt subnets from accessing the different CPPM resources.



  • 5.  RE: Captive Portal with Firefox

    Posted May 22, 2014 11:31 AM

    Hi

     

    Also, how can I force the client to stay connected for more time? For example, iPads, iPhones or Androids connected to the guest via captive portal (ClearPass).

    After a while users get asked for credentials again.

     

    Regards



  • 6.  RE: Captive Portal with Firefox

    MVP
    Posted May 22, 2014 11:48 AM

    They get presented the logon page asking for their credentials again after the user idle timeout has passed without any activity from the client. By default this is 5 minutes.

    So you could just increase this user-idle-timeout but that is the bad solution. So please don't do this.

     

    The correct (and easy) solution, certainly when you have ClearPass, would be to use MAC authentication.

    With MAC authentication the first authentication would still be the user authentication on the captive portal you served them. Later authentications however would simply use MAC authentication.

     

    To give you a head start, you can configure guest user authentication (with MAC caching) on ClearPass by using a wizard:

    /tips > Configuration » Start Here. At the bottom somewhere you should have a "Guest MAC Authentication" service template. It will help you configure ClearPass to do what I just explained.

     

    On the Aruba side your AAA profile (with pre-logon initial role) will also have to be configured for mac-authentication.

    The result will be that all your guest clients will be able to use mac-authentication after the initial logon. If you would like to permit mac-authentication only for smart devices, this is certainly also possible.

    This should hopefully get you started. If not, I'm hopeful we'll hear from you again ;)

     



  • 7.  RE: Captive Portal with Firefox

    Posted May 22, 2014 12:17 PM

    Hi, thanks for helping.

    OK, I have configured Guest MAC authentication on ClearPass.

    I have a working guest service and now I also have authentication at the end (see attached). 3 already exists and it's working, and now we have added 8 and 9 after the config that you said.

    In the AAA profile I have:

     

    #show aaa profile cppm_guest

    AAA Profile "cppm_guest"
    ------------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        CPG-Login
    MAC Authentication Profile          default
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     CPPM_SRV
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    L2 Authentication Fail Through      Disabled
    User idle timeout                   N/A
    RADIUS Accounting Server Group      CPPM_SRV
    RADIUS Interim Accounting           Enabled
    XML API server                      N/A
    RFC 3576 server                     10.200.102.250
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled
    Enforce DHCP                        Disabled

     

    Is this OK?

    How can I test and see if the cache is being made?

     

    Regards




  • 8.  RE: Captive Portal with Firefox

    MVP
    Posted May 22, 2014 12:21 PM

    Simply connect to the portal and authenticate. Then kick off this user from the controller (aaa user delete ...).

    It may take a minute for Insight to get updated with the new MAC address though, so you might give it a minute before kicking him off.

    It should return immediately by using mac-authentication.



  • 9.  RE: Captive Portal with Firefox

    Posted May 22, 2014 12:34 PM

    Hi,

     

    It goes back again to the portal.

    I disconnected the user in the controller. Should I blacklist and then unblock?

    The service number 3 in the Word file is the one that is working. Services 8 and 9 work in pair with the 3, correct?

     

    Regards



  • 10.  RE: Captive Portal with Firefox

    MVP
    Posted May 22, 2014 12:37 PM

    No need to blacklist. The session just needs to be gone. aaa user delete does the trick.

    You do not have a Word doc attached that I can look at by the way. Oh, there it is.

    Guest with MAC caching should be using just 2 services though: one to catch the user auth and cache the MAC address, the second to do the mac-auth.

    Service 8 and 9 work in pairs, 3 is no longer required.

    I'm guessing service 3 is the standard guest auth service without caching. You want to disable that so the user auth uses your service 9 so it caches the MAC address.
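
The service-ordering problem discussed in this thread, as an added example that is not part of any post and is not ClearPass code: a simplified Python model that assumes services are evaluated top-down with the first enabled match winning. The class names, the constructed MAC address and the returned role strings (taken from the AAA profile shown above) are illustrative assumptions.

```python
from dataclasses import dataclass, field

CACHE_TTL = 24 * 3600  # assumption: the 1-day cache limit mentioned in the thread

@dataclass
class Service:
    name: str
    auth_type: str            # "webauth" (portal login) or "mac"
    caches_mac: bool = False  # does a successful login store the MAC?
    enabled: bool = True

@dataclass
class PolicyServer:
    services: list                             # ordered list, first match wins
    cache: dict = field(default_factory=dict)  # mac -> expiry (seconds)

    def match(self, auth_type):
        for svc in self.services:
            if svc.enabled and svc.auth_type == auth_type:
                return svc
        return None

    def portal_login(self, mac, now):
        svc = self.match("webauth")
        if svc and svc.caches_mac:
            self.cache[mac] = now + CACHE_TTL
        return svc.name if svc else None

    def mac_auth(self, mac, now):
        svc = self.match("mac")
        if svc and self.cache.get(mac, 0) > now:
            return "guest"      # MAC Authentication Default Role in the AAA profile
        return "CPG-Login"      # initial role, so the portal is shown again

def build(service3_enabled):
    # Order mirrors the thread: 3 sits above the template-created 8 and 9.
    return PolicyServer([
        Service("3 guest auth (no caching)", "webauth", enabled=service3_enabled),
        Service("8 MAC authentication", "mac"),
        Service("9 guest access with MAC caching", "webauth", caches_mac=True),
    ])

def reconnect_role(service3_enabled, seconds_later=60):
    """Log in on the portal, drop the session, reconnect via MAC auth."""
    srv = build(service3_enabled)
    mac = "02:00:00:00:00:01"  # constructed sample address
    srv.portal_login(mac, now=0)
    return srv.mac_auth(mac, now=seconds_later)

if __name__ == "__main__":
    print("service 3 enabled :", reconnect_role(True))
    print("service 3 disabled:", reconnect_role(False))
    print("after cache expiry:", reconnect_role(False, 25 * 3600))
```

With service 3 enabled the portal login never reaches the caching service, so the reconnect lands back in the pre-logon role.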



  • 11.  RE: Captive Portal with Firefox

    Posted May 22, 2014 12:42 PM

    Hi,

    OK, now we are in sync :)

    I was just saying that before I had a "working" guest service on number 3.

    After I created Guest MAC authentication, those two services that you talk about appeared.

    I am afraid that my guest is using the first service that I created and not this one from MAC...

     

    Same as your point of view ;)

     




  • 12.  RE: Captive Portal with Firefox

    MVP
    Posted May 22, 2014 12:49 PM

    For testing you could simply click the green dot to the right of service 3.

    This will disable it so it isn't used anymore but is still easily re-enabled if needed.

    Or just move service 9 above service 3 to cancel it out.

    Of course if that is a production network, take care.



  • 13.  RE: Captive Portal with Firefox

    Posted May 22, 2014 12:53 PM

    Yes,

     

    Production network ;)

     

    I tested by disabling the guest #3 service and it bypasses the captive portal (first time it should go there), since I put limits for cache for 1 day ;)

     

    Missing something...

     

           


  • 14.  RE: Captive Portal with Firefox

    MVP
    Posted May 22, 2014 01:06 PM

    Then the fun begins.

     

    Where did it go wrong?

    Did your user auth hit service 9 correctly?

    After kicking it off, did the mac auth hit service 8 correctly?

    Was a service matched at all? Really needs more info if you want help here.

     

    For testing on a production network, I propose creating a test SSID and testing with that. Add Radius:aruba aruba-essid equals yourtestssid as a condition to your service rules and nothing will match your rules unless it comes from that test SSID. This means you can put those services near the top. Easier to test that way.

     



  • 15.  RE: Captive Portal with Firefox

    Posted May 22, 2014 01:30 PM

    Ok..

     

    Seems to be working.

     

    1. Disable service 3

     

    2. Connect to guest and it goes to service 9 GuestMNE MAC-authentication Guest Access With MAC Caching

    3. The captive portal appears

    4. Kick off user

    5. User goes OK to 8 ;)

     

    Thanks for help



  • 16.  RE: Captive Portal with Firefox

    MVP
    Posted May 22, 2014 03:57 PM

    @beconnect wrote:

    Thanks for help


    Welcome! Just repaying for all the help I get from here anyway ;)