Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Captive Portal with Firefox

Hi guys,

We have ClearPass implemented for guest access, with captive portal.

I am having some issues using the captive portal with Firefox.

It stays on "connecting..." and the captive portal does not come up.

IE works fine ;(

Firefox is version 29.01

What could be the problem?

Another question:

Where can I see the session timeout values for guests? In ClearPass? I need to adjust the time that a user stays connected to the guest via captive portal.

Regards

Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Re: Captive Portal with Firefox

For Firefox, please check the post here: http://community.arubanetworks.com/t5/ArubaOS-and-Controllers/OCSP-on-Firefox/m-p/11129/highlight/true#M4405

For ClearPass, you need to search the help for MAC caching.



Colin Joseph
Aruba Customer Engineering


Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Captive Portal with Firefox

[ Edited ]

Hi cjoseph,

Solved. Reset Firefox settings and it's working!

Just one more thing: the "prelogon" role is CPG-login.

How can I prevent users who are in this role, before they go to the portal, from having access to log in to the administration page of ClearPass Policy Manager?

 

 

(Aruba7210) #show rights CPG-Login

Derived Role = 'CPG-Login'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 70/0
 Max Sessions = 65535

 Captive Portal profile = Guest_CPPM-cp_prof

access-list List
----------------
Position  Name           Type     Location
--------  ----           ----     --------
1         CP6-web-ACL    session
2         logon-control  session
3         captiveportal  session

CP6-web-ACL
-----------
Priority  Source  Destination     Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------     -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     10.200.102.250  svc-http   permit             Yes           Low                                                                            4
2         any     10.200.102.250  svc-https  permit             Yes           Low                                                                            4
3         any     10.200.102.250  svc-icmp   permit                           Low                                                                            4
logon-control
-------------
Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68    deny                             Low                                                                            4
2         any     any                      svc-dhcp  permit             Yes           Low                                                                            4
3         any     any                      svc-dns   permit             Yes           Low                                                                            4
4         any     any                      svc-natt  permit                           Low                                                                            4
5         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                                            4
6         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                                            4
captiveportal
-------------
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                                            4
2         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                                            4
3         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                                            4
4         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                                            4
5         user    any          svc-http         dst-nat 8080                           Low                                                                            4
6         user    any          svc-https        dst-nat 8081                           Low                                                                            4

 

MVP
Posts: 727
Registered: ‎03-25-2009

Re: Captive Portal with Firefox

That's done on ClearPass, not in your Aruba user role.

Check out /tips » Administration » Server Manager » Server Configuration - <server> - Network tab - Application Access Control.

Here you can limit non-mgmt subnets from accessing the different CPPM resources.

Koen (ACMX #351 | ACDX #547 | ACCP)

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Captive Portal with Firefox

Hi,

Also, how can I force the client to stay connected for more time? For example, iPads, iPhones or Androids connected to the guest via captive portal (ClearPass).

After a while users get asked for credentials again.

Regards

MVP
Posts: 727
Registered: ‎03-25-2009

Re: Captive Portal with Firefox

[ Edited ]

They get presented the logon page asking for their credentials again after the user idle timeout has passed without any activity from the client. By default this is 5 minutes.

So you could just increase this user-idle-timeout, but that is the bad solution. So please don't do this.

The correct (and easy) solution, certainly when you have ClearPass, would be to use MAC authentication.

With MAC authentication the first authentication would still be the user authentication on the captive portal you served them. Later authentications, however, would simply use MAC authentication.

To give you a head start, you can configure guest user authentication (with MAC caching) on ClearPass by using a wizard:

/tips > Configuration » Start Here. At the bottom somewhere you should have a "Guest MAC Authentication" service template. It will help you configure ClearPass to do what I just explained.

On the Aruba side your AAA profile (with pre-logon initial role) will also have to be configured for MAC authentication.

The result will be that all your guest clients will be able to use MAC authentication after the initial logon. If you would like to permit MAC authentication only for smart devices, this is certainly also possible.

This should hopefully get you started. If not, I'm hopeful we'll hear from you again ;)

 

Koen (ACMX #351 | ACDX #547 | ACCP)

Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Captive Portal with Firefox

[ Edited ]

Hi, thanks for helping.

OK, I have configured Guest MAC Authentication on ClearPass.

I have a working guest service and now I also have authentication at the end (see attached). 3 already exists and it's working, and now we have added 8 and 9 after the config that you said.

In the AAA profile I have:

 

#show aaa profile cppm_guest

AAA Profile "cppm_guest"
------------------------
Parameter                           Value
---------                           -----
Initial role                        CPG-Login
MAC Authentication Profile          default
MAC Authentication Default Role     guest
MAC Authentication Server Group     CPPM_SRV
802.1X Authentication Profile       N/A
802.1X Authentication Default Role  guest
802.1X Authentication Server Group  N/A
L2 Authentication Fail Through      Disabled
User idle timeout                   N/A
RADIUS Accounting Server Group      CPPM_SRV
RADIUS Interim Accounting           Enabled
XML API server                      N/A
RFC 3576 server                     10.200.102.250
User derivation rules               N/A
Wired to Wireless Roaming           Enabled
SIP authentication role             N/A
Device Type Classification          Enabled
Enforce DHCP                        Disabled

 

Is this OK?

How can I test and see if the cache is being made?

Regards

MVP
Posts: 727
Registered: ‎03-25-2009

Re: Captive Portal with Firefox

Simply connect to the portal and authenticate. Then kick off this user from the controller (aaa user delete ...).

It may take a minute for Insight to get updated with the new MAC address, though, so you might give it a minute before kicking him off.

It should return immediately by using MAC authentication.

Koen (ACMX #351 | ACDX #547 | ACCP)

Regular Contributor II
Posts: 202
Registered: ‎01-30-2013

Re: Captive Portal with Firefox

Hi,

It goes back again to the portal.

I disconnected the user in the controller. Should I blacklist and then unblock?

The service number 3 in the Word file is the one that is working. Services 8 and 9 work in a pair with 3, correct?

Regards

MVP
Posts: 727
Registered: ‎03-25-2009

Re: Captive Portal with Firefox

[ Edited ]

No need to blacklist. The session just needs to be gone. aaa user delete does the trick.

You do not have a Word doc attached that I can look at, by the way. Oh, there it is.

Guest with MAC caching should be using just 2 services though: one to catch the user auth and cache the MAC address, the second to do the MAC auth.

Services 8 and 9 work in pairs; 3 is no longer required.

I'm guessing service 3 is the standard guest auth service without caching. You want to disable that so the user auth uses your service 9 so it caches the MAC address.

Koen (ACMX #351 | ACDX #547 | ACCP)
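
An added example, not part of any post in this thread and not ClearPass code: a small Python model of the two-service MAC caching flow described above, showing why the reconnect test lands back on the portal while service 3 still handles the user login. Service numbers and role names come from the thread; the first-match service ordering, cache lifetime, client MAC and guest credentials are constructed assumptions.

```python
from dataclasses import dataclass, field

CACHE_LIFETIME = 24 * 3600              # constructed cache lifetime, in seconds
GUESTS = {"visitor": "constructed-pw"}  # constructed guest account

@dataclass
class Service:
    name: str
    kind: str                 # "user" = captive portal login, "mac" = MAC auth
    caches_mac: bool = False
    enabled: bool = True

@dataclass
class PolicyServer:
    services: list
    mac_cache: dict = field(default_factory=dict)   # MAC -> expiry time

    def _first_match(self, kind):
        # Assumption of this model: the first enabled service of the
        # matching type handles the request; later ones are never reached.
        return next((s for s in self.services if s.enabled and s.kind == kind), None)

    def portal_login(self, mac, user, password, now):
        svc = self._first_match("user")
        if svc is None or GUESTS.get(user) != password:
            return "CPG-Login"                      # stays in the initial role
        if svc.caches_mac:
            self.mac_cache[mac] = now + CACHE_LIFETIME
        return "guest"

    def mac_auth(self, mac, now):
        svc = self._first_match("mac")
        if svc is not None and self.mac_cache.get(mac, 0) > now:
            return "guest"
        return "CPG-Login"                          # back to the captive portal

def role_after_reconnect(service3_enabled, reconnect_at=120):
    """Log in on the portal at t=0, drop the session, reconnect via MAC auth."""
    server = PolicyServer([
        Service("3: guest auth, no caching", "user", enabled=service3_enabled),
        Service("8: MAC auth", "mac"),
        Service("9: guest auth with MAC caching", "user", caches_mac=True),
    ])
    mac = "02:00:00:00:00:01"                       # constructed client MAC
    assert server.portal_login(mac, "visitor", "constructed-pw", now=0) == "guest"
    return server.mac_auth(mac, now=reconnect_at)

if __name__ == "__main__":
    print("service 3 enabled: ", role_after_reconnect(True))
    print("service 3 disabled:", role_after_reconnect(False))
```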
