Security

Reply
Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Cisco Wired Guest Webauth Service Question

Hi:

I'm trying to get wired captive portal guest access working with a Cisco switch.

I realize this needs two services. The initial mac-auth service is working fine... returning the redirect-url and redirect-url-acl to the switch.

 

But I'm having problems with the captive portal.

We are browsing to http://<clearpassIP>/guest/ciscowiredguest.php?mac=11:22:33:44:55:66, and that brings up the login form.

But when I enter a known guest account and click submit, Access Tracker shows a REJECT. The message is: "Failed to classify request to service" The autentication attempt comes in with just the user name - no other info.

 

I have an active service of type "Web-based Authentication" and the rule is:

Host - Checktype - MATCHES_ANY - Authentication.

 

Is there some other rule I need to make this work?

Is there a special configuration needed for the captive portal login page?

Am I correct in understanding that the switch is not involved in this part of the transaction (until it succeeds, of course, at which point it gets a CoA Terminate session)?

 

Thanks.

 

 

MVP
Posts: 4,238
Registered: ‎07-20-2011

Re: Cisco Wired Guest Webauth Service Question

How do you have your Captive Portal Page login method configured ?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Cisco Wired Guest Webauth Service Question

I've tried several different options...

right now it's set to:

Vendor Settings: Cisco Systems

Login method: Server Initiated - Change of Authorization (RFC 3576) sent to controller.

 

What should it be set to?

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Cisco Wired Guest Webauth Service Question

That is correct. Do you have a WEBAUTH service?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Cisco Wired Guest Webauth Service Question

Yes.

Here's a screenshot of how it's configured.

Guru Elite
Posts: 8,337
Registered: ‎09-08-2010

Re: Cisco Wired Guest Webauth Service Question

Hm, definitely should be matching that.

Please post a few screenshots of the access tracker request tabs.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 38
Registered: ‎03-30-2016

Re: Cisco Wired Guest Webauth Service Question

Thanks for all your help.

 

I found the Webauth service problems: I had inadvertantly selected a Pre-Auth-Check parameter in the guest login page.

Once I set that to "None-no extra checks will be made," the webauth service is being hit successfully.

 

Thank you.

Search Airheads
Showing results for 
Search instead for 
Did you mean: