Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clear Pass integrate with Cisco WLC

  • 1.  Clear Pass integrate with Cisco WLC

    Posted Feb 22, 2014 11:51 PM

    Hi,

    I am trying to deploy ClearPass with a Cisco WLC, so that when a user connects to the Wi-Fi, they are redirected to the ClearPass captive portal for authentication.

       - ClearPass IP address: 192.168.1.210/23

       - Cisco WLC IP address: 192.168.0.56/23

       - GW: 192.168.0.1/23

    When I connect to the Wi-Fi and try to access google.com, it redirects to the ClearPass captive portal; however, after a successful login it does not redirect to google.com, it redirects to the Cisco WLC IP address, and I cannot browse any website. When I try to access google.com again, it redirects to the ClearPass captive portal again and again, in a loop.

    The settings for the Cisco WLC and ClearPass are in the attachment.

    Thanks a lot for your help.

    Kevin



  • 2.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 03:16 AM

    Hi,

    I DropBoxed a folder with important info for you. (Link at the bottom of this post)

    Please download and read a bit.

    Here is the link: (might contain duplicate docs, but important and helpful info)

    https://www.dropbox.com/sh/ofjoxg394v9f9tg/eTkB1DEVV8

    Let us know if you figure out where your misconfiguration is.

    Have a great day.

    me



  • 3.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 04:52 AM

    Hi kdisc98,

    The document is for Aruba Wireless integrating with ClearPass, but in my scenario it uses a Cisco Wireless Controller 2504 instead of an Aruba Wireless Controller. And for the part shown in the attachment, I'm not sure which IP address I need to specify: if I put the ClearPass IP address, it redirects to the ClearPass welcome page after the guest logs in successfully, not to google.com as I typed in the browser. If I put the Cisco WLC IP address, it cannot browse to any web page although the guest login is successful.

    Regards,

    kevin



  • 4.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 05:04 AM

    Please read here: (those are CPPM to Cisco docs)

    https://www.dropbox.com/s/0vjcivcxmc5xe0f/Cisco%20Switch%20Setup%20with%20CPPM-v1.2.pdf

    You need to configure more things (not only the Guest portal).

     




  • 6.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 05:08 AM
    Can you please send your Access Tracker logs (are there any errors after you try to log in via the captive portal?)


  • 7.  RE: Clear Pass integrate with Cisco WLC

    Posted Mar 10, 2017 11:06 AM

    please help to resend the link :)



  • 8.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 08:58 PM
    The service that you have in your attachments is for MAC auth. Do you have the service for web-auth? What version of CPPM do you have?


  • 9.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 10:04 PM

    Hi kdisc98,

    The Access Tracker logs display nothing.

    Hi sdr53,

    Can you tell me what service I need to configure for the Cisco WLC authentication shown in the attachment? Before this I tried the 802.1X Wireless service, but the error was still the same as I mentioned above. Now I'm using ClearPass Policy Manager version 6.3.0.60730.

    Thanks

    Kevin



  • 10.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 23, 2014 10:23 PM
    Is this for an open authentication network with MAC caching?

    You can just use the generic RADIUS type. Then use the service rules so that they are RADIUS NAD IP address = IP address of the controller.

    Then, if you do MAC caching, you need a service that will check the MAC address. I think you had that service posted in the original post.

    PS: you might want to upgrade to 6.2.4. You can then have central web-auth (like Cisco ISE).


  • 11.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 24, 2014 11:12 AM

    Hi sdr53,

    So is the configuration in the attachment correct?

    Now the version of CPPM is 6.3.0.60730, so when you say I need to upgrade to 6.2.4, is that a downgrade or an upgrade?



  • 12.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 24, 2014 09:40 PM
    OK, that's good. Yes, that is your MAC auth service. You'll need to make a web authentication service to do CWA. Then build the guest self-registration out in ClearPass Guest. Once that is complete, your enforcement policy should be built out.

    You will need an enforcement policy that includes the URL of your guest registration, and apply the ACL for redirection.

    This is pretty basic; not sure if your SE can assist you better than I can. I


  • 13.  RE: Clear Pass integrate with Cisco WLC
    Best Answer

    Posted Feb 26, 2014 04:01 AM

    Hello Kevin

    Many different solutions here, and I'm sure you're just as confused as when you started.

    These are two decent ways of implementing Guest access:

     * Controller initiated - this is the most normal use case; authentication is done by your client doing an HTTP POST towards the login.html of the Controller. Works on all Aruba WLCs and all Cisco WLCs except the 3850/5760 using IOS XE.

     * Server initiated - this involves MAC authentication and RADIUS CoA and is quite confusing to implement. The documents listed in the previous post regarding wired Cisco are all about this, but they are not complete, so try the first method before trying this. This method is a requirement for Cisco WLCs using IOS XE (3850/5760).

    Controller initiated works more or less right out of the box with ClearPass when using a Cisco 2504 WLC on 7.6.x:

     * Click Configuration - Start here

     * Select the Guest Access template, go through and fill in the variables. Save.

    Make sure this new template is above the old ones you've created.

    Since you're using self-registration there is no need for a pre-auth (webauth) service, but with a normal web login you have a RADIUS or local pre-auth and need to create a service for this.

     * Click Configuration - Start here

     * Select the Guest Access Web Login template, go through and fill in the variables. Save.

     * Move this template above the other Guest template just to keep things clean.

    In Guest:

    • Under Authentication change the NAS Type to Cisco Systems (RFC3756 support)
    • In the login use 

    For the Cisco setup you should just google for "cisco wlc external web auth" and find the multiple guides that exist out there (not CWA, as this uses CoA and MAC auth). You can follow a guide using Cisco ISE.

    On the Cisco:

    * Create your pre-auth ACL "web_auth" (Security - Access Control Lists) more or less like this:

    • Permit 0.0.0.0/0 -> 192.168.1.210/23
    • Permit 192.168.1.210/23 -> 0.0.0.0/0

    Define your AAA servers:

    * Security - RADIUS - Authentication

    • Call Station Type: "System MAC address"
    • MAC Delimiter: "Colon"
    • Add 192.168.1.210 with the shared secret and RFC 3576 enabled

    * Security - RADIUS - Accounting

    • Add 192.168.1.210 with MAC delimiter "Colon"

    Create your WLAN and edit the SSID to your liking; select the appropriate interface.

    Edit the NAS-ID to something if you want to use that in the CPPM Service later.

    * Security

    • Layer 2 - none
    • Layer 3 - Web Policy (authentication), preauth ACL = "web_auth"
    • Enable "override global config" - External (= redirect to external server)
      • URL = Input your ClearPass redirect URL here
    • AAA servers, server 1: 192.168.1.210 (Auth and Acc)

    * Advanced

    • DHCP addr. assignment required

    Try it out and let us know how it turns out.



  • 14.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 27, 2014 09:10 PM

    Hi sdr35 and jsolb,

    It works now. The problem was that I had changed the IP address from 1.1.1.1 to the Cisco WLC IP address, so after a successful login it did not redirect to the Internet.

    Thank you so much for your help ^ ^



  • 15.  RE: Clear Pass integrate with Cisco WLC

    Posted Feb 27, 2014 09:28 PM
    What are your alerts in Access Tracker?

    If you have nothing in Access Tracker, make sure you have HTTPS enabled on the controller or set ClearPass to use HTTP (clear text).

    You should use 1.1.1.1 (or whatever you have set as the virtual IP).


  • 16.  RE: Clear Pass integrate with Cisco WLC

    Posted Mar 06, 2014 10:27 PM

    Hi,

    I face this issue: after a user connects to the SSID, by default they are redirected to the ClearPass captive portal. However, they are redirected to the Cisco WLC virtual IP address first (1.1.1.1), and only after the user clicks "Proceed anyway" in the Chrome browser does it redirect to the ClearPass captive portal web page. After a successful login, it shows the WLC "login successful" web page for a while and then it disappears. So how can we configure it to redirect to the ClearPass IP first, without going to the Cisco WLC, and how can we configure the user logout page?

    Thanks



  • 17.  RE: Clear Pass integrate with Cisco WLC

    Posted Mar 07, 2014 04:42 AM

    Hello Kevin

    Thought you had this fixed?

    So you're saying this is the current flow:

    1. User connects to Guest-ssid

    2. Tries to browse and is redirected to 1.1.1.1 (Cisco) and here gets a certificate error

    3. User clicks continue, and is then redirected to the CP on ClearPass

    4. Logs in on the ClearPass Captive Portal, is redirected to the login page on the WLC and stops there.

    Try to do this using only HTTP first, just to eliminate any HTTPS nasties that usually follow in the initial setup process. I think that is why you see the error message on nr 2. You will need a valid SSL certificate installed on ClearPass that matches the FQDN you are redirected to, or just leave it on HTTP.

     -> Go to Guest / Configuration / Authentication - remove the checkbox for "Require HTTPS for guest access"

    On the WLC you will need to manually input the page you want to be redirected to after successful login. In the 7.x GUI you do this in the same place where you input the External redirect login page:

     Security > Web Auth > Web Login Page

    Change the "Redirect URL after login" to the page you want to redirect the users to by default. I don't know a way to let them get to their initial URL on Cisco.

    In this place you also define the logout page.

    As a reference you could just find a guide that uses Cisco ISE and a Cisco WLC and do normal webauth (not CWA/MAB). That should get you to where you need to be. The config on ClearPass seems to be correct on your part.

    This might give you some more pointers on the WLC side of the configuration:

    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html



  • 18.  RE: Clear Pass integrate with Cisco WLC

    Posted Mar 17, 2014 06:34 AM

    Hi jsolb,

    I've followed your instruction -> Go to Guest / Configuration / Authentication - remove the checkbox for "Require HTTPS for guest access"; however, after I log in successfully from the captive portal, it cannot redirect to any web page. After changing it back, it behaves as you mentioned before:

    1. User connects to Guest-ssid

    2. Tries to browse and is redirected to 1.1.1.1 (Cisco) and here gets a certificate error

    3. User clicks continue, and is then redirected to the CP on ClearPass

    And, after logging in on the ClearPass Captive Portal, a LOGOUT web page appears with IP address 1.1.1.1. Can we change this 1.1.1.1 IP address to a hostname, or not display this web page at all?



  • 19.  RE: Clear Pass integrate with Cisco WLC

    Posted Mar 17, 2014 08:10 AM

    It looks like 1.1.1.1 is OK for you to use in this scenario; you will have to change that if you change it on the WLC. You can also use a hostname/FQDN as long as it is resolvable from the client.

    Is 192.168.0.56 the IP address the WLC will send RADIUS traffic from?

    What you describe here is usually the case when the RADIUS authentication doesn't go through. Do you get anything in the Access Tracker? If yes, what do you get?



  • 20.  RE: Clear Pass integrate with Cisco WLC

    Posted Mar 20, 2014 11:44 AM

    If you uncheck "Require HTTPS", you must also adjust the settings on the WLC.

    You have to allow HTTP and set WebAuth SecureWeb to Disabled. See the attached screenshot. Config --> Management --> HTTP-HTTPS



  • 21.  RE: Clear Pass integrate with Cisco WLC

    Posted Oct 10, 2016 09:08 AM

    For me it was a little bit difficult to set this up. I have written a PDF on this issue, and I hope it will help others that ran into the issue using Cisco external web authentication along with Aruba ClearPass.



  • 22.  RE: Clear Pass integrate with Cisco WLC

    Posted Oct 11, 2016 12:38 AM

    Well written Bo - thanks for sharing!!



  • 23.  RE: Clear Pass integrate with Cisco WLC

    Posted Jun 24, 2022 09:19 AM
    Hi Bo,

    I have integrated ClearPass with a Cisco WLC. When we connect to the SSID we are redirected to the guest network login page, but after login the page gets stuck at 1.1.1.1/login.html? as per the snap below. Could you please help with this. Thanks

    Error Snap:




  • 24.  RE: Clear Pass integrate with Cisco WLC

    Posted Jun 24, 2022 10:08 AM
    You are commenting on a thread from 2016 (6 years ago!).  Please consider starting a new community post for your issue.  Also as a step one do NOT use 1.1.1.1.  That is a routable IP address (specifically CloudFlare).  Please update it to use 192.0.2.1.
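The following is an added example, not code from this thread or from Aruba or Cisco. It models the controller-initiated (external web-auth) flow that posts 13 and 17 describe and names the three failure modes reported in the thread: landing back on the portal (post 1), posting the login to the WLC management IP instead of the virtual IP (post 14), and getting stuck on the virtual IP's login page (posts 16 and 23). It also applies the point from post 24 that the virtual IP must not be a globally routable address. All URLs, MAC addresses and hostnames in it are constructed samples; the redirect query keys (`switch_url`, `ap_mac`, `client_mac`, `wlan`, `redirect`) and the login form fields (`buttonClicked`, `err_flag`, `redirect_url`, `username`, `password`) are taken from the sample external login page in Cisco's web-auth guide linked in post 17, and should be verified against your own controller version.

```python
"""Check a Cisco WLC external web-auth redirect chain for the failure modes
reported in this thread. Every URL, MAC and IP below is a constructed sample;
the query keys and form field names follow the sample external login page
in Cisco's web-auth guide (verify against your controller's release)."""
import ipaddress
from urllib.parse import urlparse, parse_qs

# Constructed sample: the redirect an unauthenticated client receives from
# the WLC. switch_url is where the portal page must POST the credentials.
WLC_REDIRECT = (
    "http://192.168.1.210/guest/guest_register.php"
    "?switch_url=https://1.1.1.1/login.html"
    "&ap_mac=00:11:22:33:44:55&client_mac=aa:bb:cc:dd:ee:ff"
    "&wlan=Guest&redirect=www.google.com"
)


def _host(url):
    """Hostname of a URL; bare hosts such as 'www.google.com' are accepted."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def parse_wlc_redirect(url):
    """Split the WLC redirect into (portal host, WLC-supplied parameters)."""
    parts = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.hostname, params


def build_login_post(params, username, password):
    """The form the portal page must submit: the action is the WLC's
    switch_url (virtual IP), and redirect_url carries the user's original
    destination so the WLC can send them on after login."""
    return params["switch_url"], {
        "buttonClicked": "4",   # submit marker on Cisco's sample login form
        "err_flag": "0",
        "redirect_url": params.get("redirect", ""),
        "username": username,
        "password": password,
    }


def classify_post_login(portal_host, landed_url, wlc_mgmt_ip, virtual_ip):
    """Name the failure mode by where the client lands after a good login."""
    host = _host(landed_url)
    if host == portal_host:
        return "loop"             # back on the portal (post 1)
    if host == wlc_mgmt_ip:
        return "mgmt-ip"          # management IP used as login target (post 14)
    if host == virtual_ip:
        return "virtual-ip-page"  # stuck on <virtual IP>/login.html (posts 16, 23)
    return "ok"


def virtual_ip_is_safe(ip):
    """Post 24: the WLC virtual IP must not be globally routable.
    192.0.2.1 (RFC 5737 TEST-NET-1) passes; 1.1.1.1 does not."""
    return not ipaddress.ip_address(ip).is_global


def check_chain(redirect_url, landed_url, wlc_mgmt_ip):
    """Run all checks on one observed redirect chain and return the findings."""
    portal_host, params = parse_wlc_redirect(redirect_url)
    virtual_ip = _host(params["switch_url"])
    action, _ = build_login_post(params, "guest", "secret")
    return {
        "login_target_is_mgmt_ip": _host(action) == wlc_mgmt_ip,
        "post_login": classify_post_login(portal_host, landed_url,
                                          wlc_mgmt_ip, virtual_ip),
        "virtual_ip_safe": virtual_ip_is_safe(virtual_ip),
    }


if __name__ == "__main__":
    # The loop from post 1: after login the client is sent back to the portal.
    print(check_chain(WLC_REDIRECT,
                      "http://192.168.1.210/guest/guest_register.php",
                      "192.168.0.56"))
```

To use it against a real setup, paste the redirect URL your browser shows when it first hits the portal into `WLC_REDIRECT` and the URL it lands on after login into the second argument of `check_chain`; a `post_login` of anything other than `ok` points at the matching post above, and `virtual_ip_safe` being false means the virtual IP should move to a reserved range such as 192.0.2.1.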