Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass ArubaOS integration

  • 1.  ClearPass ArubaOS integration

    Posted Aug 21, 2013 07:54 AM

    Hi All,


    This is my first Aruba/Clearpass deployment. I'm trying to set up the integration between my controller and ClearPass (external captive portal) and believe to have resolved most issues regarding the configuration of the controller. The controller does seem to attempt a redirect and traffic is passed on to the Clearpass box. I ran into issues with a redirection loop and also came across a NAT-issue, both believed to have been resolved.

     

    I still can't see the login page that I have specified in the Captive Portal configuration.

     

    The controller has one interface in the same subnet as the ClearPass box. I have created a firewall policy (below) and enable source NAT on the interface.

     

    user host 10.46.x.y svc-https src-nat pool dmz-interface log

     

    where the IP-address specified is that of the ClearPass box. The NAT-pool consists of one IP-address, which is the same as the controller's interface on that subnet.

     

    I'm still not able to get a page: opening a browser on my test laptop and pointing it to https://10.46.x.y/ results in an error "page can not be displayed". If I point my browser to https://1.1.1.1, I can see that a redirect is attempted, since the URL changes in the browser.

     

    Could someone please tell me how to proceed in my quest (to at least be presented with a login page generated from ClearPass)? First off, of course, any hint on troubleshooting this issue would be very welcome!

     

    Best regards,
    Fredrik

     

     



  • 2.  RE: ClearPass ArubaOS integration

    Posted Aug 21, 2013 08:46 AM

    Hey,

     

    I can't really suggest what could be causing the issue.

     

    But one troubleshooting tool I can recommend to you is the command below. Issue it on your controller:

    show datapath session table <ip address> (ip of your test laptop)

     This is perfect for attempting to identify access issues and might shed some light on what is preventing the page from being displayed properly.

     

    It will show exactly what your test laptop is attempting to access and will show what is being denied.

     

    Cheers



  • 3.  RE: ClearPass ArubaOS integration

    Posted Aug 21, 2013 09:09 AM

    Great! Thx! This was one thing I was looking for! 

     

    172.18.46.2     10.46.x.x    6    63078 443    0/0     0 0   1   tunnel 81   1b   2         104        SYC
    172.18.46.2     10.46.x.x    6    63076 443    0/0     0 0   1   tunnel 81   30   0         0          SYC
    172.18.46.2     10.46.x.x    6    63077 443    0/0     0 0   1   tunnel 81   30   0         0          SYC

     

    Seems like src-nat is applied as I thought and hoped. The big question is what ClearPass is doing with the traffic. Can I expect it to respond to an https session from a client even if I haven't completed the ClearPass side of the configuration? I'm kind of thrown by the old GUI used in the integration guide (Amigopod ArubaOS integration) and figured I wanted to resolve this first...

     

    Best regards,

    Fredrik 



  • 4.  RE: ClearPass ArubaOS integration

    Posted Aug 22, 2013 05:18 AM

    Hi All,

    I have done some more (damage) digging into my current issue. Perhaps this will give someone more ideas as to what I'm doing wrong. 

     

    I placed a host on the same subnet 10.46.x.x and used a free IP-address to test connectivity from the test-laptop (172.18.46.2) connected to the guest-SSID that I'm trying to configure. I updated the firewall policy to allow traffic to the new host.

     

    !
    ip access-list session amigopodnew
      user host 10.46.x.c any  src-nat pool dmz-interface log
      user host 10.46.x.c svc-https  src-nat pool dmz-interface log
      user host 10.46.x.z any  src-nat pool dmz-interface log
    !

     

    Started a tcpdump on the new host (10.46.x.z) and filtered traffic to only show packets from the controller (src-nat 10.46.x.y). I can see packets received from the controller:

     

    root@sto-ubuntu01:~# tcpdump -s0 -n -vvv host 10.46.x.y
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    12:57:31.407772 IP (tos 0x0, ttl 127, id 18317, offset 0, flags [DF], proto TCP (6), length 52)
        10.46.x.y.61836 > 10.46.x.z.443: Flags [S], cksum 0xeedc (correct), seq 3007221762, win 8192, options [mss 1386,nop,wscale 8,nop,nop,sackOK], length 0
    12:57:31.407815 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)

    However, a session is not established with the test laptop. Same result if I try to ping the host from the laptop. I went on to check that I'm able to browse the Aruba_welcome.php on the ClearPass box from the new host. 

     

    root@sto-ubuntu01:~# wget https://10.46.x.c/Aruba_welcome.php --no-check-certificate
    --2013-08-22 12:13:19--  https://10.46.x.c/Aruba_welcome.php
    Connecting to 10.46.x.c:443... connected.
    WARNING: cannot verify 10.46.x.c's certificate, issued by `/CN=sto-pma02/O=PolicyManager':
      Self-signed certificate encountered.
    HTTP request sent, awaiting response... 200 OK
    Length: unspecified [text/html]
    Saving to: `Aruba_welcome.php'
    
        [ <=>                                   ] 7,305       --.-K/s   in 0s
    
    2013-08-22 12:13:20 (35.5 MB/s) - `Aruba_welcome.php' saved [7305]

    I then moved on to temporarily disconnect the ClearPass box from the subnet (in ESX) and re-used its IP address on the new host to ensure traffic from the client is received. Tcpdump showed packets received from the controller. I also set up a netcat listener on port 443 for giggles, but as expected a session was not established from the test laptop. 

     

    Something is going wrong with the return traffic, so I guess I should refocus my efforts back to the controller. Is the Captive Portal configuration, faulty or not, preventing tests like this or does the above give you any ideas on what to test next? 

     

     



  • 5.  RE: ClearPass ArubaOS integration

    EMPLOYEE
    Posted Aug 22, 2013 06:54 AM

    Frekn0,

     

    Let's start from scratch:

    Do you have a network diagram of your setup?

     



  • 6.  RE: ClearPass ArubaOS integration

    Posted Aug 22, 2013 07:09 AM

    Sorry, should have included it from the beginning. I have put together a quick diagram for you (attached). Will expand on it as needed.

     

    Thanks,

    Fredrik



  • 7.  RE: ClearPass ArubaOS integration

    EMPLOYEE
    Posted Aug 22, 2013 07:12 AM

    What subnet are your users on?

    What subnet is the clearpass server on?

    Can't they just use routing to reach the clearpass server instead of nat?

     



  • 8.  RE: ClearPass ArubaOS integration

    Posted Aug 22, 2013 07:19 AM

    Guest users are assigned IP from dhcp-pool (172.18.46.0/24) on the controller - is that what you meant? 

    ClearPass server is on the 10.46.x.-subnet, to which interface 1/0 of the controller is also connected. 

    I started off without NAT, but since ClearPass will send return traffic to clients from 172.18.46.0/24 via its default gateway and I don't route that subnet in the firewall (see diagram), I wanted to try NAT. I could go back to a config without NAT and see what happens? 



  • 9.  RE: ClearPass ArubaOS integration

    EMPLOYEE
    Posted Aug 22, 2013 07:31 AM

    Is the controller the default gateway for 172.18.46.0/24? What is the default gateway for the ClearPass Box?  Whatever the router or default gateway is for the clearpass box, can you  put a static route on that device for the 172.18.46.0/24 subnet and point it to the ip address of the controller so that traffic can be returned to it?



  • 10.  RE: ClearPass ArubaOS integration

    Posted Aug 22, 2013 07:59 AM

    The controller is the default gateway for 172.18.46.0/24, the default gateway for the ClearPass box is set to the firewall (in diagram). I will get cracking on configuring the required routing/rules on the firewall to handle the return traffic.

     

    In the meantime, I have a similar test set up using the new host mentioned earlier (10.46.x.z). Since I have shell on that box, I'm able to add a static route for 172.18.46.0/24 pointing to the IP of the controller (10.46.x.c). This should send traffic back to the test laptop via the controller.

     

    root@sto-ubuntu01:~# netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    
    172.18.46.0     10.46.x.c    255.255.255.0   UG        0 0          0 eth0

     

    Using tcpdump I can see the packets sent from the test-laptop and verify that no NAT is in effect, but nothing is returned to the test-laptop? 

     

    root@sto-ubuntu01:~# tcpdump not port 22
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    
    15:58:49.565224 IP 172.18.46.2 > sto-ubuntu01: ICMP echo request, id 1, seq 213, length 40
    15:58:49.565252 IP sto-ubuntu01 > 172.18.46.2: ICMP echo reply, id 1, seq 213, length 40

     What about routing internally on the controller?

     



  • 11.  RE: ClearPass ArubaOS integration

    Posted Aug 23, 2013 08:23 AM

    Have been reading up on this. To provide a bit more context, the configuration is similar to the one attached with the addition of a ClearPass box placed on the 10.1.100.0 subnet. The ClearPass box would then have its default gateway set to the gateway of that subnet - which is a firewall device. 



  • 12.  RE: ClearPass ArubaOS integration
    Best Answer

    Posted Nov 05, 2013 05:06 AM

    Hi All,

    Just wanted to make sure I added the resolution to my little challenge - sorry it took me so long :(

    The problem was that I had only enabled Inter-VLAN routing for one of the involved vlans. I needed a second pair of eyes to find it.

     

    Best regards,
    Fredrik
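The routing discussion in replies 8 to 10 and the resolution in reply 12 both come down to one question: does every hop on the return path know how to reach 172.18.46.0/24, and is the controller allowed to forward between the two VLANs involved? The Python model below is an added example, not code from this thread or from HPE Aruba. The 10.46.x.y addresses are masked in the thread, so the values used here are constructed placeholders; routing is modelled as plain longest-prefix match plus a default gateway, and the controller's per-VLAN inter-VLAN routing setting is modelled simply as the set of networks the controller will forward between (a simplification, assumed for the illustration).

```python
"""Simulated forward/return path for the captive-portal topology in this thread.

Added illustration only. Addresses are placeholders for the masked values in
the thread; the per-VLAN routing check is a simplified model, not ArubaOS logic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

GUEST_NET = ipaddress.ip_network("172.18.46.0/24")   # guest DHCP pool named in the thread
DMZ_NET = ipaddress.ip_network("10.46.0.0/24")       # placeholder for the 10.46.x.0/24 subnet
CLIENT = ipaddress.ip_address("172.18.46.2")         # test laptop named in the thread
CTRL_GUEST = ipaddress.ip_address("172.18.46.1")     # placeholder: controller, guest VLAN side
CTRL_DMZ = ipaddress.ip_address("10.46.0.1")         # placeholder for 10.46.x.c
CLEARPASS = ipaddress.ip_address("10.46.0.10")       # placeholder for 10.46.x.y
FW_DMZ = ipaddress.ip_address("10.46.0.254")         # placeholder: firewall, DMZ side


@dataclass
class Node:
    name: str
    interfaces: list                                   # [(address, connected network), ...]
    static_routes: list = field(default_factory=list)  # [(prefix, next_hop), ...]
    default_gw: Optional[ipaddress.IPv4Address] = None
    routed_vlans: Optional[set] = None                 # None = forwards between all VLANs

    def iface_for(self, addr):
        """Interface whose connected network contains addr, else None."""
        return next((i for i in self.interfaces if addr in i[1]), None)

    def lookup(self, dst):
        """Longest-prefix match over connected nets and static routes, then default gateway.
        Returns (prefix, next_hop); next_hop None means directly connected; None = no route."""
        candidates = [(net, None) for _, net in self.interfaces] + self.static_routes
        matches = [c for c in candidates if dst in c[0]]
        if matches:
            return max(matches, key=lambda c: c[0].prefixlen)
        if self.default_gw is not None:
            return (ipaddress.ip_network("0.0.0.0/0"), self.default_gw)
        return None


class Topology:
    def __init__(self, nodes):
        self.owner = {addr: n for n in nodes for addr, _ in n.interfaces}

    def trace(self, src, dst, max_hops=8):
        """Walk hop by hop from the node owning src; report why a packet stops."""
        node, arrived_via, path = self.owner[src], None, [self.owner[src].name]
        for _ in range(max_hops):
            route = node.lookup(dst)
            if route is None:
                return "NO_ROUTE", path
            next_hop = route[1]
            hop = dst if next_hop is None else next_hop
            egress = node.iface_for(hop)
            if egress is None:
                return "NEXT_HOP_NOT_CONNECTED", path
            # Transit check: a node with a routed_vlans set only forwards when both the
            # ingress and egress VLAN are in it (models the controller's inter-VLAN routing).
            if arrived_via is not None and node.routed_vlans is not None:
                ingress_net = node.iface_for(arrived_via)[1]
                if not {ingress_net, egress[1]} <= node.routed_vlans:
                    return "INTER_VLAN_ROUTING_DISABLED", path
            if hop not in self.owner:
                return "HOST_NOT_FOUND", path
            node, arrived_via = self.owner[hop], hop
            path.append(node.name)
            if hop == dst:
                return "DELIVERED", path
        return "LOOP", path


def build(fw_has_guest_route, ctrl_routes_both_vlans, host_static_route=False):
    """Topology from the thread's diagram: client -> controller -> DMZ with ClearPass and firewall."""
    controller = Node("controller", [(CTRL_GUEST, GUEST_NET), (CTRL_DMZ, DMZ_NET)],
                      routed_vlans={GUEST_NET, DMZ_NET} if ctrl_routes_both_vlans else {GUEST_NET})
    firewall = Node("firewall", [(FW_DMZ, DMZ_NET)],
                    static_routes=[(GUEST_NET, CTRL_DMZ)] if fw_has_guest_route else [])
    clearpass = Node("clearpass", [(CLEARPASS, DMZ_NET)], default_gw=FW_DMZ,
                     static_routes=[(GUEST_NET, CTRL_DMZ)] if host_static_route else [])
    client = Node("client", [(CLIENT, GUEST_NET)], default_gw=CTRL_GUEST)
    return Topology([client, controller, clearpass, firewall])


def round_trip(fw_has_guest_route, ctrl_routes_both_vlans, host_static_route=False):
    """(forward outcome, return outcome) for client -> ClearPass and ClearPass -> client."""
    topo = build(fw_has_guest_route, ctrl_routes_both_vlans, host_static_route)
    return topo.trace(CLIENT, CLEARPASS), topo.trace(CLEARPASS, CLIENT)


if __name__ == "__main__":
    print("no firewall route back :", round_trip(False, True))
    print("firewall static route  :", round_trip(True, True))
    print("host-level static route:", round_trip(False, True, host_static_route=True))
    print("one VLAN not routed    :", round_trip(True, False))
```

The first scenario reproduces the symptom from replies 4 and 10: the SYN reaches ClearPass, but the reply follows ClearPass's default gateway to the firewall, which has no route for 172.18.46.0/24, so the handshake never completes and the client sees "page can not be displayed". The second and third scenarios are the two fixes proposed in replies 9 and 10 (a static route on the firewall, or on the host itself, pointing the guest subnet at the controller's DMZ address). The last scenario models the final resolution in reply 12: with inter-VLAN routing missing on one of the two VLANs, the controller itself refuses to forward between them, so even a correct return route does not help.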



  • 13.  RE: ClearPass ArubaOS integration

    EMPLOYEE
    Posted Nov 06, 2013 01:22 AM
    Thanks for getting back and letting us know. It always helps others if they run into the same issue. :)


  • 14.  RE: ClearPass ArubaOS integration

    EMPLOYEE
    Posted Aug 21, 2013 08:51 AM

    @frekn0 wrote:

    Hi All,


    This is my first Aruba/Clearpass deployment. I'm trying to set up the integration between my controller and ClearPass (external captive portal) and believe to have resolved most issues regarding the configuration of the controller. The controller does seem to attempt a redirect and traffic is passed on to the Clearpass box. I ran into issues with a redirection loop and also came across a NAT-issue, both believed to have been resolved.

     

    I still can't see the login page that I have specified in the Captive Portal configuration.

     

    The controller has one interface in the same subnet as the ClearPass box. I have created a firewall policy (below) and enable source NAT on the interface.

     

    user host 10.46.x.y svc-https src-nat pool dmz-interface log

     

    where the IP-address specified is that of the ClearPass box. The NAT-pool consists of one IP-address, which is the same as the controller's interface on that subnet.

     

    I'm still not able to get a page: opening a browser on my test laptop and pointing it to https://10.46.x.y/ results in an error "page can not be displayed". If I point my browser to https://1.1.1.1, I can see that a redirect is attempted, since the URL changes in the browser.

     

    Could someone please tell me how to proceed in my quest (to at least be presented with a login page generated from ClearPass)? First off, of course, any hint on troubleshooting this issue would be very welcome!

     

    Best regards,
    Fredrik


    Why are you source-natting at all?

     



  • 15.  RE: ClearPass ArubaOS integration

    Posted Aug 21, 2013 09:56 AM

    Good point. I first started off trying to figure out how to configure a static route to the 172.18-range that I use (on the controller) for guest dhcp. When I couldn't figure that out, I went on to try src-nat. 

     

    Without src-NAT I noticed that the return traffic (from Clearpass) was sent to the default gateway for the 10.46.x.x subnet.

     

    What are my options here?