Contributor I
Posts: 29
Registered: 08-02-2013

ClearPass ArubaOS integration

Hi All,


This is my first Aruba/ClearPass deployment. I'm trying to set up the integration between my controller and ClearPass (external captive portal) and believe I have resolved most issues regarding the configuration of the controller. The controller does seem to attempt a redirect and traffic is passed on to the ClearPass box. I ran into issues with a redirection loop and also came across a NAT issue, both believed to have been resolved.

I still can't see the login page that I have specified in the Captive Portal configuration.

The controller has one interface in the same subnet as the ClearPass box. I have created a firewall policy (below) and enabled source NAT on the interface.

user host 10.46.x.y svc-https src-nat pool dmz-interface log

where the IP address specified is that of the ClearPass box. The NAT pool consists of one IP address, which is the same as the controller's interface on that subnet.

Opening a browser on my test laptop and pointing it to https://10.46.x.y/ still results in an error "page can not be displayed". If I point my browser to https://1.1.1.1 I see that a redirect is attempted: the URL is changed in the browser.

Could someone please tell me how to proceed in my quest (to at least be presented with a login page generated from ClearPass)? First off, of course, any hint on troubleshooting this issue would be very welcome!

Best regards,
Fredrik


Super Contributor II
Posts: 368
Registered: 09-05-2012

Re: ClearPass ArubaOS integration

Hey,

I can't really suggest what could be causing the issue.

But one troubleshooting tool I can recommend to you is the command below. Issue it on your controller:

show datapath session table <ip address> (ip of your test laptop)

This is perfect for attempting to identify access issues and might shed some light on what is preventing the page from being displayed properly.

It will show exactly what your test laptop is attempting to access and will show what is being denied.

 

Cheers

Guru Elite
Posts: 20,015
Registered: 03-29-2007

Re: ClearPass ArubaOS integration


frekn0 wrote:

[quotes the opening post in full]

Why are you source-natting at all?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs

Contributor I
Posts: 29
Registered: 08-02-2013

Re: ClearPass ArubaOS integration

Great! Thx! This was one thing I was looking for!

172.18.46.2     10.46.x.x    6    63078 443    0/0     0 0   1   tunnel 81   1b   2         104        SYC
172.18.46.2     10.46.x.x    6    63076 443    0/0     0 0   1   tunnel 81   30   0         0          SYC
172.18.46.2     10.46.x.x    6    63077 443    0/0     0 0   1   tunnel 81   30   0         0          SYC

Seems like src-nat is applied as I thought and hoped. The big question is what ClearPass is doing with the traffic. Can I expect it to respond to an https session from a client even if I haven't completed the ClearPass side of the configuration? I'm kind of thrown by the old GUI used in the integration guide (Amigopod ArubaOS integration) and figured I wanted to resolve this first...

Best regards,

Fredrik
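
The session rows posted above can be read mechanically. As an added example (not code from the thread or from Aruba), the Python below parses `show datapath session table` output, pairs each client entry with its reverse-direction entry, and lists the sessions the controller never saw answered, which is the shape of a return-path problem. The column order and the meaning of the `S` flag are assumptions based on the ArubaOS output format; the sample rows are constructed, and the third row is an invented return-direction entry so the pairing has something to match (the real reverse entry's destination and flags are not shown in the thread).

```python
"""Added example, not code from the thread or from Aruba: parse the session
lines from `show datapath session table` and list client sessions that have
no matching reverse-direction entry, i.e. requests that were never answered.
Column positions and flag letters are assumptions based on the ArubaOS
output format; the sample rows are constructed."""
from dataclasses import dataclass

# Constructed sample modelled on the rows posted in the thread (same placeholder
# IPs). The third row is an invented return-direction entry so that pairing has
# something to match; a real reverse entry's destination and flags would depend
# on the platform and are not shown in the thread.
SAMPLE = """\
172.18.46.2     10.46.x.x    6    63078 443    0/0     0 0   1   tunnel 81   1b   2         104        SYC
172.18.46.2     10.46.x.x    6    63076 443    0/0     0 0   1   tunnel 81   30   3         180        SYC
10.46.x.x       172.18.46.2  6    443   63076  0/0     0 0   1   dev1        30   3         2164       C
172.18.46.2     10.46.x.x    6    63077 443    0/0     0 0   1   tunnel 81   30   0         0          SYC
"""


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    destination: str   # e.g. "tunnel 81" or "dev1"
    packets: int
    nbytes: int
    flags: str

    @property
    def key(self):
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    @property
    def reverse_key(self):
        return (self.dst, self.src, self.proto, self.dport, self.sport)

    @property
    def src_natted(self):
        # Assumption: 'S' in the Flags column marks a source-NATed session.
        return "S" in self.flags


def parse_session_table(text):
    """Assumed column order: Source IP, Destination IP, Prot, SPort, DPort,
    Cntr, Prio, ToS, Age, Destination, TAge, Packets, Bytes, Flags. The
    Destination field may be two tokens ("tunnel 81"), so the tail is read
    from the right; this assumes the Flags column is never empty."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 14 or not tok[2].isdigit():
            continue   # skip headers, the flag legend and blank lines
        tail = tok[9:]
        sessions.append(Session(
            src=tok[0], dst=tok[1], proto=int(tok[2]),
            sport=int(tok[3]), dport=int(tok[4]),
            destination=" ".join(tail[:-4]),
            packets=int(tail[-3]), nbytes=int(tail[-2]), flags=tail[-1]))
    return sessions


def unanswered_sessions(sessions):
    """Client->server entries with no reverse entry, or a reverse entry that
    never carried a packet: the symptom of return traffic going elsewhere.
    Heuristic: the side with the lower port number is treated as the server."""
    by_key = {s.key: s for s in sessions}
    out = []
    for s in sessions:
        if s.dport >= s.sport:
            continue   # this is the server->client direction; skip it
        rev = by_key.get(s.reverse_key)
        if rev is None or rev.packets == 0:
            out.append(s)
    return out


if __name__ == "__main__":
    for s in unanswered_sessions(parse_session_table(SAMPLE)):
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} via {s.destination} "
              f"flags={s.flags} src-nat={s.src_natted}: no reply seen")
```

Run against the constructed sample, only the session with source port 63076 is reported as answered; the other two client entries have no reverse row at all, which is exactly what the posted table (three client rows, no server rows) looks like.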

Contributor I
Posts: 29
Registered: 08-02-2013

Re: ClearPass ArubaOS integration

Good point. I first started off trying to figure out how to configure a static route to the 172.18 range that I use (on the controller) for guest DHCP. When I couldn't figure that out, I went on to try src-nat.

Without src-NAT I noticed that the return traffic (from ClearPass) was sent to the default gateway for the 10.46.x.x subnet.

What are my options here?

Contributor I
Posts: 29
Registered: 08-02-2013

Re: ClearPass ArubaOS integration

Hi All,

I have done some more (damage) digging into my current issue. Perhaps this will give someone more ideas as to what I'm doing wrong.

 

I placed a host on the same subnet 10.46.x.x and used a free IP address to test connectivity from the test laptop (172.18.46.2) connected to the guest SSID that I'm trying to configure. I updated the firewall policy to allow traffic to the new host.

!
ip access-list session amigopodnew
  user host 10.46.x.c any  src-nat pool dmz-interface log
  user host 10.46.x.c svc-https  src-nat pool dmz-interface log
  user host 10.46.x.z any  src-nat pool dmz-interface log
!

I started a tcpdump on the new host (10.46.x.z) and filtered the traffic to only show packets from the controller (src-nat 10.46.x.y). I can see packets received from the controller:

root@sto-ubuntu01:~# tcpdump -s0 -n -vvv host 10.46.x.y
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
12:57:31.407772 IP (tos 0x0, ttl 127, id 18317, offset 0, flags [DF], proto TCP (6), length 52)
    10.46.x.y.61836 > 10.46.x.z.443: Flags [S], cksum 0xeedc (correct), seq 3007221762, win 8192, options [mss 1386,nop,wscale 8,nop,nop,sackOK], length 0
12:57:31.407815 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 52)

However, a session is not established with the test laptop. Same result if I try to ping the host from the laptop. I went on to check that I'm able to browse the Aruba_welcome.php on the ClearPass box from the new host.

root@sto-ubuntu01:~# wget https://10.46.x.c/Aruba_welcome.php --no-check-certificate
--2013-08-22 12:13:19--  https://10.46.x.c/Aruba_welcome.php
Connecting to 10.46.x.c:443... connected.
WARNING: cannot verify 10.46.x.c's certificate, issued by `/CN=sto-pma02/O=PolicyManager':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `Aruba_welcome.php'

    [ <=>                                   ] 7,305       --.-K/s   in 0s

2013-08-22 12:13:20 (35.5 MB/s) - `Aruba_welcome.php' saved [7305]

I then moved on to temporarily disconnect the ClearPass box from the subnet (in ESX) and re-used its IP address on the new host to ensure traffic from the client is received. Tcpdump showed packets received from the controller. I also set up a netcat listener on port 443 for giggles, but as expected a session was not established from the test laptop.

Something is going wrong with the return traffic, so I guess I should refocus my efforts back on the controller. Is the Captive Portal configuration, faulty or not, preventing tests like this, or does the above give you any ideas on what to test next?

 

 

Guru Elite
Posts: 20,015
Registered: 03-29-2007

Re: ClearPass ArubaOS integration

Frekn0,

Let's start from scratch:

Do you have a network diagram of your setup?

 

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 29
Registered: 08-02-2013

Re: ClearPass ArubaOS integration

Sorry, should have included it from the beginning. I have put together a quick diagram for you (attached). Will expand on it as needed.

Thanks,

Fredrik

Guru Elite
Posts: 20,015
Registered: 03-29-2007

Re: ClearPass ArubaOS integration

What subnet are your users on?

What subnet is the ClearPass server on?

Can't they just use routing to reach the ClearPass server instead of NAT?

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 29
Registered: 08-02-2013

Re: ClearPass ArubaOS integration

Guest users are assigned an IP from the DHCP pool (172.18.46.0/24) on the controller - is that what you meant?

The ClearPass server is on the 10.46.x.x subnet, to which interface 1/0 of the controller is also connected.

I started off without NAT, but since ClearPass will send return traffic to clients in 172.18.46.0/24 via its default gateway and I don't route that subnet in the firewall (see diagram), I wanted to try NAT. I could go back to a config without NAT and see what happens?
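
To make the routing argument in this thread concrete, here is an added example (not code from the thread or from Aruba) that models the options under discussion with a longest-prefix-match lookup: no route and no NAT, a static route for the guest range on the firewall or on ClearPass itself, and source NAT on the controller's DMZ interface. The topology, addresses and device names are constructed placeholders (10.46.0.0/24 stands in for the thread's 10.46.x.x), and src-NAT is modelled only as far as the reply reaching the controller, which then un-NATs it towards the guest.

```python
"""Added example, not code from the thread or from Aruba: trace where ClearPass's
reply to a guest client ends up under the configurations discussed, using a
longest-prefix-match routing model. All addresses and device names are
constructed placeholders."""
from ipaddress import ip_address, ip_network

# Constructed topology modelled on the thread: guests get 172.18.46.0/24 from
# the controller; ClearPass and the controller's interface 1/0 share a DMZ
# subnet (10.46.0.0/24 stands in for the thread's 10.46.x.x).
GUEST_CLIENT = "172.18.46.2"
CONTROLLER_DMZ = "10.46.0.2"   # interface 1/0, also the one-address src-NAT pool
CLEARPASS = "10.46.0.10"
DMZ_GATEWAY = "10.46.0.1"      # ClearPass's default gateway (the firewall)
UPSTREAM = "198.51.100.1"      # the firewall's own default gateway

CONNECTED = "connected"        # next-hop marker for a directly attached prefix

# Which device answers for which address (the guest sits behind the controller).
OWNERS = {GUEST_CLIENT: "guest", CONTROLLER_DMZ: "controller",
          CLEARPASS: "clearpass", DMZ_GATEWAY: "firewall", UPSTREAM: "upstream"}


def base_tables():
    """Routing tables as the thread describes them: nothing knows 172.18.46.0/24
    except the controller. Each table is a list of (prefix, next_hop)."""
    return {
        "clearpass": [("10.46.0.0/24", CONNECTED), ("0.0.0.0/0", DMZ_GATEWAY)],
        "firewall": [("10.46.0.0/24", CONNECTED), ("0.0.0.0/0", UPSTREAM)],
        "controller": [("10.46.0.0/24", CONNECTED), ("172.18.46.0/24", CONNECTED)],
        "upstream": [],        # models "sent off towards the Internet and lost"
    }


def lookup(table, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def trace_reply(tables, start, dst, max_hops=8):
    """Follow a packet for `dst` from device `start`; returns (path, status)."""
    path = [start]
    current = start
    for _ in range(max_hops):
        next_hop = lookup(tables[current], dst)
        if next_hop is None:
            return path, f"dropped at {current}: no route to {dst}"
        if next_hop == CONNECTED:
            owner = OWNERS.get(dst)
            if owner is None:
                return path, f"dropped at {current}: {dst} not on connected segment"
            path.append(owner)
            return path, "delivered"
        current = OWNERS[next_hop]
        path.append(current)
    return path, "dropped: hop limit reached (routing loop?)"


def no_nat_no_route():
    # ClearPass replies straight to the guest address and follows its default route.
    return trace_reply(base_tables(), "clearpass", GUEST_CLIENT)


def static_route_on_firewall():
    tables = base_tables()
    tables["firewall"].insert(0, ("172.18.46.0/24", CONTROLLER_DMZ))
    return trace_reply(tables, "clearpass", GUEST_CLIENT)


def static_route_on_clearpass():
    tables = base_tables()
    tables["clearpass"].insert(0, ("172.18.46.0/24", CONTROLLER_DMZ))
    return trace_reply(tables, "clearpass", GUEST_CLIENT)


def with_src_nat():
    # With src-NAT the client's packets arrive from CONTROLLER_DMZ, so the reply
    # goes there; the controller then un-NATs it towards the guest (not modelled).
    return trace_reply(base_tables(), "clearpass", CONTROLLER_DMZ)


if __name__ == "__main__":
    for name, fn in [("no NAT, no route", no_nat_no_route),
                     ("static route on firewall", static_route_on_firewall),
                     ("static route on ClearPass", static_route_on_clearpass),
                     ("src-NAT on controller", with_src_nat)]:
        path, status = fn()
        print(f"{name:26} {' -> '.join(path):42} {status}")
```

The first scenario reproduces the symptom described in the thread: the reply leaves ClearPass towards the firewall, which has no route for the guest range and forwards it to its own default gateway, where it is lost. Either static route brings the reply back to the controller and on to the guest without NAT; src-NAT works by making the reply's destination an address ClearPass already considers directly connected.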
