
ClearPass Guest Redirect Loop Issue

Hi AirHeads,

 

I need some help with a captive portal redirect loop issue. Here is our setup:

7210 controller and ClearPass

- Preauth role configured with the following ACLs

[Attached image: pre-authacl.png]

- Captive portal profile configured with https://wifi.customer.com/guest/register.php

- Guest registration page (link above) is configured and reachable when on the LAN

- Guest WiFi is getting DHCP from the controller and using public DNS servers. The public DNS has a record for "wifi.customer.com" that points to the private FQDN of the ClearPass server.

- The firewall is the gateway for the users

 

We connect to Guest WiFi and get an IP address. We open a browser and get redirected to the page, but get the error "Too many redirects".

Not sure where the redirects are happening, I need some insight here. It's a bit of a complicated setup, customer's requirements, but causing some problems on my end.

 


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Guest Redirect Loop Issue

Move the allow to the top of the list


Thanks,
Tim

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

I moved it to the top and now I get timeouts for the HTTP_GET. It doesn't say redirect loop, it just doesn't load now.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Guest Redirect Loop Issue

While on the LAN with the internal DNS servers, I can resolve the page no problem. When I use the public DNS servers, even though the address is technically public, it times out or says redirect loop.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Guest Redirect Loop Issue

And the ClearPass server is routable from the guest network?

 

Can you ping it from a guest client?

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

Yeah, I can ping the Guest VLAN interface on the controller and I can ping the ClearPass IP. I tested the DNS server by statically assigning it while on the LAN and I can resolve the address. Something between the redirect and the public DNS resolution gets funny, but not sure what/where.

 

Could it be a problem having all the info appended at the end of the URL?


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Guest Redirect Loop Issue

Is your allow https to ClearPass ACL referencing a DNS name or IP address?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

It is the IP address of the ClearPass publisher and subscriber.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com

Re: ClearPass Guest Redirect Loop Issue

Just for the sake of troubleshooting, can you change the client to internal DNS and see if you are redirected?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

Configured internal DNS for Guest device, cannot get to the splash page. Added Allowall ACL to the pre-auth role, cannot get to splash page OR to any external websites.

 

I'm leaning toward a routing issue now. Customer just built new VLAN for Guest network and routing may not be working from Guest VLAN or from firewall.


Thank you.

Michael Haring | AIS Consultant
Architecture and Implementation Solutions
Optiv Security Inc. | www.optiv.com