ClearPass Guest Redirect Loop Issue

Hi AirHeads,

I need some help with a captive portal redirect loop issue. Here is our setup:

7210 controller and ClearPass

- Preauth role configured with the following ACLs

[Image: pre-authacl.png]

- Captive portal profile configured with https://wifi.customer.com/guest/register.php

- Guest registration page (link above) is configured and reachable when on the LAN

- Guest WiFi is getting DHCP from controller and using public DNS servers. The public DNS has a record for "wifi.customer.com" that points to the private FQDN of the ClearPass server.

- The firewall is the gateway for the users

We connect to Guest WiFi and get an IP address. We open a browser and get redirected to the page, but get an error: Too many redirects

Not sure where the redirects are happening; I need some insight here. It's a bit of a complicated setup, customer's requirements, but it's causing some problems on my end.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: ClearPass Guest Redirect Loop Issue

Move the allow to the top of the list


Thanks,
Tim

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
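
An added illustration of the ordering advice above (not part of the original posts and not Aruba or ClearPass code): a toy model of a pre-auth rule list, assuming it is evaluated top-down with the first match winning. The addresses, rule tuples and function names are constructed for the example, since the thread's actual ACL exists only in the screenshot.

```python
import ipaddress

# Constructed address from a documentation range; not taken from the thread.
PORTAL = "192.0.2.10"   # hypothetical guest portal (ClearPass) address

# Each rule: (destination network or "any", destination port or None, action)
REDIRECT_FIRST = [
    ("any", 443, "redirect"),   # captive-portal rule intercepts all HTTPS
    (PORTAL, 443, "permit"),    # allow to the portal, placed below it
    ("any", None, "deny"),
]
# Same rules with the allow moved to the top of the list.
ALLOW_FIRST = [REDIRECT_FIRST[1], REDIRECT_FIRST[0], REDIRECT_FIRST[2]]

def match(rule, dst, port):
    net, rule_port, _ = rule
    ip_ok = net == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(net)
    return ip_ok and (rule_port is None or rule_port == port)

def evaluate(acl, dst, port):
    """Return the action of the first matching rule (implicit deny at the end)."""
    for rule in acl:
        if match(rule, dst, port):
            return rule[2]
    return "deny"

def browse(acl, dst, port=443, max_hops=5):
    """Follow the hops a guest browser would take; returns (outcome, hops)."""
    hops = []
    for _ in range(max_hops):
        action = evaluate(acl, dst, port)
        hops.append((dst, action))
        if action == "permit":
            return "reached " + dst, hops
        if action == "deny":
            return "blocked", hops
        dst = PORTAL   # a redirect sends the browser on to the portal URL
    return "redirect loop", hops

if __name__ == "__main__":
    for name, acl in (("redirect first", REDIRECT_FIRST), ("allow first", ALLOW_FIRST)):
        outcome, hops = browse(acl, "203.0.113.5")
        print(f"{name}: {outcome} after {len(hops)} hop(s)")
```

In this model the request to the portal itself matches the redirect rule when the allow sits below it, so the browser is sent back to the portal on every hop.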

Re: ClearPass Guest Redirect Loop Issue

I moved it to the top and now I get timeouts for the HTTP_GET. Doesn't say redirect loop, just doesn't load now.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0

Re: ClearPass Guest Redirect Loop Issue

While on the LAN with the internal DNS servers, I can resolve the page no problem. When I use the public DNS servers, even though the address is technically public, it times out or says redirect loop.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: ClearPass Guest Redirect Loop Issue

And the ClearPass server is routable from the guest network?

Can you ping it from a guest client?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

Yeah, I can ping the Guest VLAN interface on the controller and I can ping the ClearPass IP. I tested the DNS server by statically assigning it while on the LAN and I can resolve the address. Something between the redirect and the public DNS resolution gets funny, but not sure what/where.

Could it be a problem having all the info appended at the end of the URL?


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: ClearPass Guest Redirect Loop Issue

Is your allow https to ClearPass ACL referencing a DNS name or IP address?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

It is the IP address of the ClearPass publisher and subscriber.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0
Guru Elite

Re: ClearPass Guest Redirect Loop Issue

Just for the sake of troubleshooting, can you change the client to internal DNS and see if you are redirected?


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

Re: ClearPass Guest Redirect Loop Issue

Configured internal DNS for Guest device, cannot get to the splash page. Added Allowall ACL to the pre-auth role, cannot get to splash page OR to any external websites.

I'm leaning toward a routing issue now. Customer just built new VLAN for Guest network and routing may not be working from Guest VLAN or from firewall.


Michael Haring
ACMP, ACCP, BCNE, CCENT, Palo Alto ACE 7.0