Moderator
Posts: 918
Registered: ‎07-29-2010

ClearPass two stage authentication with Cisco controller

Hello

 

I've been trying to configure two stage authentication with a Cisco controller and I can't find the way to do it. I think I have everything properly configured. However, once the device passes machine auth, it gets authenticated and the user authentication never takes place. Have any of you guys had the same problem?

 

Regards

Samuel Pérez
ACMP, ACCP, ACDX#100

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: ClearPass two stage authentication with Cisco controller

If this is Windows 7, if you click on an 802.1x WLAN, it defaults to machine-only authentication. You need to go into Advanced and change that to computer or user authentication.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 54
Registered: ‎01-05-2010

Re: ClearPass two stage authentication with Cisco controller

Hi,

 

I have a similar issue. We have just integrated Amigopod and Cisco WLC. I am facing two issues.

1- iOS users, after authentication, are redirected to the Cisco default internal captive portal authentication.

2- All other clients are redirected to a page which is configured in ClearPass, but a logout pop-up window appears and keeps running in the background.

How do we sort out this issue?

Guru Elite
Posts: 21,031
Registered: ‎03-29-2007

Re: ClearPass two stage authentication with Cisco controller

mshafi,

 

Please contact support and open a case.  Your specific issue could be very hard to troubleshoot in this forum.

 



Colin Joseph
Aruba Customer Engineering


Contributor II
Posts: 54
Registered: ‎01-05-2010

Re: ClearPass two stage authentication with Cisco controller

I have been chasing TAC for more than 1 month with no progress. Is anyone facing a similar issue when integrating ClearPass with Cisco controllers?

Contributor II
Posts: 54
Registered: ‎01-05-2010

Re: ClearPass two stage authentication with Cisco controller

Hi All,

At last we got a solution from TAC.

There is an interesting behavior with iOS clients while integrating with WLC OS 7.2 and ClearPass.

Following are the findings of TAC:


1. Web login did not work in my environment until I installed a trusted certificate in the WLC web auth page and configured my Web Login page in Clearpass Guest to use https to the hostname on my certificate.

2. The web login works perfectly with CNA disabled in the WLC. However, you need to manually open Safari first to get the web login page instead of it opening automatically.

3. If the CNA is not disabled in the WLC, then you will get the web login page automatically. Once you log in, it will take you to a page with the word "Success" on it and nothing else. To resolve this, a global configuration for a welcome page needs to be added in the WLC web auth config.

4. Even if the welcome page is configured, you are still in the CNA and the page you configured for welcome is displayed, but you cannot enter a URL due to the CNA. The only thing you can do in the CNA is click Done. Once you do that, your CNA goes away and you need to open Safari to continue web browsing. Obviously, this is not ideal, but there is nothing we can do about that. This is a Cisco and Apple issue.

"My recommendation is to get a 3rd party certificate for your WLC and make sure DNS resolves the name of that 3rd party certificate to the virtual IP address of the WLC. Once you have that done, you can do some testing to decide if you want the CNA enabled or disabled."

Occasional Contributor II
Posts: 11
Registered: ‎03-07-2012

Re: ClearPass two stage authentication with Cisco controller

Hi,

I have a similar issue with 2 stage authentication.

Could you please let me know what you mean by CNA, and how to disable this on the Cisco controller?

Thanks

Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: ClearPass two stage authentication with Cisco controller

"Taken from the web"

Apple implemented their Captive Network Assistant (CNA) which basically senses when a captive portal (like the WebAuth page) is being presented. To detect this behavior, the Apple device sends a request to http://www.apple.com/library/test/success.html to see if it gets a response. If it does, it knows a captive portal isn’t being used. If it does not get a response, it assumes a captive portal is in use and CNA auto-launches a browser window so as to get a leg-up on the portal login – trying to make sure the user doesn’t get stuck trying to use an app but not realizing they have to login to the captive portal first. Sounds like a fair plan but this ends up causing a “controlled window” to pop up that ends up blank.

On the Cisco WLC (Wireless LAN Controller), there is a CLI only command that will bypass this “controlled windows” behavior on the Apple device.

(Controller)> config network web-auth captive-bypass enable

Thank You,
Troy

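The probe logic described in the post above, as an added example that is not part of the original thread: a local test server stands in for three constructed network behaviours, and `cna_verdict` classifies the probe response the way the post describes. The `answered` case, where the network replies to the probe itself, is an assumption about how a client sees a controller with captive-bypass enabled; the handler, function names and portal URL are hypothetical.

```python
import http.client
import http.server
import threading

PROBE_PATH = "/library/test/success.html"  # probe path quoted in the post above
SUCCESS = b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"  # constructed body

def make_handler(mode):
    """Constructed behaviours: 'open', 'portal' (redirect), 'answered' (probe replied to)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if mode == "portal":
                # A captive portal intercepts every HTTP request, the probe included.
                self.send_response(302)
                self.send_header("Location", "https://portal.example.invalid/guest/login")
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            # 'open': the real page is reachable; 'answered': the network replies itself (assumption).
            self.send_response(200)
            self.send_header("Content-Length", str(len(SUCCESS)))
            self.end_headers()
            self.wfile.write(SUCCESS)
        def log_message(self, *args):  # keep the demo output quiet
            pass
    return Handler

def cna_verdict(host, port):
    """Return 'open' if the probe sees the expected page, else 'captive' (CNA window opens)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=2)
        conn.request("GET", PROBE_PATH, headers={"Host": "www.apple.com"})
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return "captive"   # no usable response: a portal is assumed
    if resp.status == 200 and b"Success" in body:
        return "open"      # expected page came back: no CNA window
    return "captive"       # redirect or other content

def run_case(mode):
    server = http.server.HTTPServer(("127.0.0.1", 0), make_handler(mode))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return cna_verdict("127.0.0.1", server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for mode in ("open", "portal", "answered"):
        print(mode, "->", run_case(mode))
```
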
Occasional Contributor II
Posts: 11
Registered: ‎03-07-2012

Re: ClearPass two stage authentication with Cisco controller

thanks it works

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: ClearPass two stage authentication with Cisco controller

Hello;

Sorry to give new life but just wanted to ask to see how you integrated CPPM with Cisco WLC. ACL? Vlan? Other? Doing 802.1x or using Clearpass Guest?

Any hurdles? Or features you want?