Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Captive Portal with Active Directory Repository

  • 1.  ClearPass Captive Portal with Active Directory Repository

    Posted Aug 11, 2016 04:59 PM

    I would like to be able to configure a Web Login page to use my AD Auth Source instead of the Guest repository. Is this possible?

    We have an Instant VC with PSK network. We need to get policy from ClearPass based on AD user credentials. 802.1x unfortunately is not an option. My solution is to configure Captive Portal redirect on the PSK SSID, have the Web Login page (cap portal) auth against AD and then pass back a User Role to the VC.

    Maybe I am going about this in the wrong way?



  • 2.  RE: ClearPass Captive Portal with Active Directory Repository

    EMPLOYEE
    Posted Aug 11, 2016 05:01 PM

    Yes, you can. This is a common deployment.



  • 3.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 11, 2016 05:06 PM

    I am having a hard time figuring out how to configure the Web Login page. How do I tell it to use the AD Auth source defined in CPPM?

    I did configure my 'User Auth with MAC Caching' service with the AD Repository.

    I configured the Web Login page 'Pre-Auth Check' to use RADIUS. This does then pass my credentials to CPPM and hits the service. The Service does successfully Auth me. The Captive Portal Page however returns an error "Login error. Please Retry" and I don't make it past the portal on the device.

    What am I missing?



  • 4.  RE: ClearPass Captive Portal with Active Directory Repository

    EMPLOYEE
    Posted Aug 11, 2016 05:09 PM
    https://ase.arubanetworks.com/solutions/id/37

    Replace the guest user repository with AD


  • 5.  RE: ClearPass Captive Portal with Active Directory Repository

    EMPLOYEE
    Posted Aug 11, 2016 05:13 PM

    For the pre-auth check, use an application auth and create an app auth service in CPPM. Simply return [Allow Access Profile] for users that are allowed to auth.

    After the pre-auth, the web login will submit through the user's browser through the controller and hit your RADIUS enforcement service.



  • 6.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 11, 2016 05:29 PM

    Thanks Tim.

    I created an App Auth Service but the service is not hit when a pre-auth attempt is made. The pre-auth has virtually nothing listed in the input tab besides a user name... therefore it can't make a match on the App Auth Service...



  • 7.  RE: ClearPass Captive Portal with Active Directory Repository

    EMPLOYEE
    Posted Aug 11, 2016 05:48 PM

    Just do an App Auth service with no service rules and it should catch it at the bottom. It will then reveal more attributes in Access Tracker that can be used to isolate the request.



  • 8.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 11, 2016 05:56 PM

    Getting closer! I get a Success in Access Tracker but I still get the 'Login error. Please Retry' on the device attempting to Auth.

    You stated to pass back "Allow Access Profile" in the Service. Since it is an Application service, I was only able to create an "Allow Application Access Profile" Profile. Maybe that is where it is going wrong?



  • 9.  RE: ClearPass Captive Portal with Active Directory Repository

    EMPLOYEE
    Posted Aug 11, 2016 06:04 PM
    No, that's correct. Is pre-auth working? (After you click login, are you taken to the IAP's login URL?)


  • 10.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 11, 2016 06:07 PM

    No, it just returns me back to the Captive Portal login screen with the error displayed at the top.



  • 11.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 12, 2016 10:36 AM

     

    If you configure your Web Login page using RADIUS, make sure that your RADIUS service has Active Directory as your Authentication/Authorization Source.



  • 12.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 12, 2016 10:52 AM

    Yes, AD is set as a source. I can successfully authenticate (Access Tracker shows success and did auth against AD), however the Captive Portal page on the client device comes back with the error posted in the picture (post I sent last night).



  • 13.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 12, 2016 11:09 AM
    Do you see the device getting that user role on the VC?

    Can you browse after the failure? If you are able, try adding a 5 sec delay to the page and see if it helps.


  • 14.  RE: ClearPass Captive Portal with Active Directory Repository
    Best Answer

    EMPLOYEE
    Posted Aug 12, 2016 11:14 AM
    Do you have 3 services?



    1 MAC-authentication service for subsequent authentications via MAC-caching

    1 Application authentication service for processing the pre-auth request

    1 RADIUS enforcement generic for processing the actual web login from the client through the IAP once the pre-auth check has passed.


  • 15.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 12, 2016 11:38 AM

     

    I think I found the issue. One of the services was out of order and it was not matching on the ESSID properly. So the wrong service was catching the authentication.

    Technically, we took a different direction than doing Captive Portal with Auth Against AD. I had the exact same issue with the client error with a standard captive portal however. Once I put the ESSID on our 802.1x service, the issue was fixed.



  • 16.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Aug 12, 2016 11:41 AM

    And thank you all very much for the assistance!!



  • 17.  RE: ClearPass Captive Portal with Active Directory Repository

    Posted Jul 08, 2017 09:50 PM

    Could you tell me how you did it, please?