MVP
Posts: 105
Registered: ‎01-27-2016

Clearpass Captive Portal with Active Directory Repository

I would like to be able to configure a Web Login page to use my AD Auth Source instead of the Guest repository. Is this possible?

We have an Instant VC with PSK network. We need to get policy from Clearpass based on AD user credentials. 802.1x unfortunately is not an option. My solution is to configure Captive Portal redirect on the PSK SSID, have the Web Login page (cap portal) auth against AD and then pass back a User Role to the VC.

Maybe I am going about this in the wrong way?

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Clearpass Captive Portal with Active Directory Repository

Yes, you can. This is a common deployment.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 105
Registered: ‎01-27-2016

Re: Clearpass Captive Portal with Active Directory Repository

I am having a hard time figuring out how to configure the Web Login page. How do I tell it to use the AD Auth source defined in CPPM?

I did configure my 'User Auth with MAC Caching' service with the AD Repository.

I configured the Web Login page 'Pre-Auth Check' to use RADIUS. This does then pass my credentials to CPPM and hits the service. The Service does successfully Auth me. The Captive Portal Page however returns an error "Login error. Please Retry" and I don't make it past the portal on the device.

What am I missing?

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Clearpass Captive Portal with Active Directory Repository

https://ase.arubanetworks.com/solutions/id/37

Replace the guest user repository with AD
Thank You,
Troy

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Clearpass Captive Portal with Active Directory Repository

For the pre-auth check, use an application auth and create an app auth service in CPPM. Simply return [Allow Access Profile] for users that are allowed to auth.

After the pre-auth, the web login will submit through the user's browser through the controller and hit your RADIUS enforcement service.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 105
Registered: ‎01-27-2016

Re: Clearpass Captive Portal with Active Directory Repository

Thanks Tim.

I created an App Auth Service but the service is not hit when a pre-auth attempt is made. The pre-auth has virtually nothing listed in the input tab besides a user name... therefore it can't make a match on the App Auth Service...

[Screenshot: appauth.png]

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Clearpass Captive Portal with Active Directory Repository

Just do an App Auth service with no service rules and it should catch it at the bottom. It will then reveal more attributes in Access Tracker that can be used to isolate the request.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 105
Registered: ‎01-27-2016

Re: Clearpass Captive Portal with Active Directory Repository

[Screenshot: appauth2.png]

Getting closer! I get a Success in Access Tracker but I still get the 'Login error. Please Retry' on the device attempting to Auth.

You stated to pass back "Allow Access Profile" in the Service. Since it is an Application service, I was only able to create an "Allow Application Access Profile" Profile. Maybe that is where it is going wrong?

Guru Elite
Posts: 8,323
Registered: ‎09-08-2010

Re: Clearpass Captive Portal with Active Directory Repository

No, that's correct. Is pre-auth working? (After you click login, are you taken to the IAP's login URL?)

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 105
Registered: ‎01-27-2016

Re: Clearpass Captive Portal with Active Directory Repository

No, it just returns me back to the Captive Portal login screen with the error displayed at the top.

[Screenshot: Screenshot_20160811-180512.png]
