Security

I've seen several past discussions (can't seem to locate the correct key term to find the posts again) about the importance of the "HTTP Get URL" that is generated from the redirect (mac, ip, user-name, access-point, original website, etc). I'm trying to understand more of the importance of it and what's actually occuring if the information happens to be absent due to the user navigating away and returning later. 

Brief Background

--ArubaOS 6.5.0.4 Controllers with Clearpass as External Captive Portal)--
We just recently consolidated our open SSIDs into a single SSID to serve three purposes (guest access, setup access, and non-802.1x-streaming access) with Clearpass returning a role for guest and non-802.1x -> this is working wonderfully. The issue we ran into was setting the redirect to a web page with three links to choose an option they wanted to use (guest, setup, streaming) - *what we discovered was the URL information was getting stripped and causing issues (I was absent that week). We got around this by have clients redirected to the "Guest Login" page that preserves the URL information - which also contain two additional links to either setup your 802.1x device or to register a streaming device.

The one behavior I've seen during my test was if I happen to hit the captive-portal with the URL information stripped (Either Bad Password - or Request an Account) -> if I submit my guest credentials -> I will get stuck on the "certificate-CN" with a blank page but I do pass authentication -> which I believe makes sense since Clearpass/Controller is missing the original site i was redirected from --> However, if I navigate to any website - it appears I have no issues accessing the internet.

On the initial splash page, append this to all of the links:

?{$smarty.server.QUERY_STRING|escape}

This will pass the URL parameters off to the other pages.

---

@cappalli wrote:

On the initial splash page, append this to all of the links:

?{$smarty.server.QUERY_STRING|escape}

This will pass the URL parameters off to the other pages.

---

Hi Tim,

Is that appending normally necessary for self registration (even if we weren't providing links to three separate services)?

Step 1 - Client associates to an http site and is redirected to https://wireless.test.edu/guest/login.php?cmd=login&(mac, ip, user-name, access-point, original website)&_browser=1
Step 2 - Client clicks on "Need an account? Click_Here" -> https://wireless.test.edu/guest/self.php?_browser=1

(Information gets stripped)
Step 3 - Guest account is registered and presented with "Click here to go to the login page" -> https://wireless.test.edu/guest/login_test.php (where information is also missing)

Also if a guest submits wrong username or password - page updates (appears to refresh from end-user perspective) - URL changes to - https://wireless.test.edu/guest/login_test.php?errmsg=Authentication failed&_browser=1 with information stripped.

Sorry if odd questions - Clearpass is administratred by another another group and I've heard mixed things where it "breaks" this but not that - yet from my perspective on the wireless side - doesn't appear to matter as long as we send authenticated users to a landing page post authentication in the Captive Portal Authentication Profile - Redirect URL.

Did you get this resolved? I'm having a similar issue where we send a user directly to a Web Login page on ClearPass with a url link, and I cannot figure out how to get their MAC address. We want to be able to "tag" them if they complete this Web Login so that the next time they do MAC auth we can apply a different Aruba role and VLAN.

Thanks.