Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Clearpass Guest Captive Portal exceptions?

Hi:

Is there a way to allow users who connect to the Clearpass Guest captive portal to access another website? (without acquiring guest credentials)

 

We have a password manager web app setup that allows students to reset their password.

If they could get there from the Guest network captive portal, it would allow them to easily reset their password before connecting to the dot1x network. (and save on helpdesk calls)

 

I've tried adding a firewall rule to the captive portal role that allows this access, but the captive portal keeps redirecting.

 

Thanks,

Tony

 

 

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Clearpass Guest Captive Portal exceptions?


Yes. Create a netdestination with the domain name and then add it to the whitelist in the captive portal profile.

 

Once you click apply on the captive portal profile, it will dynamically build an ACL that allows 80/443 to that destination and put it at the top of the user-role.

 



Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Clearpass Guest Captive Portal exceptions?

Hi Tim:

Thanks for the reply.

 

I added the destination to the whitelist, but I'm still getting redirected.

 

I can ping the server, so I know it's not a routing issue.

 

Is there anything else that needs to be set?

 

Thanks.

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Clearpass Guest Captive Portal exceptions?

In your netdestination, did you do DNS names or IPs? If names, be sure your controller has DNS lookups enabled and has DNS servers defined.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Clearpass Guest Captive Portal exceptions?

I used an IP address.

(the controller won't allow me to enter a name)

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Clearpass Guest Captive Portal exceptions?

If you run:

show rights

Do you see the white-list ACL at the top?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Clearpass Guest Captive Portal exceptions?

Here's the output:

(I'm not sure where the apple.com came from, but that's not causing any harm at this point)

Thanks.

 

(ArubaMaster) #show rights Guest-cp-prof

Derived Role = 'Guest-cp-prof'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 78/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = Guest-cp-prof

access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 Guest-cp-prof_list_operations session

Guest-cp-prof_list_operations
----------------------------------
Priority Source Destination Service Action TimeRange Log Expired Queue TOS 8021P Blacklist Mirror DisScan ClassifyMedia IPv4/6
-------- ------ ----------- ------- ------ --------- --- ------- ----- --- ----- --------- ------ ------- ------------- ------
1 user apple.com svc-http permit Low 4
2 user apple.com svc-https permit Low 4
3 user pwmanager svc-http permit Low 4
4 user pwmanager svc-https permit Low 4

Expired Policies (due to time constraints) = 0

Guru Elite
Posts: 8,182
Registered: ‎09-08-2010

Re: Clearpass Guest Captive Portal exceptions?

Interesting. Can you check the datapath session table while you are trying to visit the site?

show datapath session table | include

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Clearpass Guest Captive Portal exceptions?

Interesting:

It looks like traffic is getting there and back, but I keep getting redirected to the CP.

 

(ArubaLocal1) #show datapath session table | include 172.16.243.65
172.31.0.104 172.16.243.65 6 443 51939 0/0 0 0 5 tunnel 56 51 0 0
172.16.243.65 172.31.0.104 6 51939 443 0/0 0 0 4 tunnel 56 52 0 0 C

Frequent Contributor II
Posts: 143
Registered: ‎07-27-2012

Re: Clearpass Guest Captive Portal exceptions?

Thanks for your persistence on this.

 

It turned out that the site I was redirecting to was doing a re-direction of its own, which then triggered the captive portal redirect, all too quickly for me to spot.

 

Thanks again,

 

Tony
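
The root cause found in this thread (the whitelisted site issuing its own redirect to a destination the whitelist does not cover) can be checked from a machine that is not behind the captive portal. The following is an added example, not part of the original thread: it follows HTTP 3xx redirects hop by hop and flags every hop whose host or port the whitelist ACL would not permit. The hostnames and the sample chain are constructed, and it assumes the whitelist is expressed as hostnames.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def fetch_location(url, timeout=5):
    """One HEAD request, redirects not followed: returns (status, Location or None)."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace(url, allowed_hosts, fetch=fetch_location, max_hops=10):
    """Walk the redirect chain; return [(url, permitted)] for every hop visited."""
    hops = []
    for _ in range(max_hops):
        p = urlsplit(url)
        port = p.port or (443 if p.scheme == "https" else 80)
        # The whitelist ACL only permits svc-http/svc-https to listed destinations.
        permitted = (p.hostname or "").lower() in allowed_hosts and port in (80, 443)
        hops.append((url, permitted))
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)  # Location may be relative
    return hops

def blocked_hops(url, allowed_hosts, fetch=fetch_location):
    """URLs in the chain that an unauthenticated guest could not reach."""
    return [u for u, ok in trace(url, allowed_hosts, fetch) if not ok]

# Constructed sample chain (hypothetical hostnames): the whitelisted app
# bounces to a login host that is not on the whitelist.
SAMPLE_CHAIN = {
    "http://pwmanager.example.edu/": (301, "https://pwmanager.example.edu/"),
    "https://pwmanager.example.edu/": (302, "https://sso.example.edu/login"),
}

def sample_fetch(url):
    return SAMPLE_CHAIN.get(url, (200, None))

if __name__ == "__main__":
    start, allowed = "http://pwmanager.example.edu/", {"pwmanager.example.edu"}
    for hop, ok in trace(start, allowed, sample_fetch):
        print("permit  " if ok else "REDIRECT", hop)
```

Only HTTP 3xx redirects are followed; a redirect done by JavaScript or a meta refresh will not show up in the chain. For an IP-based netdestination, resolve each hop's hostname before comparing.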

 
