Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clearpass Guest - Sponsor lookup

  • 1.  Clearpass Guest - Sponsor lookup

    Posted Aug 05, 2013 07:52 AM

    Has anyone had success in getting sponsor lookup working?

     

    I'm trying to do what I would assume must be a pretty common configuration: to save the guest from needing to know their sponsor's e-mail address by allowing them to start typing the name of an employee in our organisation, and have the self-registration page auto-complete with a list of matching names from AD and then use the e-mail address for the "sponsor_email" field.

     

    The functionality seems rather confused and not well documented.

     

    Progress so far:

    AUTHENTICATION SERVER (Guest->Administration->Operator logins->Server)

    Server Type:MS Active Directory

    User search Display Attributes:

         mail = id
         displayName = text

    Sponsor lookup attribute mapping:

         sponsor_name | displayName
         sponsor_email | mail     
         sponsor_lookup | mail

     

    This seems to work and can lookup names in our AD and return e-mail addresses.

     

    SELF-REGISTRATION PAGE (Guest->Configuration->Guest self-registration->Register page Form)

    replaced "sponsor_email" field with "sponsor_lookup"

    In advanced properties of this form:

    Select2 Options: ajax.args.server = [name of authentication server above]

     

    This also works. When I test the form itself from a PC on our LAN, it looks up the name, shows that display name and sends the request to the corresponding e-mail address.

     

    HOWEVER, when testing wireless access using the access point and captive portal process itself, the page shows but lookup seems to hang without returning anything. The ajax control just shows "Searching..." with the animated rotating icon forever.

     

    I have the AP security set to use a pre-authentication role but for testing I've opened this to access to anything so I don't think the problem is AP security.

     

    Oddly, if I type the full url of the self-registration page (https:[ClearpassIP]/guest/self_reg_page.php) into the browser of the wireless device, the lookup DOES return results. It's just when the page is redirected as part of the captive portal process that the lookup seems to hang.

     

    Any suggestions, or general tips of getting sponsor lookup for self-registration working would be a HUGE help!

     

     

     



  • 2.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 05, 2013 03:33 PM

    Are you seeing any certificate errors or other issues when loading the page?

     

    From your description, it seems like you have the sponsor lookup function configured correctly and working as intended.

     

    Check that your captive portal redirect URL includes the proper hostname for the CPPM server.  Also check that the CPPM server certificate matches this hostname.

     

    If you suspect an SSL issue, you can try turning off HTTPS and using regular HTTP – this should work without any issues.



  • 3.  RE: Clearpass Guest - Sponsor lookup

    MVP
    Posted Aug 07, 2013 09:41 AM

    Did you actually find a doc somewhere that explained this?  I've searched the manual but could not find anything, and the release notice that mentions this has no detail whatsoever.

     

    Earlier I did find out about lookup of airgroup lookups, which had a bunch more settings in the select2 options and select2 hook fields. http://community.arubanetworks.com/t5/Video/Video-ClearPass-Advanced-Configuration-Topics/ta-p/84424

     

    Now regardless of using your 'basic' config or the added select2 stuff.. it simply won't look anything up.

    I'm guessing the authentication server is configured properly since I can perform a search and find everything I want. When I do a lookup however I always receive an error.



  • 4.  RE: Clearpass Guest - Sponsor lookup

    EMPLOYEE
    Posted Aug 08, 2013 06:30 PM

    In 6.2, we made this easier with a new field you can use in the sponsored registration called "sponsor_lookup".  Use that vs. sponsor_name in the registration form.

     

    This is reliant on an LDAP lookup into AD or directory.

     

    Screen Shot 2013-08-08 at 6.24.31 PM.png



  • 5.  RE: Clearpass Guest - Sponsor lookup

    EMPLOYEE
    Posted Aug 09, 2013 08:20 AM
    I forgot to mention that you must add your active directory or other LDAP server in the administration section.


  • 6.  RE: Clearpass Guest - Sponsor lookup

    MVP
    Posted Aug 09, 2013 08:24 AM

    Thanks, but the ldap server is active.

    When I do a 'test lookup' there and select 'search' I get results. When I select 'lookup', however, I always get the same 'error':

    array (
      'error' => 1,
      'errors' =>
      array (
        8 =>
        array (
          'error' => 1,
          'message' => 'Lookup failed',
        ),
      ),
    )

     

     

    Have opened a TAC case to get to the bottom of it.



  • 7.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 09, 2013 09:56 AM

    koenv, if it helps, I don't think this lookup test is necessary for the sponsor lookup to work.

     

    My sponsor lookup is working, but I am getting the same error as you when I try a test lookup in the LDAP server set up:

     

    Test: Perform a lookup test

    Search mode: Perform a lookup ----> FAILS

    Search mode: Perform a search----> SUCCESS

     

     



  • 8.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 05:58 AM

    Here are the screenshots of the problem I'm getting with sponsor lookup.

    My best guess is that it's caused by a problem with the way the ajax control is written that causes the lookup to fail if the page was loaded due to a captive portal redirection.

     

    1. WITH CAPTIVE PORTAL REDIRECTION

    A wireless client connects to the SSID, tries to browse to a web page and is redirected to self-registration.

    (note the address bar shows the intended URL)

     

    lookup1.png

     

    Lookup just hangs and the browser (in this case IE8 but I've tested with IE9, Chrome and Firefox) shows a page error.

    The error, bottom left, is:

     

    lookup2.png

     

    Line 876 in the page's source is:

    x.open(request_type, uri, true);

     

    2. WITHOUT CAPTIVE PORTAL REDIRECTION

    Same wireless client.

    Having hit this error, if I manually type the true URL of the self-registration page:

    (note the address bar now shows the true self-reg URL)

     

    lookup3.png

     

    It works. No page error!

     

    Any suggestions for what I can change myself to get captive portal sponsor lookup working?

     



  • 9.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 12:21 PM

    Update.

     

    The only workaround I can find for this issue is for captive portal redirection to point to the login page, rather than the self-registration page, first.

     

    Then the guest must click a link to get to the self-registration page (that contains this ajax sponsor lookup control).

     

    In doing this, the URL in the address bar matches the true page address and lookup works.



  • 10.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 01:49 PM

    What is the captive portal you are using?  Are you using Aruba Instant?



  • 11.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 05:48 PM

    Yes, Aruba Instant.



  • 12.  RE: Clearpass Guest - Sponsor lookup

    MVP
    Posted Aug 14, 2013 04:00 AM

    Just a quick FYI, managed to get my field working by going back to the default skin. Apparently the custom skin screwed up showing the dynamic part of the lookup field. Now running into the same issue as http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Guest-log-in-error-after-sponsor-lookup/td-p/91926

     



  • 13.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 14, 2013 04:11 AM

    Thanks koenv. Yes, that second problem is me too.

    Good to know I'm not the only one struggling to get sponsor lookup working.

    Hopefully a patch or update will remedy the problem soon.



  • 14.  RE: Clearpass Guest - Sponsor lookup

    MVP
    Posted Aug 14, 2013 04:15 AM

    "The Sponsor Name lookup works in the Guest Registration page but when we try to click on login we were getting an error, “-:NwaLdapSponsorUserSearchAjax not callable" . We have opened a bug # 17021 and as per the bug tracker, the issue will be resolved with the next patch but ETA is currently not available. I shall get back to you whenever I have the Release date."



  • 15.  RE: Clearpass Guest - Sponsor lookup

    MVP
    Posted Aug 26, 2013 04:35 AM

    From TAC:

    "The patch that contains the fix for this case is due to be released on Sept 11, 2013. "



  • 16.  RE: Clearpass Guest - Sponsor lookup
    Best Answer

    EMPLOYEE
    Posted Sep 13, 2013 05:59 PM
    Just an FYI: 6.2 patch 1 was released today and it fixes the issue with sponsor lookup.


  • 17.  RE: Clearpass Guest - Sponsor lookup

    Posted Sep 16, 2013 05:40 AM

    Confirmed. After applying the patch, this problem is solved.



  • 18.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 09, 2013 09:49 AM

    Thanks for your replies.

     

    I have the sponsor_lookup field working; the steps I took to get there are described in my first post.

     

    First question: Is there no documentation for the use of this new field - and sponsor lookups in general? It took a lot of trial and error to get there which could have been avoided with some decent tech notes.

    Sounds like this would help koenv too.

     

    Second question: going back to my original problem, I have the sponsor lookup working perfectly when I test it from a LAN connected computer by going to the URL https:[ClearpassIP]/guest/self_reg_page.php

     

    However, when I test it on an actual wireless client, the browser is correctly redirected to the captive portal page, everything looks fine, BUT....

    the sponsor lookup just hangs on search, without finding anything.

    At this point, the address showing in the browser's address bar, is the user's intended page, e.g. www.google.com

     

    The really strange thing is that if I change this to https:[ClearpassIP]/guest/self_reg_page.php, the captive portal page reloads with no apparent difference BUT...

    the sponsor lookup now works!

     

    So why isn't it working on captive portal redirection?

     

    I think I have eliminated the possibility this could be due to a restriction on the controller. We are using Instant APs. The Virtual controller is set as follows (weakened security for testing):

     

    ---------------------------------------

    3. Security

    Splash: External RADIUS Authentication

    Auth server: clearpass

    Re-auth interval: 0 hrs

    Accounting: Enabled

    Acc int. 10 mins

    Blacklisting: Disabled

    Encryption: enabled

    WPA-2 8-63 chars

    External splash: [clearpassIP]

    URL: /guest/self_reg_page.php

    port: 80

    capt portal failure: deny internet

    automatic whitelisting: disabled

     

    4. Access

    Unrestricted

    ---------------------------------------

     

    So is there something I can change in Clearpass manager (maybe Configuration->Services->Guest Access - Web Login Pre-Auth??)

    or something in Clearpass Guest that I can change to get this working?