Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CoA WebAuth

  • 1.  CoA WebAuth

    Posted May 26, 2016 04:24 PM

    Hi Everyone,

     

    I have ClearPass set up to authenticate a user against our AD (after getting a captive portal following a failed MAC AUTH attempt), and once I have done that I want to send a CoA request back to the controller.

     

    The trouble is that as far as I can see, when the request comes in (as seen in the Access Tracker) its type is "Application" and therefore there is no "Access Device IP/Port:" listed in the request, as the source is local. So when I apply a CoA Enforcement policy it never fires, and I am assuming this is because ClearPass doesn't know where to send it?

     

    So, please could someone help me out and confirm whether it is possible to specify a destination for a CoA Enforcement profile.

     

    I can see the IP address of the NAD device in the original request in another variable for the item - Application:WebLoginURL:portal_ip.

     

    Hope this makes sense, thanks for your help.



  • 2.  RE: CoA WebAuth

    Posted May 29, 2016 01:16 PM

    Nobody!?



  • 3.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 01:27 PM
    Is the MAC address available in the url redirect to the web login page? 


  • 4.  RE: CoA WebAuth

    Posted May 29, 2016 01:29 PM

    Hi Tim,

     

    Yes, I have the MAC Address - I have all of the info needed to make the request.

    But how do I specify a destination IP for the CoA request?

     

    Thanks,

     

    Jaggie



  • 5.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 01:32 PM
    You don't. It happens automatically based on session/authentication data. 

    Are you able to manually perform a CoA via access tracker? 


  • 6.  RE: CoA WebAuth

    Posted May 29, 2016 01:35 PM

    Ah ok,

     

    No, I cannot make a CoA request from the access tracker as it is greyed out.

     

    Just to confirm that I definitely have CoA active on the NAD: I can make a disconnect request via the guest admin portal but not via access tracker.

     

    Thanks,

     

    Jaggie



  • 7.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 01:39 PM

    So, what are you trying to do?

    You have a user that fails mac auth, so that user gets the captive portal.  You would then want to authenticate that user, right?

     



  • 8.  RE: CoA WebAuth

    Posted May 29, 2016 01:46 PM

    Yep,

     

    The user is then authenticated via the guest module against AD.

     

    If the user is authed correctly then we should send a CoA request to the NAD.

     

    The trouble is that the CoA request never fires.

     

    Cheers,

     



  • 9.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 01:49 PM

    Wait, if the user is authenticated correctly, why would you send a COA?  The user is just authenticated and goes on his merry way.  A COA is typically sent for a user that is already authenticated that you want to change their status if they use too much bandwidth or they go over their allotted time.



  • 10.  RE: CoA WebAuth

    Posted May 29, 2016 01:54 PM

    Hi,

     

    I might want to add this is not for an ARUBA controller but a Juniper (trapeze) WLC.

     

    The AD auth happens on ClearPASS so there has to be something returned to the controller to take the user out of the walled garden and for them to continue?? unless I am missing something big!

     

    I know with an ARUBA controller the Guest module makes a POST request to the controller, and then the controller makes another auth request with the assigned username and password, and then they get their new attributes and can surf etc.



  • 11.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 01:58 PM

    Just trying to follow along here, do you have following option set on your ClearPass web page settings?

     

    Screenshot 2016-05-29 at 12.56.48.png

     

     



  • 12.  RE: CoA WebAuth

    Posted May 29, 2016 02:07 PM

    Yep, that's it.

     



  • 13.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 02:11 PM

    Well, did you get http submit to work, before trying the more difficult RFC 3576?  If that doesn't work, you might have a few more steps that you would have to take.



  • 14.  RE: CoA WebAuth

    Posted May 29, 2016 02:15 PM

    As far as I know there is no facility to make HTTP POST requests in order to change user info on the Juniper controller, so CoA is the only option.

     



  • 15.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 02:22 PM

    The screenshot  that I showed you says that method is available for a Trapeze device.  Wouldn't it be difficult if Trapeze required COA functionality just to do captive portal?



  • 16.  RE: CoA WebAuth

    Posted May 29, 2016 02:26 PM

    Err, to be honest I have never seen it in the docs before (although that doesn't mean that it doesn't exist!) and I have done a previous implementation using CoA.

     

    I will do some research to see if I can find anything on it.

     

    Thanks,



  • 17.  RE: CoA WebAuth

    Posted May 29, 2016 02:45 PM

    I can find zero documentation about any API that ClearPass could use... :(

     

    I will have to try tomorrow, but without any guides it is going to be difficult to troubleshoot.

     

    This should be possible via CoA though right?



  • 18.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 02:53 PM

    HTTP post/submit is very standard and is what most manufacturers use for Captive Portal authentication.  It is fairly straightforward and does not require an API.  It is a standard.

     

    COA would require correct configuration on your Trapeze device, but it would also require correct CoA configuration of the device in ClearPass under Network > Devices.

    Screenshot 2016-05-29 at 13.51.31.png
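    As an added illustration (not code from this thread, from ClearPass or from Juniper), the following Python builds an RFC 5176 Disconnect-Request the way a RADIUS server would and then validates it the way the NAD does. It makes concrete why the CoA entry under Network > Devices matters: the sender needs the NAD's address and the shared secret to compute the Request Authenticator and Message-Authenticator, and the NAD rejects any packet whose authenticators do not match its copy of the secret. The NAD address, MAC, user name and secret are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST = 40  # RFC 5176 packet code for Disconnect-Request
ATTR_USER_NAME, ATTR_NAS_IP, ATTR_CALLING_STATION, ATTR_MSG_AUTH = 1, 4, 31, 80
HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator


def _avp(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type-Length-Value (Length covers the 2-byte header)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret: bytes, nas_ip: str, mac: str, user: str, ident: int = 1) -> bytes:
    """Build a Disconnect-Request keyed on NAS-IP-Address, Calling-Station-Id and User-Name."""
    attrs = (_avp(ATTR_USER_NAME, user.encode())
             + _avp(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _avp(ATTR_CALLING_STATION, mac.encode()))
    length = HEADER.size + len(attrs) + 18  # 18 = Message-Authenticator TLV
    zero_hdr = HEADER.pack(DISCONNECT_REQUEST, ident, length, bytes(16))
    # RFC 5176 s3.2: HMAC-MD5 over the packet with the Request Authenticator and
    # the Message-Authenticator value both treated as sixteen zero octets.
    msg_auth = hmac.new(secret, zero_hdr + attrs + _avp(ATTR_MSG_AUTH, bytes(16)), hashlib.md5).digest()
    attrs += _avp(ATTR_MSG_AUTH, msg_auth)
    # RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length+16 zeros+attrs+secret)
    req_auth = hashlib.md5(zero_hdr + attrs + secret).digest()
    return HEADER.pack(DISCONNECT_REQUEST, ident, length, req_auth) + attrs


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """NAD-side check: code, length and both authenticators must validate under the shared secret."""
    if len(packet) < HEADER.size:
        return False
    code, ident, length, req_auth = HEADER.unpack_from(packet)
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    attrs = packet[HEADER.size:]
    zero_hdr = HEADER.pack(code, ident, length, bytes(16))
    if not hmac.compare_digest(hashlib.md5(zero_hdr + attrs + secret).digest(), req_auth):
        return False
    pos = 0  # walk the TLVs to locate Message-Authenticator and rebuild the zeroed image
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return False
        if atype == ATTR_MSG_AUTH and alen == 18:
            zeroed = zero_hdr + attrs[:pos + 2] + bytes(16) + attrs[pos + alen:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, attrs[pos + 2:pos + alen])
        pos += alen
    return False  # no Message-Authenticator present: reject
```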



  • 19.  RE: CoA WebAuth

    Posted May 29, 2016 02:56 PM

    I will have to check tomorrow.

     

    I do have CoA working, as I can send a disconnect request via the guest admin portal and I can then see this in the access tracker. I just cannot launch a CoA request from the access tracker directly.

     

    Thanks for your help so far...



  • 20.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 03:23 PM
    There is a special CoA config required for Juniper WLCs. Please reach out to
    your Aruba ClearPass partner.


  • 21.  RE: CoA WebAuth

    Posted May 29, 2016 03:31 PM

    Hi Tim,

     

    Thanks for this. I have ARUBA Care so no partner but can open a case directly.

     

    Do you know where this special config needs to be applied? CoA does work on the Juniper Controller, as witnessed by being able to send disconnect requests.

     

    Do you have any more info that could help me in opening the case?

     

    Thanks,

     

    Jaggie



  • 22.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 03:41 PM
    The custom configuration is applied in ClearPass due to some different
    attributes that the Juniper controller requires.


  • 23.  RE: CoA WebAuth

    Posted May 29, 2016 03:44 PM

    Ok great thanks,

     

    Do you have any reference that I can give to the support so that they will know what I am talking about straight away, rather than me having to explain (I have tried once already!)?


    Thanks,

     



  • 24.  RE: CoA WebAuth

    EMPLOYEE
    Posted May 29, 2016 03:46 PM
    "ClearPass Guest on Juniper WLC"


  • 25.  RE: CoA WebAuth

    Posted May 29, 2016 03:48 PM

    Sounds good,

     

    Will open a case tomorrow.

     

    Cheers for your help.

     

    Will update here for others in the future.



  • 26.  RE: CoA WebAuth

    Posted Mar 01, 2018 09:35 AM

    Did you manage to get this working? - We're trying to do the same and running into issues.