
External captive portal on 7210 with AP-225

  • 1.  External captive portal on 7210 with AP-225

    Posted Nov 05, 2015 01:10 AM

    Hi,

     

    This might be a rookie question, but I can't seem to find much info on how to set up my 7210s to use an external captive portal for a guest SSID? We have a ClearPass server that works great with the Cisco WiSM controllers, and I'm now migrating the SSIDs over to the Aruba solution, but haven't issues with the guest SSID.

     

    What we want to accomplish is this: the user connects to the SSID and gets forwarded to the ClearPass (https://guestportal.customerx.no/guest/cust_guest.php). On that page, they enter their name/cell phone/who they are visiting. That person approves/rejects it, and the user can log on with the credentials when the person they are visiting has approved it through the same portal. The problem is I never even get redirected.

     

    I tried under Security - Authentication - L3 - Captive Portal - adding the Welcome page and Login page with the full URL, to no avail. Also added the "add switch ip" for good measure. Just seems like this isn't enough? I have added the DNS and host to the ACL for the SSID to allow traffic to the portal. Any ideas?


    #AP225


  • 2.  RE: External captive portal on 7210 with AP-225

    EMPLOYEE
    Posted Nov 05, 2015 03:26 AM

    What role are the users in when they should be being redirected?

     

    show rights <role name>



  • 3.  RE: External captive portal on 7210 with AP-225

    Posted Nov 05, 2015 03:32 AM

    Defaults to Guest. They connect, get an IP, but when I open a browser and try to go to www.something.com nothing happens. I have an ACL to allow traffic to the portal.



  • 4.  RE: External captive portal on 7210 with AP-225
    Best Answer

    EMPLOYEE
    Posted Nov 05, 2015 05:33 AM

    Please see the ASE solution here:  (requires Aruba Support Contract)  https://ase.arubanetworks.com/solutions/id/3



  • 5.  RE: External captive portal on 7210 with AP-225

    Posted Nov 06, 2015 04:08 AM

    That did the trick for the redirect part, as I'm now seeing the self-service portal. The problem now is that when I click the login form (the account I'm using is active and in the ClearPass guest manager), I get redirected back to the signup/login page. I see no entries coming from the controllers in the access tracker. Any clues? This same setup currently works with the Cisco controllers, and I have created a new self-service portal page for Aruba controllers referencing the Aruba VRRP address in the NAS IP, and pointing to this page on the Aruba controllers. I see that I hit the correct page, but when I log in I get redirected back to the signup/login.



  • 6.  RE: External captive portal on 7210 with AP-225

    EMPLOYEE
    Posted Nov 06, 2015 04:17 AM

    What is your login page configuration?

     



  • 7.  RE: External captive portal on 7210 with AP-225

    Posted Nov 06, 2015 05:48 AM

    Sorry to be a little slow here, but what do you need? Or rather, how do I get the "configuration"? It's set up to use controller-initiated login, NAS IP is 10.20.5.100, the same as the VRRP address. I have checked "add switch ip" on the controllers. The weird thing is that when I click log in, I immediately get redirected back to the login/signup page, and there is no trace of an authentication on the ClearPass guest - seems as if the redirect page after clicking login somehow magically ends up going to 1.1.254.1, which is the NAS IP on the Cisco controllers. But I created a new page for Aruba controllers though, referencing the Aruba NAS IP, and the Aruba page does not once mention the Cisco address - so how is that address still being referenced? Did I inherit something?



  • 8.  RE: External captive portal on 7210 with AP-225

    EMPLOYEE
    Posted Nov 06, 2015 05:53 AM

    You would just screenshot your configuration under "web logins".  Please make sure you have the parameter highlighted below:

    weblogin.png



  • 9.  RE: External captive portal on 7210 with AP-225

    Posted Nov 06, 2015 06:30 AM

    OK, this is weird - I have no weblogin page, just the two different guest self-registration pages. The users register themselves and log in through the portal. This works fine though with the Cisco controllers, am I missing something here? Does the Aruba method require the weblogin page? I do get to the login page as is - it's just the redirect after I hit login that is wrong?



  • 10.  RE: External captive portal on 7210 with AP-225

    EMPLOYEE
    Posted Nov 06, 2015 06:42 AM

    You have a choice:

     

    The end of the Guest Registration Workflow is a login page.  If you create a WEB page, it only involves login.  Let's take a look at your Registration Page:  Edit it and click on the thing that looks like a controller:

    cpass-guest-nas.png

    That should then bring you to a page like this:

    login-page2.png

     

    It should look pretty much like this to work on a basic level.  The only reason why it would not work is if you switched out the controller's Web certificate.  If you did, you would have to change the IP address parameter to the FQDN, instead of "securelogin.arubanetworks.com".  When you click on submit, the controller only intercepts the login when that matches its web certificate...  I hope that gets you somewhere...

     



  • 11.  RE: External captive portal on 7210 with AP-225

    Posted Nov 06, 2015 06:52 AM

    aruba.jpg

     

    So the config is like this. I have not changed the controller cert - but I can't really see that I have any either under administration -> cert. Would any of this create a sort of redirect loop like the one I am seeing?

     

     



  • 12.  RE: External captive portal on 7210 with AP-225
    Best Answer

    EMPLOYEE
    Posted Nov 06, 2015 06:56 AM
    Try changing the IP address to securelogin.arubanetworks.com


  • 13.  RE: External captive portal on 7210 with AP-225

    Posted Nov 06, 2015 07:42 AM

    Didn't help much with the IP address, but I see what's going on now - when I connect to the Aruba guest SSID I get redirected to the Aruba version of the self-registration - but somehow immediately after that the "old" version with the Cisco controller self-registration pops up. So it seems like my Aruba version of the self-registration portal isn't considered "valid" - as if I went towards www.google.com and the controller wants me to go to the portal first. The page on the Cisco controllers has a configured redirect with www.customer.com/guest/guest.php - the new one that is configured on the Aruba is www.customer.com/guest/guest_aruba.php. I see the Aruba version first, then immediately I see the "old" one. I know I'm associated with the Aruba SSID as the SSID is only available there - and the page on the ClearPass guest manager has the correct NAS. This is just very weird, is there a page on the guest manager I haven't edited here? More places the old URL could be lurking in the new version? I did duplicate the "old" portal.



  • 14.  RE: External captive portal on 7210 with AP-225

    Posted Nov 06, 2015 08:56 AM

    Sorry about this, everything you said was correct - the only problem was a BigIP in front of the ClearPass that had its own iRules with a 302 in it. Thanks for all your help!
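
The fault found in the last post (a device in front of ClearPass answering the portal request with its own 302) becomes visible when the redirect chain is read hop by hop. The following is an added example, not part of the thread: it parses a header dump in the shape `curl -sIL` prints and reports which hop redirected away from the expected portal page. The capture, the Server values and the function names are constructed for illustration; the URLs are the ones quoted in the thread.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: one header block per hop, as `curl -sIL` prints them.
# URLs are the ones quoted in the thread; header values are made up.
SAMPLE_CAPTURE = """\
HTTP/1.1 302 Found
Location: https://www.customer.com/guest/guest_aruba.php?mac=00:11:22:33:44:55
Server: controller-placeholder

HTTP/1.1 302 Found
Location: /guest/guest.php
Server: BigIP
Content-Length: 0

HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
"""


def parse_hops(capture, start_url):
    """Split the header dump into one record per hop, tracking the URL asked for."""
    hops, url = [], start_url
    for block in capture.replace("\r\n", "\n").strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        status = int(lines[0].split()[1])          # "HTTP/1.1 302 Found" -> 302
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")   # split at the first colon only
            headers[name.strip().lower()] = value.strip()
        location = headers.get("location")
        # Resolve relative Location values against the URL that was requested.
        target = urljoin(url, location) if location else None
        hops.append({"url": url, "status": status,
                     "server": headers.get("server", "?"), "target": target})
        if target and 300 <= status < 400:
            url = target                           # next hop requests the target
    return hops


def redirects_away_from(hops, expected_path):
    """Hops that were asked for the expected page but redirected somewhere else."""
    return [h for h in hops
            if urlsplit(h["url"]).path == expected_path
            and 300 <= h["status"] < 400
            and h["target"]
            and urlsplit(h["target"]).path != expected_path]
```

Any hop returned by `redirects_away_from` names, through its Server header and position in the chain, the device to inspect before changing the controller or the portal page.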