Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

HPE 5130 - Comware 7 External Portal via ClearPass Guest

  • 1.  HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Mar 02, 2016 10:48 AM

    Hello,

    I have already configured an external self-registration guest portal for an Aruba IAP 105 and it is running successfully.

    Then I tried HPE 5130 802.1X and that is also running successfully. Finally I tried the following: if 802.1X authentication fails, the user drops to the guest/auth-fail VLAN, and that VLAN has portal authentication configured with ClearPass Guest as the external portal. I have a problem when I create the self-registration portal because I couldn't find HPE/H3C (Comware) vendor settings.

    When user authentication fails, users drop to the guest/auth-fail VLAN and are redirected to the ClearPass self-registration page, but when I register a guest and press the login button nothing happens and the same page appears.

    Switch NAS ID: 192.168.2.41

    Radius (ClearPass): 192.168.2.211 (guest.bilgibim.corp)

    My switch configuration is the following:

    ============================================================================

    #
    interface Vlan-interface3
     description *** Bilgibim Guest ***
     ip address 172.16.3.1 255.255.255.0
     dhcp select relay
     dhcp relay server-address 192.168.2.203
     portal enable method direct
     portal apply web-server ClearPass
    #

    #
    interface GigabitEthernet1/0/16
     description ***Aydin KOCAK***
     stp edged-port
     poe enable
     dot1x
     undo dot1x handshake
     dot1x mandatory-domain bilgibim.com.tr
     dot1x port-method portbased
     dot1x re-authenticate
     dot1x guest-vlan 3
     dot1x auth-fail vlan 3
    #

    #
    radius scheme bilgibim
     primary authentication 192.168.2.211 key cipher $c$3$XYsBAKLajI5vmRRy8Momaxpovy2PdEvrOxcr8w==
     primary accounting 192.168.2.211 key cipher $c$3$/Sze6gM9U14Qv862rJQK6+o9wyc7OPPpgVTP7g==
     accounting-on enable
     user-name-format without-domain
     nas-ip 192.168.2.41
    #

    #
    domain bilgibim.com.tr
     authentication lan-access radius-scheme bilgibim local
     authorization lan-access radius-scheme bilgibim local
     accounting lan-access radius-scheme bilgibim local
    #

    #
     domain default enable bilgibim.com.tr
    #

    #
     portal free-rule 0 source ip 172.16.3.0 255.255.255.0 destination ip 192.168.2.0 255.255.255.0
     portal free-rule 5 source ip 192.168.2.0 255.255.255.0 destination ip 172.16.3.0 255.255.255.0
    #
    portal web-server ClearPass
     url http://guest.bilgibim.corp/guest/wired_guests.php
    #

    ==========================================================================

    Thank You,

    Aydin KOCAK,

    Bilgibim.



  • 2.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Jul 07, 2016 05:51 PM

    Apologies for the delay!

    Which switch are you using (5130EI or 5130HI) and what version of software are you running?



  • 3.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Sep 23, 2016 06:12 AM

    Hello. Does anyone have any answers to the above question, or did you get it working? I am trying the same and can't get the portal page to send the username and password back to the switch.

    I have set up a new registration page and set the login vendor settings to each of the three HP options, one at a time, but no luck. I am assuming it's the Unified Wired-WLAN settings I require?

    Latest CPPM 6.6 and latest Comware 7.1 on a 5130EI.



  • 4.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Sep 28, 2016 01:54 PM

    I got this response from H3C regarding this issue:

    After the customer completes the login operation and presses the login button, the RADIUS server should send a CoA message to the device to make the device shut down the port the user is connected to, and then the user will try to get an IP address through the service VLAN.



  • 5.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Sep 26, 2016 09:28 PM

    @aydinkocak wrote: [post #1 quoted in full]

    Would you mind sharing more details on your set-up? I'm trying to configure about the same with a 5130EI and Comware 7. It just won't fall back to the guest or auth-fail VLAN. Also the captive portal doesn't get redirected.

    Cheers,



  • 6.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Oct 03, 2016 01:29 PM

    Do you still need assistance with this?

    The 5130EI supports full CoA and server-initiated captive portal redirect (as well as static config), along with MAC and dot1x authentication.

    I can post several things here to try, but I want to fully understand the problem before offering a solution.



  • 7.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 03, 2016 05:11 PM

    Hi,

    Thanks for the reply. I still need assistance, please. I have all the 802.1X and MAC auth working; it's just the captive portal piece I am struggling with. I have the clients being redirected and getting the captive portal hosted on the CPPM server. As soon as they enter the username and password, nothing happens. I could not find any info about the configuration needed on the ClearPass side. I am unsure what I need to set on the CPPM login page, or I could be missing something on the Comware side.

    Thanks in advance



  • 8.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest
    Best Answer

    EMPLOYEE
    Posted Oct 03, 2016 08:32 PM

    Here's the modern way to do the portal redirect: the server-initiated way (CPPM pushes down the portal/ACL info) based on an unknown host. In this method you don't have to configure the portal or the portal free-rules on the box.

    The only thing you have to define is the ACL, because Comware doesn't support downloadable ACLs at this time. In the ACL you can open them up to the whole IP or you can narrow them down to the port level; in the example below it's a mix. I'm using port-security in the example below, but it makes no difference if you're using mac-auth/dot1x without port-security.

    I'll follow up on the CPPM config in another post:

    Config:

    dot1x authentication-method eap
    #
    port-security enable
    #
    interface GigabitEthernet1/0/1
     port link-type hybrid
     port hybrid vlan 1
     undo dot1x handshake
     dot1x mandatory-domain cppm
     undo dot1x multicast-trigger
     mac-authentication domain cppm
     port-security port-mode mac-else-userlogin-secure-ext
    #
    acl number 3001 name PORTAL-REDIRECT
     rule 0 permit ip destination 172.16.1.12 0        <- CPPM server
     rule 1 permit ip destination 192.168.1.1 0        <- gateway, for a ping check
     rule 2 permit ip destination 10.1.1.1 0           <- DNS server
     rule 5 permit udp destination-port eq bootp       <- permit DHCP
    #
    radius session-control enable
    #
    radius scheme cppm
     primary authentication 172.16.1.12
     primary accounting 172.16.1.12
     key authentication simple radius
     key accounting simple radius
     user-name-format without-domain
     nas-ip 192.168.1.25
    #
    radius dynamic-author server
     client ip 172.16.1.12 key simple radius
    #
    domain cppm
     authentication lan-access radius-scheme cppm
     accounting default radius-scheme cppm
     authorization default radius-scheme cppm
    #


    [HPE]display mac-authentication connection
    Slot ID: 1
    User MAC address: 6431-50a1-8e3d
    Access interface: GigabitEthernet1/0/1
    Username: 643150a18e3d
    Authentication domain: 8021x
    Initial VLAN: 1
    Authorization untagged VLAN: N/A
    Authorization tagged VLAN: N/A
    Authorization ACL ID: 3001
    Authorization user profile: N/A
    Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
    Termination action: N/A
    Session timeout period: N/A
    Online from: 2016/06/08 02:32:27
    Online duration: 0h 0m 2s
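
An added check for the server-initiated flow above; this is not code from the post or from HPE/Aruba. Because the only thing defined on the switch in this method is the pre-auth ACL, a redirect that "does nothing" is frequently an ACL that does not let the confined client reach the portal host, the DNS server, the gateway or DHCP. The script parses a copy of acl 3001 and the two relevant lines of the display output, then evaluates each requirement against the ACL in listed order with an implicit deny. Assumptions, also marked in the code: the ACL text is a constructed copy in which the DHCP rules use the bootps/bootpc keywords written in the later config in this thread, the port-keyword table is a small subset of what Comware accepts, and the optional `hosts` mapping stands in for DNS when the redirect URL carries a hostname rather than an IP.

```python
"""Static check of a Comware pre-auth (redirect) ACL against what the portal flow needs.

Added example, not code from the post or from HPE/Aruba. It parses a copy of the ACL and of
the two relevant 'display mac-authentication connection' lines, then verifies that a client
confined by that ACL can still reach the portal host, the DNS server, the gateway and DHCP.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample, modelled on acl 3001 in the post. The DHCP rules are written with the
# bootps/bootpc port keywords used in the later config in this thread.
ACL_TEXT = """
acl number 3001 name PORTAL-REDIRECT
 rule 0 permit ip destination 172.16.1.12 0
 rule 1 permit ip destination 192.168.1.1 0
 rule 2 permit ip destination 10.1.1.1 0
 rule 5 permit udp destination-port eq bootps
 rule 6 permit udp destination-port eq bootpc
"""

# The two lines of the display output that matter for the redirect.
DISPLAY_TEXT = """
Authorization ACL ID: 3001
Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
"""

# Assumed subset of Comware port keywords; anything else must be numeric.
PORT_KEYWORDS = {"bootps": 67, "bootpc": 68, "dns": 53, "www": 80}

RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\S+)"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<wc>\S+))?"
    r"(?:\s+destination-port\s+eq\s+(?P<port>\S+))?"
)


def wildcard_to_network(addr, wildcard):
    """Comware wildcard mask: '0' (or 0.0.0.0) is one host, 0.0.0.255 is a /24."""
    wc = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        port = m["port"]
        if port is not None:
            port = int(port) if port.isdigit() else PORT_KEYWORDS[port]  # KeyError on unknown keyword
        rules.append({
            "num": int(m["num"]), "action": m["action"], "proto": m["proto"],
            "dst": wildcard_to_network(m["dst"], m["wc"]) if m["dst"] else None,
            "port": port,
        })
    return rules


def permits(rules, dst_ip, proto, dport=None):
    """First matching rule wins; no match is a deny, since the switch drops what the
    authorization ACL does not permit. An 'ip' rule matches every protocol."""
    ip = ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if r["dst"] is not None and ip not in r["dst"]:
            continue
        if r["port"] is not None and r["port"] != dport:
            continue
        return r["action"] == "permit"
    return False


def parse_display(text):
    acl = re.search(r"Authorization ACL ID:\s*(\d+)", text)
    url = re.search(r"Authorization URL:\s*(\S+)", text)
    return {"acl_id": int(acl[1]) if acl else None, "url": url[1] if url else None}


def check_redirect(acl_text, display_text, dns_server, gateway, hosts=None):
    """Return one True/False per requirement plus an overall 'ok', so the failing
    piece is obvious. 'hosts' (assumed, optional) maps a portal hostname to its IP."""
    rules = parse_acl(acl_text)
    info = parse_display(display_text)
    url = urlsplit(info["url"])
    port = url.port or (443 if url.scheme == "https" else 80)
    host = url.hostname
    portal_ip = (hosts or {}).get(host, host)
    results = {}
    try:
        results["portal"] = permits(rules, portal_ip, "tcp", port)
    except ipaddress.AddressValueError:
        # A hostname the client must resolve first: unknown until DNS is in the picture.
        results["portal"] = None
    results["dns"] = permits(rules, dns_server, "udp", 53)
    results["gateway_icmp"] = permits(rules, gateway, "icmp")
    results["dhcp"] = permits(rules, "255.255.255.255", "udp", 67)
    acl_num = re.search(r"acl number (\d+)", acl_text)
    results["acl_id_matches"] = bool(acl_num) and int(acl_num[1]) == info["acl_id"]
    results["ok"] = all(results[k] is True for k in
                        ("portal", "dns", "gateway_icmp", "dhcp", "acl_id_matches"))
    return results


if __name__ == "__main__":
    for name, ok in check_redirect(ACL_TEXT, DISPLAY_TEXT, "10.1.1.1", "192.168.1.1").items():
        print(f"{name:16} {ok}")
```

Run it against the running config and the display output of a port that is stuck on the redirect profile; a `portal` of `None` means the URL uses a hostname, which is the situation in the first post, and then the DNS rule is mandatory rather than a nicety.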



  • 9.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Oct 03, 2016 08:48 PM

    Here are some screencaps for you to view. Hopefully they come through okay (newbie to Airheads posting).

    5 files:

    H3C RadiusDictionary.txt, which you need to import and enable for RADIUS. Rename it to .xml and it should import.

    Comware Server Portal.PNG: This is the profile I use; in here it references the CPPM guest page and sends down the ACL to the switch. I omitted the overall enforcement policy, but I have this as my default profile for the policy. It's a catch-all, basically.

    WebAuth-Service.PNG: the service the connection matches.

    WebAuth_GuestPage.PNG: This is how I have the guest page set up.

    WebAuth-Successful.PNG: This is how you'll see it in the Access Tracker.

    So the way it works is that in my service for wired MAC auth I have the permitted permissions to get on the network, then the catch-all for the portal. When the catch-all is hit, it sends down the portal and ACL to the switch, which triggers the redirect. The PC then browses to the guest portal and I log in with my guest user/pass.

    The portal page will then do a web auth (make sure you have a web auth service set up too) so that the authentication is done, and it will cache your session with the guest role. It will also send a CoA disconnect back to the switch, which will cause a re-auth. Once the switch re-auths back to CPPM again, it will have the cached guest role, which then matches the permitted condition.

    Hope this helps and makes sense; if not, let me know and I can clarify more.

    Attachment: H3C - RadiusDictionary.txt (901 B)


  • 10.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 03, 2016 11:01 PM

    Thanks a lot for this information, I will try it for sure!

    Just to recap on my side and make sure I fully understand, could you validate that I'm right about the auth process?

    1 - A laptop connects to an edge port, fails 802.1X, fails MAC auth and then hits the MAC-AUTH-PORTAL-COMWARE service.
    2 - The ACL 3001 is applied along with a URL redirect to ClearPass which includes the laptop's MAC address in the URL.
    3 - The laptop is presented with the captive portal page, authenticates against any chosen DB, and is assigned the guest role in your set-up.
    4 - ClearPass CoA disconnects the laptop.
    5 - The laptop goes through the authentication process again but this time matches the wired MAC auth service with its cached attributes
    (MAC and role), then gets an ACCEPT on the MAC authentication.

    Thanks!



  • 11.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Oct 03, 2016 11:09 PM

    You nailed it. Just make sure you have a web auth service for guest set up too; this is what you actually authenticate against, service-wise, with the portal page.

    Also I forgot to mention that the 5130EI needs to be on later code. I forget which specific code we added all of the features in; I think it was 3109P09, but 3113P05 is the latest available on the public website.

    The cache is valid for 5 minutes by default in CPPM.



  • 12.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 04, 2016 03:51 AM

    Thank you for the reply. I need to arrange a site revisit before I can test it. I will let you know how I get on. Thanks again!



  • 13.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 04, 2016 11:01 AM

    Amazing, thanks!

    Would you mind sharing your HPE-AOS-WIRED-GUEST service config, please? I'll be deploying this this week and I don't have any lab Comware switch, so I just want to be sure :)



  • 14.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Oct 04, 2016 11:14 AM

    The easiest way to do this is via the service wizard. Go to 'Start Here' and then, at the top, click the full wizard link.

    Then go to the web-based authentication wizard and fill it out as you need it (authentication, etc.). Below is a screenshot of my enforcement policy, which is very basic.

    Web-Auth-Policy.PNG



  • 15.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 14, 2016 04:37 PM

    Hi Chris,

    I deployed the solution today; everything is working fine, but the session terminate still isn't.

    I can manually unplug/plug the Ethernet cable or do a manual shut/undo shut on the port, which will get my device to the MAC auth service with its cached attribute and succeed.

    When the Web-Auth service applies the [HPE - Terminate Session] enforcement profile, the PC never re-auths and stays on the captive portal enforcement profile.

    Have you ever run into something similar?

    Switch OS + model:

    HP 5130EI - 7.10.R3113P05

    Thanks :)



  • 16.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Oct 17, 2016 08:19 AM

    Sounds like CoA isn't working/responding.

    Do you have dynamic RADIUS set up in the switch?

    radius dynamic-author server
     client ip <your IP> key simple <key>

    Also, do you have CoA checked on the network device profile?



  • 17.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 17, 2016 08:51 AM
    Indeed, yes: the radius dynamic-author server is configured with the ClearPass IP and secret, and also the CoA box is checked and using its default port on the device.

    Thanks!


  • 18.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 17, 2016 10:50 AM

    Here's the configuration currently running on the switch:

    10.2.2.135 = ClearPass server IP

    10.2.3.123 = Switch NAS IP

    * Testing done on interface 1/0/15


    #
    dot1x
    dot1x authentication-method eap
    #
    mac-authentication
    mac-authentication domain test.net
    mac-authentication user-name-format mac-address with-hyphen
    #
    interface GigabitEthernet1/0/15
     description ** Test NAC **
     port access vlan 301
     stp edged-port
     poe enable
     undo dot1x handshake
     dot1x mandatory-domain test.net
     undo dot1x multicast-trigger
     mac-authentication
     mac-authentication domain test.net
    #
    acl number 3502 name PORTAL-REDIRECT
     rule 0 permit ip destination Clearpass-IP 0
     rule 10 permit ip destination GATEWAY-IP 0
     rule 20 permit ip destination DNS-SERVER-IP 0
     rule 30 permit udp destination-port eq bootps
     rule 40 permit udp destination-port eq bootpc
    #
    radius scheme dev-dot1x
     primary authentication 10.2.2.135 key cipher -Hidden-
     primary accounting 10.2.2.135 key cipher -Hidden-
     accounting-on enable
     user-name-format without-domain
     nas-ip 10.2.3.123
    radius scheme system
     user-name-format without-domain
    #
    radius dynamic-author server
     client ip 10.2.2.135 key cipher -Hidden-
    #
    domain test.net
     authentication lan-access radius-scheme dev-dot1x
     authorization lan-access radius-scheme dev-dot1x
     accounting lan-access radius-scheme dev-dot1x
     authentication portal radius-scheme dev-dot1x
     authorization portal radius-scheme dev-dot1x
     accounting portal radius-scheme dev-dot1x



  • 19.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Oct 17, 2016 12:02 PM

    So there are a few ways we can tackle this.

    We can do a packet capture to see if the CoA messages are going out, or we can do it via debug.

    For the debug method, go into the switch and do 'debug radius all', then do 'term debug' and 'term mon'.

    Then connect a PC, let it get authenticated, and go into the Access Tracker in ClearPass. At the bottom of that box there is a 'Change Status' button that you can click on to go terminate the session. Select the HPE terminate session profile and then submit it. If successful, you should then see a bunch of debug output on the switch console. If that fails, then we need to look at other areas; something isn't configured right.

    Here's an example of what you will see:


    <HPE>*Oct 17 15:59:02:317 2016 HPE RADIUS/7/EVENT:
    Received DAE request packet successfully.
    *Oct 17 15:59:02:320 2016 HPE RADIUS/7/PACKET:
    User-Name="643150a18e3d"
    Calling-Station-Id="64-31-50-A1-8E-3D"
    NAS-IP-Address=192.168.1.25
    NAS-Port=16781314
    Event-Timestamp="Oct 17 2016 15:59:00 UTC"
    *Oct 17 15:59:02:321 2016 HPE RADIUS/7/PACKET:
    28 c4 00 47 ad 4c dd 9b b8 9d 1c b7 43 f1 a9 f7
    f6 7a 20 61 01 0e 36 34 33 31 35 30 61 31 38 65
    33 64 1f 13 36 34 2d 33 31 2d 35 30 2d 41 31 2d
    38 45 2d 33 44 04 06 c0 a8 01 19 05 06 01 00 10
    02 37 06 58 04 f5 44

    %Oct 17 15:59:02:330 2016 HPE MACA/6/MACA_LOGOFF: -IfName=GigabitEthernet1/0/1-MACAddr=6431-50a1-8e3d-VLANID=2-Username=643150a18e3d-UsernameFormat=MAC address; MAC authentication user was logged off.
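
As an added example, not part of the post, the hex dump the switch prints can be decoded offline to confirm what ClearPass actually sent. The script below parses the RADIUS Dynamic Authorization packet from the debug output above (code 40 is Disconnect-Request per RFC 5176) and recovers exactly the attributes the switch listed, then shows how the Request Authenticator is checked with the shared secret, which is what the switch does before acting on the request. The secret behind the real packet is not on the page, so the authenticator check is exercised on a packet the script builds itself with the assumed secret `radius` taken from the earlier sample config.

```python
"""Decode a RADIUS Dynamic Authorization packet from Comware 'debug radius' output.

Added example, not code from the post or from HPE/Aruba. It parses the hex dump above
(RFC 5176 Disconnect-Request, code 40) back into the attributes the switch listed, and
shows how the Request Authenticator is checked with the shared secret.
"""
import hashlib
import ipaddress
import struct
from datetime import datetime, timezone

# The RADIUS/7/PACKET bytes exactly as printed in the post.
SWITCH_DUMP = """
28 c4 00 47 ad 4c dd 9b b8 9d 1c b7 43 f1 a9 f7
f6 7a 20 61 01 0e 36 34 33 31 35 30 61 31 38 65
33 64 1f 13 36 34 2d 33 31 2d 35 30 2d 41 31 2d
38 45 2d 33 44 04 06 c0 a8 01 19 05 06 01 00 10
02 37 06 58 04 f5 44
"""

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         31: "Calling-Station-Id", 55: "Event-Timestamp"}


def hexdump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))


def decode_value(atype, value):
    if atype in (1, 31):                      # text attributes
        return value.decode("ascii")
    if atype == 4:                            # IPv4 address
        return str(ipaddress.IPv4Address(value))
    if atype == 5:                            # integer
        return struct.unpack("!I", value)[0]
    if atype == 55:                           # time, printed the way the switch does
        secs = struct.unpack("!I", value)[0]
        return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%b %d %Y %H:%M:%S UTC")
    return value.hex()


def parse_dae(packet):
    """Header: Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    attrs = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        attrs[ATTRS.get(atype, f"Attr-{atype}")] = decode_value(atype, packet[pos + 2:pos + alen])
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "length": length,
            "authenticator": packet[4:20].hex(), "attrs": attrs}


def request_authenticator(packet, secret):
    """RFC 5176 section 2.3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()


def authenticator_valid(packet, secret):
    """What the switch checks before acting on a Disconnect/CoA request."""
    return request_authenticator(packet, secret) == packet[4:20]


def build_disconnect_request(ident, secret, raw_attrs):
    """Build a Disconnect-Request with a correct authenticator (used to exercise the check)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in raw_attrs)
    header = struct.pack("!BBH", 40, ident, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


if __name__ == "__main__":
    pkt = hexdump_to_bytes(SWITCH_DUMP)
    for k, v in parse_dae(pkt).items():
        print(f"{k}: {v}")
    # The real secret is not on the page; 'radius' is the key from the earlier sample config.
    print("authenticator matches 'radius':", authenticator_valid(pkt, b"radius"))
```

A request whose authenticator does not verify against the key in `radius dynamic-author server` is silently dropped by the NAS, which looks exactly like the "CoA sent, nothing happens" symptom later in this thread; decoding the bytes from the debug and checking them against the configured key separates a key mismatch from a vendor or profile mismatch on the ClearPass side.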



  • 20.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 17, 2016 01:08 PM

    Thank you for the answer!

    I think I found what I did wrong but can't try it today; maybe you can confirm. When I created the device I selected H3C for the vendor name. The enforcement profiles are for HPE; maybe they don't apply because of this?

    I remember that from the "Change Status" menu I had no CoA available, probably because of this, except the generic one I created.



  • 21.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 27, 2016 09:06 AM

    I am running into the same issue. Everything is working except for the CoA. I have tried setting the device as H3C and as HPE.

    I can see in the Access Tracker that the CoA is being sent when the auth is successful.

    If I do a packet capture on the CPPM I don't see anything come or go to the switch IP.

    RADIUS debugging on the switch shows nothing.

    Any ideas?

    Thanks in advance



  • 22.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Oct 27, 2016 09:20 AM
    I was able to get it working yesterday using the HPE device vendor, which was my problem.

    I've noticed the port bounce was sent but nothing was happening. The HPE terminate session was working and did exactly what I wanted.

    Can you post a "dis current config" of the switch?


  • 23.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Dec 07, 2018 11:04 AM

    Hello Chris, could you help me with the configuration on the switch? I've been at this for days and I still cannot make it work.



  • 24.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Dec 07, 2018 11:12 AM
    Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?


  • 25.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    Posted Dec 07, 2018 11:16 AM

    Hi Tim,

    Yes, I did. I receive the ACL and the URL of the portal, but the switch does not do the redirection.



  • 26.  RE: HPE 5130 - Comware 7 External Portal via ClearPass Guest

    EMPLOYEE
    Posted Dec 07, 2018 11:20 AM
    Best to open a TAC case then.