New Contributor
Posts: 4
Registered: ‎01-15-2016

HPE 5130 - Comware 7 External Portal via ClearPass Guest

Hello,

 

I have already configured an external self-registration guest portal for an Aruba IAP 105, and it is running successfully.

Then I tried HPE 5130 802.1X, and this is also running successfully. Finally I tried the following: if 802.1X authentication

fails, the user drops to the guest/auth-fail VLAN, and that VLAN is configured for portal authentication with ClearPass Guest as the external portal. I have a problem when I create the self-registration portal, because I couldn't find HPE/H3C (Comware) vendor settings.

 

When user authentication fails, users drop to the guest/auth-fail VLAN and are redirected to the ClearPass self-registration page, but when I register a guest and press the login button nothing happens and the same page appears.

 

Switch NAS ID: 192.168.2.41

Radius(ClearPass) : 192.168.2.211 (guest.bilgibim.corp)

 

My switch configuration is the following:

============================================================================

#
interface Vlan-interface3
 description *** Bilgibim Guest ***
 ip address 172.16.3.1 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.2.203
 portal enable method direct
 portal apply web-server ClearPass
#

#
interface GigabitEthernet1/0/16
 description ***Aydin KOCAK***
 stp edged-port
 poe enable
 dot1x
 undo dot1x handshake
 dot1x mandatory-domain bilgibim.com.tr
 dot1x port-method portbased
 dot1x re-authenticate
 dot1x guest-vlan 3
 dot1x auth-fail vlan 3
#

#
radius scheme bilgibim
 primary authentication 192.168.2.211 key cipher $c$3$XYsBAKLajI5vmRRy8Momaxpovy2PdEvrOxcr8w==
 primary accounting 192.168.2.211 key cipher $c$3$/Sze6gM9U14Qv862rJQK6+o9wyc7OPPpgVTP7g==
 accounting-on enable
 user-name-format without-domain
 nas-ip 192.168.2.41
#

#
domain bilgibim.com.tr
 authentication lan-access radius-scheme bilgibim local
 authorization lan-access radius-scheme bilgibim local
 accounting lan-access radius-scheme bilgibim local
#

#
 domain default enable bilgibim.com.tr
#

#
 portal free-rule 0 source ip 172.16.3.0 255.255.255.0 destination ip 192.168.2.0 255.255.255.0
 portal free-rule 5 source ip 192.168.2.0 255.255.255.0 destination ip 172.16.3.0 255.255.255.0
#
portal web-server ClearPass
 url http://guest.bilgibim.corp/guest/wired_guests.php
#

==========================================================================

 

Thank You,

Aydin KOCAK,

Bilgibim.

Aruba Employee
Posts: 9
Registered: ‎11-23-2015

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

[ Edited ]

Apologies for the delay!

 

Which switch are you using (5130EI or 5130HI) and what version of software are you running?

Occasional Contributor I
Posts: 6
Registered: ‎09-23-2016

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Hello. Does anyone have any answers to the above question, or did you get it working? I am trying the same and can't get the portal page to send the username and password back to the switch.

 

I have set up a new registration page and set the login vendor settings to each of the three HP options, one at a time, but no luck. I am assuming it's the Unified Wired-WLAN settings I require?

 

Latest CPPM 6.6 and latest Comware 7.1 on a 5130EI.

MVP
Posts: 129
Registered: ‎07-13-2015

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest


aydinkocak wrote:

Hello,

 

I have already configured an external self-registration guest portal for an Aruba IAP 105, and it is running successfully.

Then I tried HPE 5130 802.1X, and this is also running successfully. Finally I tried the following: if 802.1X authentication

fails, the user drops to the guest/auth-fail VLAN, and that VLAN is configured for portal authentication with ClearPass Guest as the external portal. I have a problem when I create the self-registration portal, because I couldn't find HPE/H3C (Comware) vendor settings.

 

When user authentication fails, users drop to the guest/auth-fail VLAN and are redirected to the ClearPass self-registration page, but when I register a guest and press the login button nothing happens and the same page appears.

 

Switch NAS ID: 192.168.2.41

Radius(ClearPass) : 192.168.2.211 (guest.bilgibim.corp)



Would you mind sharing more details on your setup? I'm trying to configure about the same with a 5130EI and Comware 7. It just won't fall back to the guest or auth-fail VLAN. Also, the captive portal doesn't get redirected.

Cheers,

ACMP, ACCP, BCNE
Aruba Employee
Posts: 9
Registered: ‎11-23-2015

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

I got this response from H3C regarding this issue:

 

After the customer completes the login operation and presses the login button, the RADIUS server should send a CoA message to the device to make the device shut down the port the user is connected to, and then the user will try to get an IP address through the service VLAN.

 

Aruba Employee
Posts: 11
Registered: ‎03-23-2016

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Do you still need assistance with this?

 

The 5130EI supports full CoA, server-initiated captive portal redirect (and static config), along with MAC and dot1x authentication.

 

 

I can post several things here to try, but I want to fully understand the problem before offering a solution.

Occasional Contributor I
Posts: 6
Registered: ‎09-23-2016

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Hi,

 

Thanks for the reply. I still need assistance, please. I have all the 802.1X and MAC auth working; it's just the captive portal piece I am struggling with. I have the clients being redirected and getting the captive portal hosted on the CPPM server. As soon as they enter the username and password, nothing happens. I could not find any info about the configuration needed on the ClearPass side. I am unsure what I need to set on the CPPM login page. Or I could be missing something on the Comware side.

 

Thanks in advance.

Aruba Employee
Posts: 11
Registered: ‎03-23-2016

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Here's the modern way to do the portal redirect, the server-initiated way (CPPM pushes down the portal/ACL info) based on an unknown host. In this method you don't have to configure the portal or the portal free-rules on the box.

 

The only thing you have to define is the ACL, because Comware doesn't support downloadable ACLs at this time. In the ACL you can open them up to the whole IP, or you can narrow them down to the port level; in the example below it's a mix. I'm using port-security in this example, but it makes no difference if you're using mac-auth/dot1x without port-security.

 

I'll follow up on the CPPM config in another post:

 

Config:

dot1x authentication-method eap
#
port-security enable
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid vlan 1
undo dot1x handshake
dot1x mandatory-domain cppm
undo dot1x multicast-trigger
mac-authentication domain cppm
port-security port-mode mac-else-userlogin-secure-ext
#
acl number 3001 name PORTAL-REDIRECT
rule 0 permit ip destination 172.16.1.12 0 <- CPPM Server
rule 1 permit ip destination 192.168.1.1 0 <- Gateway to PING Check
rule 2 permit ip destination 10.1.1.1 0 <- DNS server
rule 5 permit udp destination-port eq bootp <- Permit DHCP
#
radius session-control enable
#
radius scheme cppm
primary authentication 172.16.1.12
primary accounting 172.16.1.12
key authentication simple radius
key accounting simple radius
user-name-format without-domain
nas-ip 192.168.1.25
#
radius dynamic-author server
client ip 172.16.1.12 key simple radius
#
domain cppm
authentication lan-access radius-scheme cppm
accounting default radius-scheme cppm
authorization default radius-scheme cppm
#


[HPE]display mac-authentication connection
Slot ID: 1
User MAC address: 6431-50a1-8e3d
Access interface: GigabitEthernet1/0/1
Username: 643150a18e3d
Authentication domain: 8021x
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization ACL ID: 3001
Authorization user profile: N/A
Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
Termination action: N/A
Session timeout period: N/A
Online from: 2016/06/08 02:32:27
Online duration: 0h 0m 2s
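The `display mac-authentication connection` output above is the check that tells you whether CPPM's catch-all actually landed on the switch: the session must show both an authorization ACL and an authorization URL, not `N/A`. The following is an added example, not Comware or ClearPass code, that parses that output and flags the states a practitioner runs into (URL pushed without an ACL, ACL without a redirect, redirect host not covered by the pre-auth ACL). The embedded sample record is constructed from the format shown above; ACL 3001 and the CPPM address 172.16.1.12 are the values from the posted config, and the assumption that every record begins at a `User MAC address:` line is mine.

```python
"""Parse Comware 7 'display mac-authentication connection' output and check whether a
session got the server-initiated portal redirect (an authorization ACL plus a URL).

Added example, not Comware or ClearPass code. SAMPLE is constructed from the record
format shown in the thread; ACL 3001 and 172.16.1.12 come from the posted config.
Assumption: each user record starts at a 'User MAC address:' line, and 'Slot ID:'
applies to the records that follow it.
"""
import re
from urllib.parse import urlparse

SAMPLE = """\
Slot ID: 1
User MAC address: 6431-50a1-8e3d
Access interface: GigabitEthernet1/0/1
Username: 643150a18e3d
Authentication domain: 8021x
Initial VLAN: 1
Authorization untagged VLAN: N/A
Authorization tagged VLAN: N/A
Authorization ACL ID: 3001
Authorization user profile: N/A
Authorization URL: https://172.16.1.12/guest/hpeaoswiredguest.php
Termination action: N/A
Session timeout period: N/A
Online from: 2016/06/08 02:32:27
Online duration: 0h 0m 2s
"""


def parse_sessions(text):
    """Split the output into one dict per user record; 'N/A' becomes None."""
    sessions, current, slot = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        # split on the first colon only: 'Online from' and the URL contain more colons
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Slot ID":
            slot = value
            continue
        if key == "User MAC address":
            current = {"Slot ID": slot}
            sessions.append(current)
        if current is not None:
            current[key] = None if value == "N/A" else value
    return sessions


def normalize_mac(comware_mac):
    """Convert Comware's xxxx-xxxx-xxxx form to the colon form seen in Calling-Station-Id."""
    hexdigits = comware_mac.replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError("bad MAC: %r" % comware_mac)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def classify(session):
    """Name the authorization state the switch is enforcing for this session."""
    acl, url = session.get("Authorization ACL ID"), session.get("Authorization URL")
    if url and acl:
        return "portal-redirect"
    if url:
        return "url-without-acl"   # redirect pushed, but nothing restricts the host
    if acl:
        return "acl-only"          # restricted, but the browser will never be redirected
    return "unrestricted"


def check_redirect(session, permitted_hosts):
    """Return findings for one session; an empty list means the redirect looks sane.

    permitted_hosts: hosts/IPs the pre-auth ACL permits (the CPPM server in 'rule 0')."""
    findings = []
    state = classify(session)
    if state != "portal-redirect":
        findings.append("state is %s, not portal-redirect" % state)
    url = session.get("Authorization URL")
    if url:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append("redirect URL is not https; guest credentials would cross the wire in clear")
        if parsed.hostname not in permitted_hosts:
            findings.append("redirect host %s is not in the pre-auth ACL permit list" % parsed.hostname)
    return findings


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(normalize_mac(s["User MAC address"]), classify(s), check_redirect(s, {"172.16.1.12"}))
```

Feed it the real output (`display mac-authentication connection` pasted into a file) and give `check_redirect` the destinations your redirect ACL actually permits; a `url-without-acl` or a host not in that set is the usual reason the client is "redirected" yet the portal never loads.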

Aruba Employee
Posts: 11
Registered: ‎03-23-2016

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Here are some screencaps for you to view. Hopefully they come through okay (newbie to Airheads posting).

 

5 files:

H3C RadiusDictionary.txt - the dictionary you need to import and enable for RADIUS. Rename it to XML and it should import.

Comware Server Portal.PNG - This is the profile I use; in here it references the CPPM guest page and sends down the ACL to the switch. I omitted the overall enforcement policy, but I have this as my default profile for the policy. It's a catch-all, basically.

WebAuth-Service.PNG - The service the connection matches.

WebAuth_GuestPage.PNG - This is how I have the guest page set up.

WebAuth-Successful.PNG - This is how you'll see it in the Access Tracker.

 

So the way it works is that in my service for wired mac-auth I have the permitted permissions to get on the network, then the catch-all for the portal. When the catch-all is hit, it sends down the portal and ACL to the switch, which triggers the redirect. The PC then browses to the guest portal and I log in with my guest user/pass.

 

The portal page will then do a WebAuth (make sure you have a WebAuth service set up too) so that the authentication is done, and it will cache your session with the guest role. It will also send a CoA disconnect back to the switch, which will cause a re-auth. Once the switch re-auths back to CPPM again, it will have the cached guest role, which then matches the permitted condition.

 

 

Hope this helps and makes sense, if not let me know and I can clarify more.

MVP
Posts: 129
Registered: ‎07-13-2015

Re: HPE 5130 - Comware 7 External Portal via ClearPass Guest

Thanks a lot for this information, I will try it for sure!

Just to recap on my side and make sure I fully understand, could you validate that I'm right about the auth process?

1 - A laptop connects to an edge port, fails 802.1X, fails MAC auth and then hits the MAC-AUTH-PORTAL-COMWARE service.
2 - ACL 3001 is applied, along with a URL redirect to ClearPass which includes the laptop's MAC address in the URL.
3 - The laptop is presented with the captive portal page, authenticates against any chosen DB and is given the guest role in your setup.
4 - ClearPass CoA disconnects the laptop.
5 - The laptop goes through the authentication process again, but this time matches the wired-mac-auth service with its cached attributes
(MAC and role), then gets an ACCEPT on the MAC authentication.

Thanks !

ACMP, ACCP, BCNE
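Step 4 of the recap above, and the "CoA disconnect back to the switch" in the earlier explanation of the flow, is the part that silently fails when the shared secret or the NAS address is wrong: the switch drops an unauthenticated Disconnect-Request without a word, and the guest just sees the portal page again. The following is an added example, not ClearPass or Comware code, that builds an RFC 5176 Disconnect-Request the way the server side must, verifies the Disconnect-ACK/NAK that comes back, and can be pointed at a switch's `radius dynamic-author server` listener to test that step in isolation. It assumes the secret `radius`, the CPPM address 172.16.1.12 and the NAS-IP 192.168.1.25 from the posted config, the RFC 5176 default UDP port 3799, and a constructed client MAC.

```python
"""Build and verify RADIUS Disconnect-Request / Disconnect-ACK packets (RFC 5176).

Added example; not ClearPass, Comware or any vendor's code. Assumptions: shared
secret b"radius" and NAS-IP 192.168.1.25 from the posted config, the RFC 5176
default port 3799 for the switch's dynamic-author listener, and a constructed MAC.
"""
import hashlib
import hmac
import os
import socket
import struct

CODE_DISCONNECT_REQUEST = 40
CODE_DISCONNECT_ACK = 41
CODE_DISCONNECT_NAK = 42

ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ERROR_CAUSE = 101


def _avp(attr_type, value):
    """Encode one attribute as Type, Length, Value (length counts the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, ident, nas_ip, calling_station_id, username=None):
    """Disconnect-Request keyed on NAS-IP-Address + Calling-Station-Id (the session's MAC)."""
    attrs = _avp(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += _avp(ATTR_CALLING_STATION_ID, calling_station_id.encode())
    if username:
        attrs += _avp(ATTR_USER_NAME, username.encode())
    header = struct.pack("!BBH", CODE_DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 s2.3: Request Authenticator = MD5(Code+ID+Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def build_response(secret, request, code, attrs=b""):
    """The ACK/NAK a NAS returns; used here to exercise verify_response offline."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    # Response Authenticator = MD5(Code+ID+Length + Request Authenticator + Attributes + Secret)
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(secret, request, response):
    """True only if the reply matches our request's identifier and authenticates under the secret."""
    if len(request) < 20 or len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    if code not in (CODE_DISCONNECT_ACK, CODE_DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])   # constant-time compare


def parse_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet; rejects truncated attributes."""
    out, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return out


def send_disconnect(secret, nas_ip, calling_station_id, port=3799, timeout=3.0):
    """Send a Disconnect-Request to the switch; return (acked, reply attributes)."""
    req = build_disconnect_request(secret, os.urandom(1)[0], nas_ip, calling_station_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(req, (nas_ip, port))
        reply, _ = sock.recvfrom(4096)          # no reply at all: wrong secret or no 'client ip' entry
    if not verify_response(secret, req, reply):
        raise ValueError("reply failed the authenticator check: wrong secret or spoofed reply")
    return reply[0] == CODE_DISCONNECT_ACK, parse_attributes(reply)


if __name__ == "__main__":
    # Offline round trip with a constructed MAC: build the request, fake the switch's ACK, verify it.
    secret = b"radius"
    req = build_disconnect_request(secret, 7, "192.168.1.25", "64-31-50-a1-8e-3d")
    ack = build_response(secret, req, CODE_DISCONNECT_ACK)
    print("ACK verified:", verify_response(secret, req, ack))
    print("ACK under wrong secret:", verify_response(b"wrong", req, ack))
```

To test the switch itself, call `send_disconnect(b"radius", "192.168.1.25", "<mac of a session from display mac-authentication connection>")` from the host configured as `client ip` under `radius dynamic-author server`; a timeout rather than a NAK means the switch discarded the request, which on the RADIUS side is exactly what a secret mismatch looks like.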