Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

I don't want to bypass CNA!

  • 1.  I don't want to bypass CNA!

    Posted Oct 03, 2014 09:49 AM

    I've spent ages with customers before trying to bypass Apple's CNA but today I am with a customer who wants the CNA to pop up and I can't get it to happen!

    All captive portal is set up, bypass CNA is off in the CP Profile as well as in ClearPass. There are no additional allows in the firewall except to CPPM and also one to allow access to CPPM via an external link (this is required by the setup here due to the way the guest VLAN is protected from the internal network). There is no Apple whitelisting at all.

    Android and Windows devices all work correctly with their respective popups but CNA will not work.

    Using CPPM v6.0 (although patching to 6.1 as I write this) and AOS 6.4.2.1. iPhone is on OS 7.2.

    Any ideas of where else I should look?

    Cheers

    Davey



  • 2.  RE: I don't want to bypass CNA!

    EMPLOYEE
    Posted Oct 03, 2014 09:58 AM


  • 3.  RE: I don't want to bypass CNA!

    Posted Oct 03, 2014 10:17 AM

    Tried it with and without landing.php. No joy.



  • 4.  RE: I don't want to bypass CNA!

    Posted Oct 03, 2014 10:19 AM

    Just to point out CPPM version 6.4.1, not 6.1!



  • 5.  RE: I don't want to bypass CNA!

    EMPLOYEE
    Posted Oct 03, 2014 10:19 AM

    Please publish your "logon" ACL for your user:

    show rights <role>



  • 6.  RE: I don't want to bypass CNA!

    Posted Oct 03, 2014 10:23 AM
    VH-Aruba-1) #show rights Customer-Guest-PreAuth
    
    Derived Role = 'Customer-Guest-PreAuth'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Web Content Classification: Enabled
     ACL Number = 68/0
     Max Sessions = 65535
    
     Check CP Profile for Accounting = FALSE
     Captive Portal profile = CNGuest-CP-Profile
    
    Application Exception List
    --------------------------
    Name  Type
    ----  ----
    
    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------
    
    access-list List
    ----------------
    Position  Name                                Type     Location
    --------  ----                                ----     --------
    1         global-sacl                         session
    2         apprf-customer-Guest-PreAuth-sacl  session
    3         logon-control                       session
    4         AllowExternalCPPM                   session
    5         AllowCPPM                           session
    6         captiveportal                       session
    
    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-Customer-Guest-PreAuth-sacl
    ----------------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    logon-control
    -------------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any                      udp 68                 deny                             Low                                                           4
    2         any     any                      svc-icmp               permit                           Low                                                           4
    3         any     any                      svc-dns                permit                           Low                                                           4
    4         any     any                      svc-dhcp               permit                           Low                                                           4
    5         any     any                      svc-natt               permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4
    AllowExternalCPPM
    -----------------
    Priority  Source  Destination     Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------     -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    83.244.191.151  svc-https               permit                           Low                                                           4
    2         user    83.244.191.151  svc-http                permit                           Low                                                           4
    AllowCPPM
    ---------
    Priority  Source  Destination  Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    Clearpass    svc-http                permit                           Low                                                           4
    2         user    Clearpass    svc-https               permit                           Low                                                           4
    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4
    
    Expired Policies (due to time constraints) = 0

    AllowCPPM allows access to the ClearPass VIP.
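    The posted logon role is worth reading as a first-match evaluation: the session ACLs are applied in position order (AllowExternalCPPM, AllowCPPM, captiveportal), so HTTP to ClearPass is permitted outright while HTTP to anywhere else is dst-nat'd to the controller's portal listener on 8080. That is exactly what makes iOS show the CNA sheet, because the CNA fires when the phone's probe to an Apple host gets any HTTP reply other than Apple's exact "Success" page. The script below is an added example for this thread, not code from the posts or from Aruba/ClearPass; it models that evaluation and Apple's probe rule, and shows how a single "permit" row for the probe host would silently suppress the CNA. The rule rows are transcribed from the output above (HTTP/HTTPS rows only), the probe host name, the redirect URL and the AllowApple row are constructed for illustration, and real ACL rows use netdestination names rather than hostnames.

```python
"""Why the posted logon role produces (or would suppress) the iOS CNA sheet.

Added example; not code from the thread or from Aruba/ClearPass. Models:
  * first-match evaluation of the role's session ACLs in position order
  * Apple's probe rule: the CNA sheet appears when the probe to an Apple
    host gets an HTTP reply that is not the exact "Success" page
The probe host, redirect URL and the AllowApple row are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Body Apple's probe endpoint (e.g. captive.apple.com/hotspot-detect.html) returns.
APPLE_SUCCESS_BODY = "<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>"

# HTTP/HTTPS rows of the posted role, flattened in ACL position order.
# Tuple: (acl name, destination, service, action)
LOGON_RULES = [
    ("AllowExternalCPPM", "83.244.191.151", "svc-https", "permit"),
    ("AllowExternalCPPM", "83.244.191.151", "svc-http", "permit"),
    ("AllowCPPM", "Clearpass", "svc-http", "permit"),
    ("AllowCPPM", "Clearpass", "svc-https", "permit"),
    ("captiveportal", "controller", "svc-https", "dst-nat 8081"),
    ("captiveportal", "any", "svc-http", "dst-nat 8080"),
    ("captiveportal", "any", "svc-https", "dst-nat 8081"),
]

# Hypothetical whitelist row a customer might add "to help Apple devices".
APPLE_WHITELIST_RULE = ("AllowApple", "captive.apple.com", "svc-http", "permit")


@dataclass
class HttpResponse:
    status: int
    body: str
    location: Optional[str] = None


def first_match(rules, dst: str, service: str):
    """Session ACLs are evaluated top-down; the first matching row decides.
    Returns (acl name, action); no match falls through to the implicit deny."""
    for acl, rule_dst, rule_svc, action in rules:
        if rule_svc == service and rule_dst in ("any", dst):
            return acl, action
    return None, "deny"


def probe_reply(rules, probe_host: str = "captive.apple.com") -> Optional[HttpResponse]:
    """What the iPhone's HTTP probe gets back under this role (constructed replies)."""
    _, action = first_match(rules, probe_host, "svc-http")
    if action == "permit":
        # Probe reaches Apple untouched: the real Success page comes back.
        return HttpResponse(200, APPLE_SUCCESS_BODY)
    if action.startswith("dst-nat"):
        # Probe is redirected to the controller's portal listener, which answers
        # with a redirect to the login page (URL assumed for illustration).
        return HttpResponse(302, "", location="https://securelogin.arubanetworks.com/cgi-bin/login")
    return None  # denied: TCP never completes, so there is no HTTP reply at all


def cna_triggers(reply: Optional[HttpResponse]) -> bool:
    """Apple's rule: show the CNA sheet unless the probe returns the exact
    Success page. No reply at all reads as 'no internet', not as a portal."""
    if reply is None:
        return False
    return not (reply.status == 200 and reply.body.strip() == APPLE_SUCCESS_BODY)


def cna_expected(rules) -> bool:
    """End-to-end: given a role's rules, will the CNA sheet appear?"""
    return cna_triggers(probe_reply(rules))


if __name__ == "__main__":
    print("posted logon role  -> CNA sheet:", cna_expected(LOGON_RULES))                       # True
    print("with AllowApple row -> CNA sheet:", cna_expected([APPLE_WHITELIST_RULE] + LOGON_RULES))  # False
    print("HTTP to ClearPass hits:", first_match(LOGON_RULES, "Clearpass", "svc-http"))
```

    The check to take away: walk the role's ACLs in position order and confirm that no row permits svc-http to a destination the Apple probe could reach before the captiveportal ACL's dst-nat row; the ClearPass-only permits above are harmless because their destination is not "any".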



  • 7.  RE: I don't want to bypass CNA!

    EMPLOYEE
    Posted Oct 03, 2014 10:31 AM

    It looks fine. You might want to check the Apple forum so that you can get telemetry on whether the CNA is triggered in iOS and why. There is definitely a log on Mac OS X.



  • 8.  RE: I don't want to bypass CNA!

    Posted Oct 03, 2014 10:44 AM

    Goddamn Apple devices. Forgot the network and tried again and now it works.

    See here:

    https://discussions.apple.com/message/25443945#25443945