Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

IAP 105 and ClearPass self-registration

Hello,

 

I am still confused with ClearPass and I haven't found an answer in the doc or here. So here is what I would like to do:

In ClearPass, I have set up a self-registration (works, but I don't know about the NAS login, could it be done with ClearPass) and now I need that when connecting to the IAP, the visitor is redirected to this self-registration. I have read about RADIUS, NAS, ... but I am a bit lost.

Can anyone give me an overview of what to do?

 

Thanks.

 

Dimitri

MVP
Posts: 507
Registered: ‎05-11-2011

Re: IAP 105 and ClearPass self-registration

Never done this with an IAP before, but I would assume it's the same procedure as normal.

 

Are you using CPPM or plain CP Guest (Amigopod)?

 

First add the CPPM server as Radius server in the IAP.

On CPPM create the IAP as a Radius Device (Configuration/Network/Device)

Use the same shared secret and make sure you have the correct ip of the IAP when entering this in CPPM.

 

That should be enough to get the IAP and CPPM talking.

 

Now - edit your self-registration.

Click the NAS Vendor Settings tab

Check for "Enable guest login for a NAS"

  • Vendor settings: Aruba Networks
  • ip address: the ip of the radius device (IAP)
  • Secure login: if you're not using certificates then set this to "Send cleartext ..."
  • Save changes..

Think most of the stuff here should still be valid.. Google for Amigopod-AOS-Integration-AppNote.pdf - select the pdf that is hosted on arubanetworks.com.

 

Let me know if this helps you or what you get stuck on and I'll try to elaborate..


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
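
Added example, not part of the original thread or of any Aruba code: a Python sketch of where the RADIUS shared secret from the steps above enters the protocol (RFC 2865 User-Password hiding and the Response Authenticator), showing why a secret that differs between the IAP and CPPM makes every login fail. The function names and all sample values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept


def _blocks(data):
    return [data[i:i + 16] for i in range(0, len(data), 16)]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, req_auth):
    """NAS side: RFC 2865 section 5.2 User-Password hiding."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for block in _blocks(padded):
        prev = _xor(block, hashlib.md5(secret + prev).digest())
        out += prev
    return out


def unhide_password(hidden, secret, req_auth):
    """Server side: reverse the hiding with the secret the server has stored."""
    out, prev = b"", req_auth
    for block in _blocks(hidden):
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def response_is_authentic(packet, req_auth, secret):
    """NAS side: accept a reply only if its authenticator matches our secret."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + req_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    ra = os.urandom(16)  # Request Authenticator, fresh per request
    hidden = hide_password(b"visitor-pass", b"secret-on-iap", ra)  # constructed values
    print(unhide_password(hidden, b"secret-on-iap", ra))   # matching secret
    print(unhide_password(hidden, b"secret-on-cppm", ra))  # mismatched secret: garbage
```

With a mismatched secret the server recovers a garbage password and the NAS cannot validate any reply, so the symptom looks the same as a wrong guest password or an unreachable server.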
Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Re: IAP 105 and ClearPass self-registration

Hi,

 

Thanks for this first response. I am using plain CP Guest, can I follow your procedure or is it different from using CPPM?

 

Thanks again.

 

Dimitri

 

 

MVP
Posts: 507
Registered: ‎05-11-2011

Re: IAP 105 and ClearPass self-registration

Then that document is even more valid.

 

On CP Guest you create the IAP as NAS device under the Radius/NAS List tab.

 

When you try to authenticate with it check the logs under Support/System logs and you should be able to see what IP address the IAP tries to access with..


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Re: IAP 105 and ClearPass self-registration

On CP Guest, I don't find the Radius/NAS List tab. The document is totally different from what I am seeing in CP Guest, I can't match the information.

 

I got ClearPass Guest 6.0.1.22810.

 

Dimitri

MVP
Posts: 507
Registered: ‎05-11-2011

Re: IAP 105 and ClearPass self-registration

Well - then you have cppm with cpguest. Instead of /guest in your URL for admin type /tips. Or just navigate to the IP and you should be redirected to the cppm login.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Re: IAP 105 and ClearPass self-registration

Ok thanks, so I use your first post procedure ?

 

Dimitri

MVP
Posts: 507
Registered: ‎05-11-2011

Re: IAP 105 and ClearPass self-registration

Yep. Try it and let me know how it goes.

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Regular Contributor I
Posts: 279
Registered: ‎02-11-2013

Re: IAP 105 and ClearPass self-registration

Hi again,

 

Here is where I am now :

 

First add the CPPM server as Radius server in the IAP => ok but do I need to open the ports 1812 and 1813 on my CPPM server ?

On CPPM create the IAP as a Radius Device (Configuration/Network/Device) => ok done and if I have more IAPs, do I need to do the same for each or is there another fast way?

Use the same shared secret and make sure you have the correct ip of the IAP when entering this in CPPM. => ok

 

That should be enough to get the IAP and CPPM talking => Not working now

 

Now - edit your self-registration.

Click the NAS Vendor Settings tab

Check for "Enable guest login for a NAS"

  • Vendor settings: Aruba Networks
  • ip address: the ip of the radius device (IAP) => what about if I need to do this with multiple IAP ?
  • Secure login: if you're not using certificates then set this to "Send cleartext ..."
  • Save changes..

Thanks for your help.

 

Dimitri

MVP
Posts: 507
Registered: ‎05-11-2011

Re: IAP 105 and ClearPass self-registration

Hehe – I see and understand your troubles…

 

=> ok but do I need to open the ports 1812 and 1813 on my CPPM server ?

 

What kind of link do you have? If the CPPM is behind a firewall/NAT device you will have to make sure UDP 1812/1813 and TCP 80/443 are reachable.

The IAP needs Radius access to your CPPM server so those ports need to be reachable.

The clients on the IAP need http/https connection to the CPPM so that too needs to be reachable through the link you have – which is internet?

The CPPM needs a route back to the client through the IAP.

 

=> ok done and if I have more IAP

 

Yes, you will add each of them - assuming those IAPs are at other locations and so not a part of the IAP “cluster”.

 

=> ip address: the ip of the radius device (IAP) => what about if I need to do this with multiple IAP ?

 

Well – in a multiple controller scenario you would click the Dynamic address field “The Controller will send the IP to submit credentials”. Also input which addresses are allowed.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------