Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP GUEST, Captive portal (masqueraded)

  • 1.  IAP GUEST, Captive portal (masqueraded)

    Posted Jan 02, 2015 10:48 AM

    Hi all,

     

    I'm running around in circles here. Hope you guys can help.

     

    - My IAP guest setup places guest users on a separate VLAN that has no route to the internal network.

     

    I have configured an external captive portal for the guest ssid.

    I have created a role (pre-logon) that allows a sourcenat to the CPPM server.

     

    If I connect to the guest ssid, I receive a correct network-issued IP address.

    If I start a web browser and point it to a random site, I am redirected to the URL configured in the external captive portal setting. The browser then times out. No traffic is received from CPPM. The redirect is set up for http port 80; ClearPass then should redirect to 443.

    I can however ping the CPPM server.

     

    If I test this in a vlan that is allowed to route to CPPM, all works fine. Somehow the IAP is not handling my traffic properly. Some config snippets below.

     

    This is driving me nuts! Please help. Thank you!

     

    wlan external-captive-portal Guest_portal_nl
    server nac-portal-nl.mydomain.com
    port 80
    url "/guest/taqa_guest_register_IAP_login.php"
    auth-text ""
    auto-whitelist-disable

     

    wlan ssid-profile TQ_GUEST
    enable
    index 1
    type guest
    essid TQ_GUEST
    opmode opensystem
    max-authentication-failures 0
    vlan 25
    auth-server CPPM-NL
    set-role-pre-auth TQ_GUEST-PREAUTH
    rf-band all
    captive-portal external profile Guest_portal_nl
    dtim-period 1
    inactivity-timeout 1000
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

     

    auth-survivability cache-time-out 24

     

     

    wlan access-rule TQ_GUEST
    index 4
    rule any any match any any any permit

     

     

    wlan access-rule TQ_GUEST-PREAUTH
    index 5
    rule 10.220.207.9 255.255.255.255 match any any any src-nat



  • 2.  RE: IAP GUEST, Captive portal (masqueraded)

    Posted Jan 02, 2015 11:31 AM

    does the CPPM have a route back to your client subnet?



  • 3.  RE: IAP GUEST, Captive portal (masqueraded)

    Posted Jan 03, 2015 09:26 PM
    I have this issue and I think it is a bug in IE or how the CP redirect is done on IAP, if you use HTTPS with port 443 under your CP profile of your IAP you will see it will work.

    I have noticed this behaviour only with the latest IE. You will not see this issue with Firefox or with Chrome when port 80 is configured in IAP.


  • 4.  RE: IAP GUEST, Captive portal (masqueraded)

    EMPLOYEE
    Posted Jan 03, 2015 09:33 PM
    Thanks for the note. Please open a TAC case so we can track the issue.


  • 5.  RE: IAP GUEST, Captive portal (masqueraded)

    Posted Jan 05, 2015 03:47 AM

    All,

     

    I have a MacBook. Tried it with Safari/Chrome & Firefox.

     

    CPPM has no route to the guest network, hence the src-nat rule.

     

    I fiddled around with 443 & 80, that did not seem to help. I'll try again tomorrow when I'm on site.

     

     

    Regards,

     

    Leo



  • 6.  RE: IAP GUEST, Captive portal (masqueraded)

    Posted Jan 05, 2015 09:57 AM

    2015-01-05 09_54_16-Instant.png

     

    2015-01-05 09_50_29-Instant.png



  • 7.  RE: IAP GUEST, Captive portal (masqueraded)

    Posted Jan 05, 2015 12:57 PM

    leo.bink@taqaglobal.com wrote:

    CPPM has no route to the guest network, hence the src-nat rule.



    sure, but it does have one to the IP the traffic is NATed to?



  • 8.  RE: IAP GUEST, Captive portal (masqueraded)

    Posted Jan 06, 2015 02:55 PM

    Hi All,

     

    CPPM does have a route to the AP's management address (& the VC address).

     

    We performed some Wireshark traces (at both ends of the AP) and the AP does not seem to NAT the traffic. The source address is still the guest's machine and not the AP despite the src-nat rule.

     

    - If I let the AP assign IP addresses, it works like a charm. I wiresharked the DHCP offer packet. Nothing strange found.

     

    COUNTERINTUITIVE:  >:\

     

    - I added the CPPM hostname to the walled garden.

    - I changed the src-nat rule to base itself on a domain (FQDN in this case) as opposed to an IP address.

     

    It now seems to work.

     

    I will backtrack tomorrow, to see which change actually solved this and report back.

     

    Leo
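
The thread above (the config in post 1, the port 80/443 observation in post 3, and the IP-versus-FQDN src-nat finding in post 8) can be turned into a quick offline sanity check. The following is an added example, not code from the thread or from HPE Aruba: it parses the posted IAP CLI snippets and flags the two mismatches the posters ran into. The config text is copied from the thread; the check logic and its wording are my own assumptions about what is worth flagging.

```python
import re

# Constructed input: the relevant IAP CLI lines copied from post 1 of the thread.
IAP_CONFIG = """
wlan external-captive-portal Guest_portal_nl
server nac-portal-nl.mydomain.com
port 80
url "/guest/taqa_guest_register_IAP_login.php"

wlan ssid-profile TQ_GUEST
vlan 25
set-role-pre-auth TQ_GUEST-PREAUTH
captive-portal external profile Guest_portal_nl

wlan access-rule TQ_GUEST-PREAUTH
index 5
rule 10.220.207.9 255.255.255.255 match any any any src-nat
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}$")

def parse_blocks(text):
    """Group config lines under their 'wlan <kind> <name>' header."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"wlan (\S+) (\S+)$", line)
        if m:
            current = (m.group(1), m.group(2))
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def kv(lines):
    """'key rest of line' -> dict; keyword-only lines map to ''."""
    return {l.split(" ", 1)[0]: (l.split(" ", 1) + [""])[1] for l in lines}

def check_preauth(text, ssid):
    """Return (expected redirect URL, list of findings) for the SSID's pre-auth role."""
    blocks = parse_blocks(text)
    prof = kv(blocks[("ssid-profile", ssid)])
    role, portal = prof["set-role-pre-auth"], prof["captive-portal"].split()[-1]
    p = kv(blocks[("external-captive-portal", portal)])
    path = p["url"].strip('"')
    url = f"http{'s' if p['port'] == '443' else ''}://{p['server']}:{p['port']}{path}"
    findings = []
    if p["port"] != "443":  # post 3: IE only redirected reliably with HTTPS/443
        findings.append("portal profile uses port 80; thread reports IE redirect failures unless 443 is used")
    nat = [l.split() for l in blocks[("access-rule", role)] if l.endswith(" src-nat")]
    if not nat:
        findings.append(f"pre-auth role {role} has no src-nat rule toward the portal")
    for r in nat:  # post 8: rule keyed on an IP while the portal is addressed by FQDN
        if IPV4.match(r[1]) and not IPV4.match(p["server"]):
            findings.append(f"src-nat rule keyed on {r[1]} but portal server is FQDN {p['server']}; confirm they match and CPPM routes back to the NAT address")
    return url, findings
```

Run `check_preauth(IAP_CONFIG, "TQ_GUEST")` to get the redirect URL the client should be sent to and the findings for this configuration.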