Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

  • 1.  Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 03:05 PM

    Just curious if this is even possible.

     

    I am in the process of deploying, and found out the client has no PEFNG licenses.  I cannot use User Roles since the PEFNG is required for that.  I have the redirect working, but it looks like it never passes on anything other than a MAC Auth to the ClearPass server.

     

    Thanks.



  • 2.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    EMPLOYEE
    Posted Apr 22, 2015 03:07 PM

    Yes, this is definitely possible.

     

    Did you configure the RADIUS server for the L3 Captive Portal Profile to point to ClearPass and enable User Login on the Captive Portal Profile?

     



  • 3.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 03:22 PM

    I configured the layer 3 portal and it does redirect me to the page.  The whole flow on the guest side of ClearPass looks fine.  I never see any other entry in Access Tracker after submitting though.



  • 4.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    EMPLOYEE
    Posted Apr 22, 2015 03:25 PM

    And you checked that User Login was enabled in the Captive Portal profile?

     



  • 5.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 03:29 PM

    Correct, it has User Login checked.



  • 6.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    EMPLOYEE
    Posted Apr 22, 2015 03:36 PM

    Ok, that looks good.

     

    What about the Server Group for that Captive Portal profile?

     




  • 7.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 03:40 PM

    It points to the ClearPass server group, and the ClearPass server is in that group.

    I have also tested the Server group itself with an 802.1X SSID pointing to it.



  • 8.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?
    Best Answer

    EMPLOYEE
    Posted Apr 22, 2015 03:47 PM

    A couple things to check...

     

    1. Do you see anything of interest in CPPM->Monitoring->Event Viewer?

    2. In CPG, Under the Guest Self Reg page you are using, check the NAS Login settings. They should be set to Aruba. If you ever changed your certificate on your controller, then you will need to change the IP Address listed from securelogin.arubanetworks.com to whatever the cert was that you put on your controller. Or for testing with a single controller, you could set this to the IP address of the controller on the Guest VLAN.

     



  • 9.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 03:50 PM

    Now without the PEFNG licenses, I cannot push down Aruba User roles, can I?  I know that I cannot create them in the controller.



  • 10.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    EMPLOYEE
    Posted Apr 22, 2015 03:57 PM

    Correct. You cannot use user roles. Just send an Allow Access profile for successful Guest Auth. Then the user will get the guest role.

     

    You will need to make the same change for the MAC caching service. Just pass Allow Access enforcement profile for successful auth.

     



  • 11.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 04:03 PM

    That was it, they changed their cert.  I updated to what they changed their cert to and it started working.  Thanks for all the help!



  • 12.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    EMPLOYEE
    Posted Apr 22, 2015 03:09 PM
    Yes. Does your MAC-auth service fail through to return the guest-login role?


    Thanks,
    Tim


  • 13.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    EMPLOYEE
    Posted Apr 22, 2015 03:15 PM

    I think what Tim means here is that your MAC Caching service should deny access by default so that the guest user gets the default AAA profile (Captive Portal profile) when they first connect.

     

    So, you should see MAC Auth failure on the first connection attempt.

     



  • 14.  RE: Is it possible to deploy clearpass guest on an Aruba controller without PEFNG licenses?

    Posted Apr 22, 2015 03:26 PM

    That is correct, I get a MAC Auth failure first.