Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NAC and Cisco 3750

  • 1.  NAC and Cisco 3750

    Posted Nov 22, 2013 09:36 AM

    All,

     

    We are having issues with the ClearPass portal page redirect when using wired authentication.  When we plug a PC into the switchport and open a browser we don't get a redirect to the ClearPass portal page.  If I manually type in the redirect, I can get to the page fine.  I figure if I pop a browser it should take me there automatically.  Any suggestions are appreciated.

     

    Thanks,

     

    Bill



  • 2.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 10:31 AM

    Can you share the Enforcement Profile you are sending back to the switch?   Specifically the Cisco-AVPair response attributes.

     

    Also, make sure you have http and https enabled on the switch:

    ip http server

    ip http secure-server



  • 3.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 10:59 AM

    Hi clembo,

     

    ip http server and ip http secure-server are in the switch config.

     

    Here's the enforcement profile we are sending back.

     

     

    1. Radius:Cisco:Cisco-AVPair = url-redirect=https://x.x.x.x/guest/poc_wired_login.php?mac=%{Connection:Client-Mac-Address-Colon}
    2. Radius:Cisco:Cisco-AVPair = url-redirect-acl=CPG

         

     



  • 4.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 11:06 AM

    Does Access Tracker show the proper RADIUS response and attributes returned on the Output tab?

     

    What does the following show for the port you are plugged into.  Does it show the proper URL Redirect and ACL?

    show authentication sessions interface <interface>

     


    Also, what does your CPG ACL look like?

     



  • 5.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 11:08 AM

    One more thing, what IOS version is on the switch?  



  • 6.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 11:21 AM

    Here's the IOS version.

     

    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9-M), Version 12.2(55)SE8, RELEASE SOFTWARE (fc2)



  • 7.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 11:23 AM

    CPG ACL is below.  The 10.1.1.1 being the clearpass IP.

     

    !
    ip access-list extended CPG
     deny   tcp any host 216.68.1.100
     deny   tcp any host 216.68.2.100
     deny   tcp any host 10.1.1.1
     deny   tcp any host 10.2.2.2
     permit tcp any any

     

    I will get you the access tracker and sh auth sessions info here shortly.



  • 8.  RE: NAC and Cisco 3750

    Posted Nov 22, 2013 02:08 PM

    Access Tracker info:

     

    Enforcement Profiles:
    POC Cisco redirect
    System Posture Status:
    UNKNOWN (100)
    Audit Posture Status:
    UNKNOWN (100)
     
    -RADIUS Response
    Radius:Cisco:Cisco-AVPair = url-redirect-acl=CPG
    Radius:Cisco:Cisco-AVPair = url-redirect=https://10.1.1.1/guest/poc_wired_login.php?mac=00:18:8b:b9:0c:bb

     

     

    dtnsa-5-lab-9#sh authentication sessions int g1/0/12
                Interface:  GigabitEthernet1/0/12
              MAC Address:  0018.8bb9.0cbb
               IP Address:  10.237.75.46
                User-Name:  00188bb90cbb
                   Status:  Authz Success
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
             URL Redirect:  https://10.1.1.1/guest/poc_wired_login.php?mac=00:18:8b:b9:0c:bb
         URL Redirect ACL:  CPG
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0AC700E60000002333D9E98D
          Acct Session ID:  0x0000003E
                   Handle:  0x35000023

    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success

     


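The "show authentication sessions" output above is the one place the thread checks that the switch actually received and applied the redirect. As an added example (not code from the thread or from Aruba), the script below parses that output and runs the checks the replies ask for: Authz Success, MAB succeeded, redirect URL pointing at the ClearPass address, the client MAC present in the URL (the 12.2(55)SE3 symptom reported later in the thread, where the mac= part was dropped), and the redirect ACL name. The sample output is constructed from the values posted above; the check names and the `webauth` method name are my own assumptions.

```python
"""Check a Cisco IOS 'show authentication sessions interface <if>' dump for a
working central-web-auth (CWA) session. Added example, not from the thread."""
import re

# Constructed sample, same shape and values as the output posted in the thread.
SAMPLE_SESSION = """\
            Interface:  GigabitEthernet1/0/12
          MAC Address:  0018.8bb9.0cbb
           IP Address:  10.237.75.46
            User-Name:  00188bb90cbb
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
           Vlan Group:  N/A
         URL Redirect:  https://10.1.1.1/guest/poc_wired_login.php?mac=00:18:8b:b9:0c:bb
     URL Redirect ACL:  CPG
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0AC700E60000002333D9E98D
      Acct Session ID:  0x0000003E
               Handle:  0x35000023

Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
"""

# "<key>:  <value>" lines; the key stops at the first colon followed by blanks,
# so a URL value containing "https:" is not split.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]+?):\s+(.*?)\s*$")
# rows of the "Runnable methods list" table (method names assumed)
METHOD_RE = re.compile(r"^\s*(dot1x|mab|webauth)\s+(.+?)\s*$")


def parse_auth_session(text):
    """Return (fields, methods): the key/value block as a dict and each
    runnable method mapped to its reported state."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        if line.strip().startswith("Runnable methods list"):
            in_methods = True
            continue
        m = (METHOD_RE if in_methods else FIELD_RE).match(line)
        if m:
            (methods if in_methods else fields)[m.group(1)] = m.group(2)
    return fields, methods


def normalize_mac(s):
    """Strip delimiters so 0018.8bb9.0cbb and 00:18:8b:b9:0c:bb compare equal."""
    return re.sub(r"[^0-9a-f]", "", (s or "").lower())


def mac_from_url(url):
    """The mac= query parameter ClearPass expects in the redirect URL, or None."""
    m = re.search(r"[?&]mac=([0-9A-Fa-f:.-]+)", url)
    return normalize_mac(m.group(1)) if m else None


def check_cwa_session(text, clearpass_ip, expected_acl):
    """The checks asked for in the thread, as a name -> bool dict."""
    fields, methods = parse_auth_session(text)
    url = fields.get("URL Redirect", "")
    return {
        "authz_success": fields.get("Status") == "Authz Success",
        "mab_success": methods.get("mab") == "Authc Success",
        "redirect_to_clearpass": url.startswith("https://%s/" % clearpass_ip),
        "redirect_carries_client_mac": mac_from_url(url) == normalize_mac(fields.get("MAC Address")),
        "redirect_acl_set": fields.get("URL Redirect ACL") == expected_acl,
        "session_timeout_set": fields.get("Session timeout", "N/A") != "N/A",
    }


if __name__ == "__main__":
    for name, ok in check_cwa_session(SAMPLE_SESSION, "10.1.1.1", "CPG").items():
        print("%-28s %s" % (name, "ok" if ok else "MISSING"))
```

Run against the posted output, everything but `session_timeout_set` passes, which matches the thread: the redirect side is fine on the switch, and the missing Session-Timeout is the separate guest-expiry problem discussed later.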

  • 9.  RE: NAC and Cisco 3750

    Posted Nov 23, 2013 09:04 AM

    I don't see anything obvious with your results.   It looks like ClearPass is sending the proper attributes and the switch is setting them for the port.   Can you show the configuration for the port itself please?



  • 10.  RE: NAC and Cisco 3750

    EMPLOYEE
    Posted Nov 24, 2013 06:04 AM

    Try this link.

     

    https://afp.arubanetworks.com/afp/index.php/Cisco_Wired_Guest_for_ClearPass_6.2.1_and_greater

     

    There are a couple of verification commands in the troubleshooting area and I added some at the bottom for DACLs that will help you troubleshoot your config.

     

    !
    aaa new-model
    !
    !
    aaa authentication dot1x default group radius local
    aaa authorization network default local group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    aaa server radius dynamic-author
     client 10.80.2.100 server-key XXXXXXXX
     client 10.80.2.106 server-key XXXXXXXX
     client 10.80.2.107 server-key XXXXXXXX
     port 3799
     auth-type all
    !
    !
    interface FastEthernet1/0/18
     switchport access vlan 200
     switchport mode access
     switchport voice vlan 50
     authentication event no-response action authorize vlan 400
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 20
     dot1x timeout supp-timeout 20
     dot1x max-reauth-req 1
     no mdix auto
     spanning-tree portfast trunk
    !
    !
    interface GigabitEthernet1/0/1
    !
    interface GigabitEthernet1/0/2
    !
    interface Vlan1
     ip address 10.80.2.5 255.255.255.0
     ip helper-address 10.80.2.254
     ip helper-address 10.80.2.100
     no ip route-cache
     no ip mroute-cache
    !
    interface Vlan400
     description "quarantine_vlan"
     ip address 10.0.4.5 255.255.255.0
     ip helper-address 10.80.2.254
     ip helper-address 10.80.2.100
     no ip route-cache
     no ip mroute-cache
     shutdown
    !
    ip default-gateway 10.80.2.1
    ip classless
    ip http server
    ip http secure-server
    !
    ip access-list extended cplab
     deny   tcp any host 10.80.2.100
     permit tcp any any
    ip access-list extended default_acl
     permit ip any any
    ip access-list extended guest
     deny   tcp any host 10.80.2.100
     deny   tcp any host 10.80.2.106
     deny   tcp any host 10.80.2.107
     permit tcp any any
    !

     


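Both the CPG ACL earlier in the thread and the cplab/guest ACLs in the config above follow the same pattern: deny lines for ClearPass (and the DNS hosts), then permit tcp any any. That is because a url-redirect-acl is read the opposite way from a filtering ACL: traffic that the ACL permits is what the switch intercepts and redirects, traffic it denies is passed through. The example below (added here, not code from the thread or from Aruba or Cisco) parses the subset of extended-ACL syntax used on this page and evaluates a flow against it with first-match semantics, so you can see which destinations get redirected and catch the one mistake that breaks the portal: forgetting to exempt the ClearPass address, so the redirect target itself is redirected. The client and destination addresses in the checks are constructed; the port-name table is an assumption covering the names IOS commonly prints.

```python
"""Evaluate a Cisco IOS url-redirect ACL. Added example, not from the thread."""
import ipaddress

# ACL copied from the thread (10.1.1.1 is the ClearPass server there).
CPG_ACL = """\
ip access-list extended CPG
 deny   tcp any host 216.68.1.100
 deny   tcp any host 216.68.2.100
 deny   tcp any host 10.1.1.1
 deny   tcp any host 10.2.2.2
 permit tcp any any
"""

# assumed subset of the port names IOS prints after "eq"
PORT_NAMES = {"www": 80, "domain": 53, "bootps": 67, "bootpc": 68}


def _parse_addr(tok):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host" or tok[1] == "0.0.0.0":   # "x 0.0.0.0" is IOS for host x
        addr = tok[1] if tok[0] == "host" else tok[0]
        return ipaddress.ip_network(addr + "/32"), tok[2:]
    # ipaddress accepts a Cisco wildcard (hostmask) after the slash
    return ipaddress.ip_network(tok[0] + "/" + tok[1], strict=False), tok[2:]


def parse_extended_acl(text):
    """Parse 'ip access-list extended <name>' plus its entries; returns (name, entries)."""
    name, entries = None, []
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[:3] == ["ip", "access-list", "extended"]:
            name = tok[3]
            continue
        action, proto, rest = tok[0], tok[1], tok[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return name, entries


def first_match(entries, proto, src, dst, dport):
    """Cisco ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"]
    return "deny"


def is_redirected(entries, client_ip, dst_ip, dport=80):
    """For a url-redirect-acl the meaning is inverted from a filtering ACL:
    permit = intercept this HTTP/HTTPS flow and send the client to the portal,
    deny (including the implicit deny) = let it through untouched."""
    return first_match(entries, "tcp", client_ip, dst_ip, dport) == "permit"


def portal_loop_risks(entries, clearpass_ips, client_ip="10.237.75.46"):
    """ClearPass addresses the ACL would redirect. Any hit means the portal
    page itself is intercepted and the client never reaches the login form."""
    return [ip for ip in clearpass_ips if is_redirected(entries, client_ip, ip, 443)]


if __name__ == "__main__":
    _, acl = parse_extended_acl(CPG_ACL)
    print("to ClearPass :443 redirected?", is_redirected(acl, "10.237.75.46", "10.1.1.1", 443))
    print("to 93.184.216.34:80 redirected?", is_redirected(acl, "10.237.75.46", "93.184.216.34", 80))
    print("loop risks:", portal_loop_risks(acl, ["10.1.1.1"]))
```

Note that this ACL only decides what the HTTP intercept (which needs `ip http server` / `ip http secure-server`) grabs; what the client may reach at all is governed by the port ACL (`ip access-group default in` on the port shown later) or a downloadable ACL, which is a separate object with normal permit/deny meaning.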

  • 11.  RE: NAC and Cisco 3750

    Posted Dec 31, 2013 05:31 AM

    Hello guys, I have a similar problem with wired web-auth (as described here), but the link you provided, "https://afp.arubanetworks.com/afp/index.php/Cisco_Wired_Guest_for_ClearPass_6.2.1_and_greater", requires authorization.

     

    Which credentials should I use in order to open it?

     

    thanks



  • 12.  RE: NAC and Cisco 3750

    EMPLOYEE
    Posted Dec 31, 2013 06:16 AM
    You will need to set up a partner account.


    https://arubanetworkskb.secure.force.com/prm/


  • 13.  RE: NAC and Cisco 3750

    Posted Jan 11, 2014 06:14 AM

    Hello,

     

    I did everything as described there (https://arubanetworkskb.secure.force.com/prm/), everything works fine, but I have some trouble with the Guest application interaction: when a guest expires, there is no feedback from the Guest App (i.e. no PoD/CoA sent to the switch => sessions remain active even with an expired account), while if I do a manual "disconnect" from Guest -> Active sessions, it works. 

     

    In order to make the username "visible" for the Guest App, I did one trick (described here: https://afp.arubanetworks.com/afp/index.php/How-To:_Return_username_for_MAC_Auth), therefore now the Guest App is aware of the username of the session, but still no action is performed on account expiration.

     

    In the attachment: export of the 2 services needed for centralized web-auth (.xml)

     

    What did I do wrong?

     

    Thanks in advance



  • 14.  RE: NAC and Cisco 3750

    EMPLOYEE
    Posted Jan 12, 2014 01:18 AM

    Alex,

     

    Can you re-add the link of the guide you followed. The link you provided just takes you to the login page.

     

    Just a couple things.

     

    1. What version of CPPM?

    2. Switch model and firmware?

    3. Is Insight enabled?

    4. Under Administration » Server Manager » Server Configuration, click on the server, go to Service Parameters, RADIUS, scroll to the bottom and make sure accounting is set to true. 

     



  • 15.  RE: NAC and Cisco 3750

    Posted Jan 12, 2014 07:24 AM

    Hi,

     

    Sorry, I gave wrong link, here is correct:

     

    https://afp.arubanetworks.com/afp/index.php/Cisco_Wired_Guest_for_ClearPass_6.2.1_and_greater

     

    CPPM - 6.2.4
    switch - Catalyst 3750-X, IOS 12.2(55)SE3
    Insight - enabled, though I don't use this database in my case (I use endpoint repository - for MAB, guest DB - for Web auth)
    Radius accounting - enabled





  • 16.  RE: NAC and Cisco 3750

    Posted Jan 14, 2014 04:18 PM

    Guys, this task is very important for me (I'm doing R&D about ClearPass for one big company). 

     

    Any suggestions?



  • 17.  RE: NAC and Cisco 3750

    EMPLOYEE
    Posted Jan 14, 2014 04:22 PM
    Alex,

    I'm traveling at the moment and haven't had time to look at your issue. Can you send me a private message with your contact info and I will have a CP SE contact you.


  • 18.  RE: NAC and Cisco 3750

    Posted Nov 25, 2013 07:57 AM

    Here's the config of the port itself.

     

    !
    interface GigabitEthernet1/0/12
     switchport access vlan 75
     switchport mode access
     ip access-group default in
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 3
     dot1x timeout supp-timeout 5
     spanning-tree portfast
    end



  • 19.  RE: NAC and Cisco 3750

    Posted Dec 10, 2013 07:00 PM
    What type of portal page are you using for this? I was able to "guest self register", but how do I make it authenticate with AD?


  • 20.  RE: NAC and Cisco 3750

    Posted Jan 14, 2014 09:02 PM
    Alex,

    In your MAC-auth enforcement profile, what do you have set for the session timer? This should be a variable in the number of seconds you want the client to re-auth, all based on when the guest's account expires.

    This is another authentication source that you would use as an authorization source, to calculate the time remaining on the client's device.


    Does this sound correct?


  • 21.  RE: NAC and Cisco 3750

    Posted Jan 15, 2014 02:50 AM

    Hi,

     

    I have set the session timeout to 30 min (static value) as a possible workaround, since it's impossible to extract %{remaining time} for the Guest account from the Endpoint database (I use it for MAB); there is no such field there.

     

    Even if I add the Guest DB as an authentication/authorization source for the MAB service and use [Post Auth profiles], no result; logs from Access Tracker show: "Failed to get these values"

     

    Remaining time is a good idea; however, this is also a static value (computed at the moment of guest login), and I need some explicit dynamic mechanism (like CoA), for example when you change the expiration time for an account while the session is active, and so on.



  • 22.  RE: NAC and Cisco 3750

    Posted Jan 15, 2014 06:04 AM

    In the link supplied by tarnold, how is the computer placed in the Computer role?

     

    There are some holes in there that mess things up for me, so any clarification on all the points would be awesome.



  • 23.  RE: NAC and Cisco 3750

    Posted Jan 15, 2014 06:36 AM

    I don't use such a role in my case. CPPM returns redirect-url + redirect ACL on MAB failure, otherwise (Endpoint = known) a simple allow policy. 

    Classification is OK

     

    I attached screenshots of the services used (MAB+WEB)



  • 24.  RE: NAC and Cisco 3750

    Posted Jan 15, 2014 06:46 AM

    Could you also post the summary pages for the Services used?



  • 25.  RE: NAC and Cisco 3750

    Posted Jan 15, 2014 06:53 AM

    here they are



  • 26.  RE: NAC and Cisco 3750

    Posted Jan 15, 2014 08:35 AM

    Alex,

     

    You have to set up an authorization service that runs an SQL query against the tips_guest_users database, like the one seen below. Then from here you would use something like this in the value of the enforcement policy:

    %{Authorization:[MAC-Guest-Check]:RemainingExpiration}

     

    auth source name "MAC-Guest-Check"

     

    SELECT user_id AS guest_device_user,
           CASE WHEN enabled = FALSE THEN 225
                WHEN ((start_time > now()) OR ((expire_time IS NOT NULL) AND (expire_time <= now()))) THEN 226
                WHEN approval_status != 'Approved' THEN 227
                ELSE 0 END AS Account_Status,
           sponsor_name,
           CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER) AS remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')
           AND (enabled = 't') AND ((expire_time IS NULL) OR (expire_time > CURRENT_TIMESTAMP)))

     

    * This is from a CPPM Guest template.

     

    If you extended the time of the user they would just reauthenticate. If you shorten the account time, the device would have to be CoA'd somehow to get the new timeout value.

     

     


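To see what the query in the post above actually hands back to the enforcement profile, and how it becomes a Session-Timeout (the mechanism suggested a few posts earlier), here is an added example that is not from the thread, from Aruba or from any ClearPass template. It translates the PostgreSQL query to SQLite so it runs stand-alone (now() becomes a parameter so results are deterministic, EXTRACT(epoch ...) becomes strftime arithmetic), fills a table of constructed guest accounts, and derives the timeout the MAB profile would send. Column names follow the query; the clamp values and the account data are assumptions.

```python
"""Guest-account remaining time -> RADIUS Session-Timeout. Added example."""
import sqlite3
from datetime import datetime, timedelta

# Fixed "now" (the timestamp of the Access Tracker log in this thread) so the
# numbers below are reproducible; the guest rows are constructed, not real data.
NOW = datetime(2014, 1, 16, 12, 55, 42)
TS = "%Y-%m-%d %H:%M:%S"

SCHEMA = """
CREATE TABLE tips_guest_users (
  user_id TEXT, guest_type TEXT, app_name TEXT, enabled INTEGER,
  approval_status TEXT, sponsor_name TEXT, start_time TEXT, expire_time TEXT
);
"""

# SQLite translation of the tips_guest_users query posted above: same CASE
# codes (225 disabled, 226 outside the start/expire window, 227 not approved)
# and the same WHERE filter; now() -> :now, EXTRACT(epoch ...) -> strftime('%s').
QUERY = """
SELECT user_id AS guest_device_user,
       CASE WHEN enabled = 0 THEN 225
            WHEN (start_time > :now)
                 OR (expire_time IS NOT NULL AND expire_time <= :now) THEN 226
            WHEN approval_status != 'Approved' THEN 227
            ELSE 0 END AS account_status,
       sponsor_name,
       CAST(strftime('%s', expire_time) - strftime('%s', :now) AS INTEGER)
           AS remaining_expiration
FROM tips_guest_users
WHERE guest_type = 'USER' AND user_id = :user AND app_name != 'Onboard'
  AND enabled = 1 AND (expire_time IS NULL OR expire_time > :now)
"""
COLUMNS = ("guest_device_user", "account_status", "sponsor_name", "remaining_expiration")


def lookup(conn, user_id, now=NOW):
    """Run the authorization query for one guest. None when no row qualifies."""
    row = conn.execute(QUERY, {"user": user_id, "now": now.strftime(TS)}).fetchone()
    return None if row is None else dict(zip(COLUMNS, row))


def session_timeout(conn, user_id, now=NOW, cap=86400, floor=60):
    """Seconds to send as Radius:IETF:Session-Timeout from the MAB profile:
    time left on the account, clamped to [floor, cap] (clamp values assumed).
    None means no valid account: do not grant access, return the redirect."""
    r = lookup(conn, user_id, now)
    if r is None or r["account_status"] != 0:
        return None
    if r["remaining_expiration"] is None:    # account never expires
        return cap
    return max(floor, min(cap, r["remaining_expiration"]))


def demo_db(now=NOW):
    """In-memory table with constructed accounts covering the interesting cases."""
    fmt = lambda t: None if t is None else t.strftime(TS)
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tips_guest_users VALUES (?,?,?,?,?,?,?,?)", [
        ("alice@example.com",   "USER",   "Guest", 1, "Approved", "bob", fmt(now - timedelta(hours=1)), fmt(now + timedelta(minutes=45))),
        ("expired@example.com", "USER",   "Guest", 1, "Approved", "bob", fmt(now - timedelta(days=2)),  fmt(now - timedelta(hours=1))),
        ("pending@example.com", "USER",   "Guest", 1, "Pending",  "bob", fmt(now - timedelta(hours=1)), None),
        ("device@example.com",  "DEVICE", "Guest", 1, "Approved", "bob", fmt(now),                      None),
    ])
    return conn


if __name__ == "__main__":
    db = demo_db()
    for u in ("alice@example.com", "expired@example.com", "pending@example.com", "device@example.com"):
        print(u, lookup(db, u), "-> Session-Timeout", session_timeout(db, u))
```

Two things worth noticing. The WHERE clause already drops disabled and expired accounts, so the 225 and 226 codes never actually surface: an expired guest simply produces no row, and an authorization attribute with no row behind it cannot be substituted into the profile (compare the "Failed to get these values" message earlier in the thread). Your enforcement policy therefore has to treat a missing value as "no access", not fall through to a default. And, as the post says, this only makes the switch re-authenticate when the original expiry arrives; shortening an account after the session is up still needs a CoA or Disconnect from ClearPass.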

  • 27.  RE: NAC and Cisco 3750

    Posted Jan 16, 2014 07:37 AM

    Thanks a lot for your reply, but unfortunately I'm not familiar with SQL.

     

    I have found that my Catalyst 3750-X, IOS 12.2(55)SE3, processed the URL-redirect attribute incorrectly (didn't append the "mac=..." part).

     

    I changed the IOS code version to 15.2; now url-redirect works OK, but this hasn't solved the problem. Even more, now I see several active sessions (as MAB and as username), and automatic disconnect (at expiration time) doesn't work.

     

    I tried to use different MAC formats in the redirect-url (.php?mac=%{----   Colon/Dot/NoDelim/Hyphen}), but still no result.

    In the attachment: output from Guest -> Active sessions

     

    Here is the log output from Access Tracker (web-auth service):

     

    Request log details for session: W00000029-01-52d7baae

    Time Message

    2014-01-16 12:55:42,959[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-645 h=79 r=W00000029-01-52d7baae] INFO Core.ServiceReqHandler - Service classification result = Cisco WEB guest policy
    2014-01-16 12:55:42,979[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO Common.EndpointTable - Returning EndpointSPtr for macAddr 001560bc07a8
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO Common.GuestUserTable - Returning GuestUserSPtr for user ID asd@asd.com
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO Common.TagDefinitionCacheTable - No TagDefCacheMap could be found for instance id = 0 entity id = 29
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 r=psauto-1389430421-646 h=83 r=W00000029-01-52d7baae] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2014-01-16 12:55:42,980[RequestHandler-1-0x7fe522df6700 h=4267 c=W00000029-01-52d7baae] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_SOAP_WEBAUTH Started ***
    2014-01-16 12:55:42,981[RequestHandler-1-0x7fe522df6700 h=4268 c=W00000029-01-52d7baae] WARN REC.EvaluatorCtx - Prerequisites set is empty, not populating the Request Map
    2014-01-16 12:55:42,983[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4269 c=W00000029-01-52d7baae] INFO Common.GuestUserTable - Returning GuestUserSPtr for user ID asd@asd.com
    2014-01-16 12:55:42,983[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4269 c=W00000029-01-52d7baae] INFO Core.PETaskRoleMapping - Roles: Guest], User Authenticated]
    2014-01-16 12:55:42,986[RequestHandler-1-0x7fe522df6700 h=4272 c=W00000029-01-52d7baae] INFO Core.PETaskEnforcement - EnfProfiles: Guest MAC Caching, Guest Session Limit, Guest Do Expire, Guest Expire Post Login, Cisco - Terminate Session]
    2014-01-16 12:55:42,987[RequestHandler-1-0x7fe522df6700 h=4277 c=W00000029-01-52d7baae] INFO Core.PETaskGenericEnfProfileBuilder - getApplicableProfiles: No App enforcement (Generic) profiles applicable for this device
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileTable - getAppType: Failed for id=3005
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileCacheTable -
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileTable - getAppType: Failed for id=3006
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileCacheTable -
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileTable - getAppType: Failed for id=3003
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileCacheTable -
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileTable - getAppType: Failed for id=3004
    2014-01-16 12:55:42,988[RequestHandler-1-0x7fe522df6700 h=4273 c=W00000029-01-52d7baae] ERROR Common.AppEnfProfileCacheTable -
    2014-01-16 12:55:42,989[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4275 c=W00000029-01-52d7baae] INFO Core.PETaskRadiusCoAEnfProfileBuilder - Radius_CoA enfProfiles used: Cisco - Terminate Session]
    2014-01-16 12:55:42,989[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4275 c=W00000029-01-52d7baae] INFO Core.PETaskRadiusCoAEnfProfileBuilder - UnknownAutzParams to fetch for RadiusCoAEnfProfiles: :
    2014-01-16 12:55:42,989[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4275 c=W00000029-01-52d7baae] INFO Core.PETaskRadiusCoAEnfProfileBuilder - UnknownNAutzParams to fetch for RadiusCoAEnfProfiles: : Radius:IETF:Calling-Station-Id
    2014-01-16 12:55:42,989[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4275 c=W00000029-01-52d7baae] WARN Util.ParameterizedString - getReplacedStrings: Failed to replace parameString =%{Radius:IETF:Calling-Station-Id}, error=No values for param=Radius:IETF:Calling-Station-Id
    2014-01-16 12:55:42,990[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4275 c=W00000029-01-52d7baae] ERROR Core.PETaskRadiusCoAEnfProfileBuilder - addParamsFromParameterizedProfile: Failed to find finalValue for name= Radius:IETF:Calling-Station-Id value = %{Radius:IETF:Calling-Station-Id}. Searching attributes from battery
    2014-01-16 12:55:42,990[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4276 c=W00000029-01-52d7baae] INFO Core.PETaskPostAuthEnfProfileBuilder - Post auth enforcement profiles used: Guest MAC Caching, Guest Session Limit, Guest Do Expire, Guest Expire Post Login
    2014-01-16 12:55:42,990[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4276 c=W00000029-01-52d7baae] INFO Core.PETaskPostAuthEnfProfileBuilder - UnknownAutzParams to fetch for PostAuthEnfProfiles: :
    2014-01-16 12:55:42,990[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4276 c=W00000029-01-52d7baae] INFO Core.PETaskPostAuthEnfProfileBuilder - UnknownNAutzParams to fetch for PostAuthEnfProfiles: :
    2014-01-16 12:55:42,997[RequestHandler-1-0x7fe522df6700 h=4278 c=W00000029-01-52d7baae] INFO Core.PETaskCliEnforcement - startHandler: No commands for CLI enforcement
    2014-01-16 12:55:43,007[RequestHandler-1-0x7fe522df6700 h=4280 c=W00000029-01-52d7baae] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2014-01-16 12:55:43,010[RequestHandler-1-0x7fe522df6700 h=4279 c=W00000029-01-52d7baae] INFO Core.PolicyResCollector - getSohr: Failed to generate Sohr
    2014-01-16 12:55:43,010[RequestHandler-1-0x7fe522df6700 r=W00000029-01-52d7baae h=4267 c=W00000029-01-52d7baae] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_SOAP_WEBAUTH Completed ***