Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

New Captive Portal page generating multiple log in requests per client

This thread has been viewed 0 times

  • 1.  New Captive Portal page generating multiple log in requests per client

    Posted Dec 01, 2016 08:57 AM

    Hi,

     

    I recently implemented a new captive portal page for our guest network.

     

    The captive portal page is built out of a "Web Logins" page and contains a bit of custom code to make the username and password be the same value.

    The user only needs to put in their "user name".

    The user name or ID comes from our Visitor management software used by our receptionist. It is printed on every visitor badge.

     

    During my testing everything was working well. Since putting it into production I am having issues where some clients generate more then one request during the authentication process.

    Request 1:

    2016-12-01_08h44_09.png

    Request 2:

    2016-12-01_08h44_28.png

    As you can see the requests differ quite a bit.

     

    I have not been able to reproduce this behavior myself. What would cause this? Is it an issue with the portal page itself? Is it the client causing this? A configuration on the controller?

     

    What disctates the "NAS-Port-Type" and "Service-Type" and whether or not things like the "Aruba-Port-Id" are included in the radius request?

     

    Sorry, for all the questions. Seems everytime I work with the CPPM and controller it get a big reality check slap in the face that reminds me how little I acually know about both.

     

    Cheers



  • 2.  RE: New Captive Portal page generating multiple log in requests per client

    Posted Dec 02, 2016 12:38 AM

    NAS-Port-Type 15 is Ethernet (wired), Service-Type 17 is Authorize Only

    NAS-Port-Type 19 is Wireless, Service-Type 1 is Login

     

    Do you have a wired switch in the path that is performing some type of authentication?

     

     



  • 3.  RE: New Captive Portal page generating multiple log in requests per client

    Posted Feb 18, 2017 11:04 AM

    Hi rfiler,

     

    I apologize for never replying to this post. I got side tracked onto something else and was never able to get back to looking into this issue. As a quick solution I modifed my service to catch all of the different requests that the ClearPass was seeing.

     

    We currently have all our of Cisco switches configured for 802.1x. The AP's themselves are doing MAC auth (at the moment). All information is sent back to the controller, nothing is terminated on the switches.

     

    The guest request shouldn't be seen by the switch at all (at least this is what I am assuming). Could it be that somehow the AP doing MAC auth is some how interferring with the Guest authentication process?