Occasional Contributor II
Posts: 12
Registered: ‎05-22-2013

Not redirecting to Captive Portal

Using the Virtual controller on an IAP pointing to CPPM (6.1) for BYOD. Have an employee SSID set up on Instant which points to CPPM and Onboard configured for Captive portal. I can't seem to perform redirection to the Captive portal. The redirection works for my guest SSID and CPPM/Onboard guest portal. Any pointers much appreciated.

MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Not redirecting to Captive Portal

Have you confirmed it's not a DNS resolution issue?
Have you tried using an IP address for redirection?
If the employee SSID is in a different VLAN than your other SSIDs, does the VLAN on the controller have an IP assigned to it?
=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Occasional Contributor II
Posts: 12
Registered: ‎05-22-2013

Re: Not redirecting to Captive Portal

 

Confirmed it's not a DNS resolution issue, also tried with IP address. We are using a single SSID called byod on the Instant AP which maps to an employee role. Thanks a bunch.

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Not redirecting to Captive Portal

BYOD on a Single SSID

Instant OS 3.2 and earlier did not provide the ability to redirect a client to a captive portal page post 802.1X authentication. This limitation required the use of 2 SSIDs: 1) provisioning SSID 2) approved device SSID (802.1X) to provide a complete BYOD solution. In Instant OS 3.3, Aruba introduced the ability to redirect a client to a captive portal page after 802.1X authentication. This new enhancement provides the ability to append a captive portal redirection to a user role. This enhancement coupled with the ability to define a user role based on the EAP authentication type allows the use of a single SSID for a complete BYOD solution. The steps involved in configuring a single SSID for BYOD are these:

  1. Create a user role with captive portal redirection
  2. Create an employee SSID with WPA2-Enterprise authentication
  3. In the employee SSID configuration create a derivation rule that assigns the captive portal user role based on 802.1X authentication type (Ex: EAP-PEAP MSCHAPv2)
  4. Optionally, configure ClearPass to return non-captive user role for users authenticating using EAP-TLS. By default, a user authenticating with an EAP-method other than the one in Step 3 is assigned the default-role for the SSID.

STEP 1: Create a user role with captive portal redirection

  • Create a new role: byod-enroll
  • Create a captive portal access rule
  • Allow DNS, DHCP to all destinations and HTTP/HTTPS access to ClearPass server.

STEP 2: Create an Employee SSID

  • Configure SSID name and VLAN
  • Configure WPA2-Enterprise security on the SSID

STEP 3: Configure the access settings of the SSID with appropriate 802.1X authentication type based derivation rule

  • Configure a derivation rule based on the EAP-type. If the user authenticates with PEAP-MSCHAPv2, assign the byod-enroll role. This will redirect the users to the provisioning page.
  • Users authenticating with EAP types other than PEAP-MSCHAPv2 will be assigned the default role for the SSID. The provisioning process on ClearPass will install certificates and configure the client's wireless supplicant for EAP-TLS.
  • When the client reconnects to the SSID during the final step of the provisioning process it uses EAP-TLS. This will assign the default SSID role to the client.

STEP 4: If required configure IAP for server derived rules

  • Using the Aruba-User-Role VSA, ClearPass can push user roles to IAP. To accomplish this, the IAP should be configured with the appropriate user role definition and server derived rule.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor II
Posts: 12
Registered: ‎05-22-2013

Re: Not redirecting to Captive Portal

Hi tarnold,

Thank you for your help. Unfortunately I cannot see the images as they appear to be on your internal pages, prompting me to log in.

Please can you send the screenshots by PDF?

Kind wishes,

raj

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Not redirecting to Captive Portal

PDF

Thank You,
Troy

Occasional Contributor II
Posts: 12
Registered: ‎05-22-2013

Re: Not redirecting to Captive Portal

Thank you so much.

The URL redirect now happens but the onboarding does not complete. The IAP sends the following URL format to the CPPM:

https://<clearpass IP>/guest/device_provisoning.php?cmd=login&mac=xxxxxxxxx&essid=byod&ip=192.......&apname=xxxxxxxx&switchip=securelogin.arubanetworks.com&url=http<original URL>

However, if I manually go to https://<clearpass IP>/guest/device_provisoning.php/ then I get to the onboarding page. After running through the Quick Connect app I get re-provisioned for TLS.

It seems CPPM is expecting only up to "/device_provisioning.php/" and not the other metadata containing the original URL.

I am trying this with Android ICS 4.1.1.

I experienced the same issue of non-redirection when trying from an iPad (testing without a commercial cert).
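
As an added example (not part of the original posts and not Aruba code), a small Python check that splits a captured redirect of the form quoted above into its parts and compares it with the portal page that loads when opened by hand. The sample URLs, addresses and the function name `check_redirect` are constructed for illustration; treating every parameter from the quoted URL as expected is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names taken from the redirect quoted in the thread.
# Assumption: all of them are expected to be present and non-empty.
EXPECTED = ("cmd", "mac", "essid", "ip", "apname", "switchip", "url")
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}$")

def check_redirect(redirect_url, portal_host, portal_path):
    """Return (params, findings) for a captured captive-portal redirect."""
    parts = urlsplit(redirect_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    params = {name: values[0] for name, values in query.items()}
    findings = []
    if parts.hostname != portal_host:
        findings.append(f"host {parts.hostname!r} is not the portal host {portal_host!r}")
    # Compare with the page that works when typed manually (trailing slash ignored).
    if parts.path.rstrip("/") != portal_path.rstrip("/"):
        findings.append(f"path {parts.path!r} differs from portal page {portal_path!r}")
    if parts.scheme == "https":
        findings.append("https redirect: the client must trust the portal certificate")
    for name in EXPECTED:
        if not params.get(name):
            findings.append(f"missing or empty parameter {name!r}")
    mac = params.get("mac", "")
    if mac and not MAC_RE.match(mac):
        findings.append(f"mac {mac!r} is not a MAC address")
    original = params.get("url", "")
    if original and urlsplit(original).scheme not in ("http", "https"):
        findings.append(f"original url {original!r} is not http(s)")
    return params, findings

# Constructed samples (documentation addresses, made-up MAC and AP name).
GOOD = ("http://192.0.2.10/guest/device_provisioning.php?cmd=login"
        "&mac=00:11:22:33:44:55&essid=byod&ip=192.0.2.50&apname=ap-1"
        "&switchip=securelogin.arubanetworks.com&url=http://www.example.com/")
BAD = ("https://192.0.2.10/guest/device_provisoning.php?cmd=login"
       "&mac=001122334455&essid=byod&ip=192.0.2.50&apname=ap-1"
       "&switchip=securelogin.arubanetworks.com")

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        params, findings = check_redirect(
            sample, "192.0.2.10", "/guest/device_provisioning.php")
        print(params.get("essid"), findings or "no findings")
```
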

 

 

 

Aruba
Posts: 1,540
Registered: ‎06-12-2012

Re: Not redirecting to Captive Portal

Did you try it without https?

iOS will not onboard if you have https enabled with no public webserver cert.

Make sure you disable https in CPGuest under "Home » Configuration » Authentication"

And in your IAP you use http.

Android will also complain if you tell it to validate the server cert under the provisioning settings.

Thank You,
Troy

Occasional Contributor II
Posts: 12
Registered: ‎05-22-2013

Re: Not redirecting to Captive Portal

I tried both with and without https (Onboard > Config > Authentication > disabled HTTP for authentication for guest portal).

I can get iOS to onboard without https (1st PEAP, then TLS). Android and iOS work fine if I point the browser to http://<ip_addr>/guest/device_provisoning.php

For iOS or Android, if I type in a random URL I can see the redirect trying to happen.

For example:

1. I enter in browser: http://www.yahoo.co.in (DNS works)

2. Browser is hijacked and URL shows <ip of cppm>/guest/device_provisioning.php<followed by MAC address, metadata and the original URL>

but it hangs there and then says the link cannot be reached.

Are my

Is there an example of configuration on the CPPM services & Onboard side?

Much thanks

Occasional Contributor II
Posts: 12
Registered: ‎05-22-2013

Re: Not redirecting to Captive Portal

Error message on the redirect attempt is (on Android):

Webpage not available

The webpage at <IP address of CPPM + long URL> might be temporarily down or it may have permanently moved to a new web address.
