Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problem with Guest authentication

  • 1.  Problem with Guest authentication

    Posted Sep 16, 2016 05:09 AM

    Hi,

     

    I encountered a strange problem with Guest users on one of the sites. To set the picture correctly, there are numerous sites running on Aruba WLAN infrastructure (7000 Series controllers) with ClearPass serving the Captive Portal for Guest access with MAC Caching.

     

    All is working as expected on all "old" sites. We deployed a new site a few days ago and users are having problems with authentication.

     

    On sites that are working OK, under Summary->Policy Used we have this:

    Service:
    Guest Access With MAC Caching
    Authentication Method:
    PAP
    Authentication Source:
    Local:localhost
    Authorization Source:
    [Guest User Repository], [Endpoints Repository]
    Roles:
    [Guest], [MAC Caching], [User Authenticated]
    Enforcement Profiles:
    Guest Guest Bandwidth Limit, Guest Guest Do Expire, Guest Guest Expire Post Login, Guest Guest MAC Caching, Guest Guest Session Limit, [Update Endpoint Known], Guest Session Timeout - 10 hours
    Service Monitor Mode:
    Disabled

    On site with problems:

    Service:
    Guest MAC Authentication
    Authentication Method:
    -
    Authentication Source:
    None
    Authorization Source:
    [Insight Repository], Guest MAC-Guest-Check
    Roles:
    [Guest]
    Enforcement Profiles:
    [Deny Access Profile]
    Service Monitor Mode:
    Disabled
    Online Status:
    Not Available

    And Alerts giving:

     

    Error Code:
    216
    Error Category:
    Authentication failure
    Error Message:
    User authentication failed
     Alerts for this Request  
    Policy serverFailed to construct filter=SELECT user_id as guest_device_user FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard') AND (enabled = 't') AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP))).
    Failed to get value for attributes=[UserName].
    Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1.
    Failed to get value for attributes=[Days-Since-Auth, Hours-Since-Auth]
    RADIUS[Endpoints Repository] - localhost: User not found.
    MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

    Endpoints repository obviously has that specific client device marked as "Unknown".

    As the issue is manifesting on only one site, I checked the controller configuration and couldn't see any obvious problem (Server Group is as it should be, Event Viewer on CPPM not showing rejected attempts from that NAS...).

    Hope someone will recognise the cause. Thanks.

     

    Regards,

    Alan

     



  • 2.  RE: Problem with Guest authentication

    Posted Sep 16, 2016 08:36 AM

    An update:

     

    I got a device to the site to see what is happening. The user gets the CP displayed as expected, fills in the sponsor's details, the sponsor receives the request and approves it, the previously greyed-out "Login" button is now green, but when the user tries to log in they are sent to the URL "securelogin.arubanetworks.com/cgi-bin/login".

     

    Doing #show datapath session table <IP address of a device> gives me several denied flags (10.134.1.245 is the client, 10.17.98.65 is the controller):

     

    Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
    --------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
    10.134.1.245    10.109.3.86     17   49152 9061   0/0     0    0   0   tunnel 51   9    0          0          FDYC
    10.17.98.65     10.134.1.245    6    8081  63247  0/0     0    0   0   local       4    0          0          FDYC
    10.134.1.245    10.108.85.24    6    63252 89     0/0     0    0   0   tunnel 51   1    0          0          FDYC
    10.17.98.65     10.134.1.245    6    8081  63251  0/0     0    0   1   tunnel 51   23   6          312        SI
    10.134.1.245    10.109.60.6     6    63251 443    1/4101  0    0   1   tunnel 51   23   3          152        NYCI
    10.134.1.245    239.255.255.250 17   63342 1900   0/0     0    0   0   tunnel 51   b    3          483        FDC

     

    Thanks.

     

    Alan
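As an added illustration (not part of Alan's post), the following script pulls the deny-flagged rows out of a `show datapath session table` listing like the one above and splits them by direction relative to the client. The flag legend is the standard ArubaOS one (D = deny, Y = no syn, C = client, F = fast age, S = src NAT, N = dest NAT, I = deep inspect); the sample rows are the six lines quoted in the post, embedded here as constructed input.

```python
"""Triage an ArubaOS 'show datapath session table' listing for one client.

Added example, not Aruba tooling: parses the rows the way a practitioner
would eyeball them and returns the sessions carrying the D (deny) flag.
"""
from dataclasses import dataclass

# Flag letters as printed in the 'Flags' column (subset of the ArubaOS legend).
FLAG_MEANING = {
    "F": "fast age",
    "S": "src NAT",
    "N": "dest NAT",
    "D": "deny",
    "R": "redirect",
    "Y": "no syn",
    "C": "client",
    "I": "deep inspect",
}
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: the six rows quoted in the post above
# (client 10.134.1.245, controller 10.17.98.65).
SAMPLE_TABLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.134.1.245    10.109.3.86     17   49152 9061   0/0     0    0   0   tunnel 51   9    0          0          FDYC
10.17.98.65     10.134.1.245    6    8081  63247  0/0     0    0   0   local       4    0          0          FDYC
10.134.1.245    10.108.85.24    6    63252 89     0/0     0    0   0   tunnel 51   1    0          0          FDYC
10.17.98.65     10.134.1.245    6    8081  63251  0/0     0    0   1   tunnel 51   23   6          312        SI
10.134.1.245    10.109.60.6     6    63251 443    1/4101  0    0   1   tunnel 51   23   3          152        NYCI
10.134.1.245    239.255.255.250 17   63342 1900   0/0     0    0   0   tunnel 51   b    3          483        FDC
"""


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    nbytes: int
    flags: str

    @property
    def denied(self) -> bool:
        return "D" in self.flags

    def describe(self) -> str:
        meanings = ", ".join(FLAG_MEANING.get(f, f"?{f}") for f in self.flags)
        proto = PROTO_NAME.get(self.proto, str(self.proto))
        return (f"{self.src}:{self.sport} -> {self.dst}:{self.dport} {proto} "
                f"pkts={self.packets} flags={self.flags} ({meanings})")


def parse_session_table(text: str) -> list[Session]:
    """Parse data rows; the header and dashed rule are skipped."""
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a dotted-quad source address.
        if len(fields) < 10 or fields[0].count(".") != 3 or not fields[0][0].isdigit():
            continue
        # 'Destination' may be two tokens ("tunnel 51"), so take the trailing
        # columns (Packets, Bytes, Flags) from the right.
        sessions.append(Session(
            src=fields[0], dst=fields[1], proto=int(fields[2]),
            sport=int(fields[3]), dport=int(fields[4]),
            packets=int(fields[-3]), nbytes=int(fields[-2]), flags=fields[-1],
        ))
    return sessions


def denied_sessions(text: str, client_ip: str) -> dict[str, list[Session]]:
    """Denied sessions grouped by direction relative to the client."""
    out: dict[str, list[Session]] = {"from_client": [], "to_client": []}
    for s in parse_session_table(text):
        if not s.denied:
            continue
        if s.src == client_ip:
            out["from_client"].append(s)
        elif s.dst == client_ip:
            out["to_client"].append(s)
    return out


if __name__ == "__main__":
    for direction, sessions in denied_sessions(SAMPLE_TABLE, "10.134.1.245").items():
        print(direction)
        for s in sessions:
            print("  ", s.describe())
```

Run as-is it lists three denied flows sourced by the client (UDP 9061, TCP 89 and the SSDP multicast to 239.255.255.250:1900) and one denied flow from the controller back to the client; the row with flags SI (controller port 8081 to the client) and the NYCI row to 10.109.60.6:443 are not denied. Denied entries alone do not identify the root cause; they tell you which flows the client's current role is dropping, which is the thing to compare against a working site's listing.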



  • 3.  RE: Problem with Guest authentication

    MVP
    Posted Sep 16, 2016 01:33 PM

    Alan,

     

    securelogin.arubanetworks.com is the address that ClearPass Guest uses to submit the authentication. This address is the Aruba controller. 

     

    Is there any type of firewall between CPPM and the controller? 

     

    In your first post, both requests looked normal. The first (old site) was a user login with MAC caching; the second (new site) was the original MAC authentication, which failed because the MAC address did not exist in the Endpoints Database. This is a normal process, since the MAC would be unknown on the initial request and then, after login, updated with Guest credentials.

     

    Are you doing the guest access over HTTP or HTTPS? With recent issues surrounding the "securelogin.arubanetworks.com" certificate, HTTPS may be problematic. If HTTPS, can you try doing it over HTTP and see if anything changes? 

     

    ClearPass Guest

    - Configuration -> Authentication (Uncheck require HTTPS)

    Controller

    - Configuration -> Authentication -> L3 authentication -> Captive portal profile (use HTTP for authentication).
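To make the "unknown on initial request, then updated after login" sequence from the reply above concrete, here is an added example (not ClearPass code and not from any poster) that re-runs the two authorization filters quoted in Alan's alert against an in-memory SQLite database standing in for the Guest User Repository, the Endpoints Repository and the Insight auth table. Table and column names follow the alert text; the Postgres EXTRACT(EPOCH ...) arithmetic is rewritten for SQLite, the auth_status value 'USER' for a portal login and the seven-day cache window (CACHE_DAYS) are assumptions, and the guest account and MAC are constructed.

```python
"""Model the ClearPass guest MAC-caching decision seen in this thread.

Added example, not ClearPass code. SQLite stands in for the three
repositories; the filters are the ones quoted in the alert, adapted to SQLite.
"""
import sqlite3
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"
CACHE_DAYS = 7  # assumed MAC-caching window; take yours from the 'Guest MAC Caching' profile

# Filter 1 from the alert: is the endpoint's owner still a valid guest account?
GUEST_USER_FILTER = """
SELECT user_id AS guest_device_user FROM tips_guest_users
 WHERE guest_type = 'USER' AND user_id = :username AND app_name != 'Onboard'
   AND enabled = 't' AND (expire_time IS NULL OR expire_time > :now)"""

# Filter 2 from the alert: days since this user's last successful non-MAB
# (i.e. real portal) login on this MAC. Postgres epoch arithmetic -> SQLite.
LAST_AUTH_FILTER = """
SELECT (CAST(strftime('%s', :now) AS INTEGER) - CAST(strftime('%s', timestamp) AS INTEGER)) / 86400
       AS days_since_auth
  FROM auth
 WHERE timestamp < :now AND error_code = 0 AND username = :username
   AND mac = :mac AND auth_status != 'MAB'
 ORDER BY timestamp DESC LIMIT 1"""


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tips_guest_users(user_id TEXT, guest_type TEXT, app_name TEXT,
                                      enabled TEXT, expire_time TEXT);
        CREATE TABLE endpoints(mac TEXT PRIMARY KEY, status TEXT, username TEXT);
        CREATE TABLE auth(timestamp TEXT, error_code INTEGER, username TEXT,
                          mac TEXT, auth_status TEXT);
    """)
    return db


def mac_auth(db, mac: str, now: datetime, cache_days: int = CACHE_DAYS):
    """Return (decision, alerts) for a MAC-auth request, mirroring the alert text."""
    now_s = now.strftime(TS)
    row = db.execute("SELECT status, username FROM endpoints WHERE mac = ?", (mac,)).fetchone()
    if row is None or row[0] != "Known" or not row[1]:
        # %{Endpoint:Username} has no value, so neither filter can be built:
        # this is the 'unknown client, rejected' outcome on the first connect.
        return "DENY", ["Failed to get value for attributes=[UserName]",
                        "MAC-AUTH: MAC Authentication attempted by unknown client, rejected."]
    username = row[1]
    params = {"username": username, "now": now_s, "mac": mac}
    if db.execute(GUEST_USER_FILTER, params).fetchone() is None:
        return "DENY", [f"guest account {username} disabled or expired"]
    last = db.execute(LAST_AUTH_FILTER, params).fetchone()
    if last is None or last[0] > cache_days:
        return "DENY", [f"cache window exceeded for {username}; captive-portal login required"]
    return "ALLOW", [f"[MAC Caching] role for {username}, {last[0]} day(s) since portal login"]


def portal_login(db, mac: str, username: str, now: datetime) -> None:
    """What a successful captive-portal login leaves behind: the endpoint becomes
    Known with the guest's username ([Update Endpoint Known]) plus an auth row."""
    db.execute("INSERT OR REPLACE INTO endpoints VALUES (?, 'Known', ?)", (mac, username))
    db.execute("INSERT INTO auth VALUES (?, 0, ?, ?, 'USER')", (now.strftime(TS), username, mac))


def walkthrough() -> list:
    """First connect, portal login, cached re-connect, then the cache window lapses."""
    db = build_db()
    db.execute("INSERT INTO tips_guest_users VALUES ('alan@example.com', 'USER', 'Guest', 't', NULL)")
    mac, t0 = "001122aabbcc", datetime(2016, 9, 16, 5, 9)          # constructed
    steps = [mac_auth(db, mac, t0)[0]]                                # unknown endpoint -> DENY
    portal_login(db, mac, "alan@example.com", t0 + timedelta(minutes=1))
    steps.append(mac_auth(db, mac, t0 + timedelta(hours=1))[0])       # served from cache -> ALLOW
    steps.append(mac_auth(db, mac, t0 + timedelta(days=CACHE_DAYS + 2))[0])  # lapsed -> DENY
    return steps


def disabled_guest_decision() -> tuple:
    """A Known endpoint whose sponsor has disabled the account still gets rejected."""
    db = build_db()
    db.execute("INSERT INTO tips_guest_users VALUES ('g@example.com', 'USER', 'Guest', 'f', NULL)")
    t = datetime(2016, 9, 16, 5, 9)
    portal_login(db, "aabbccddeeff", "g@example.com", t)
    return mac_auth(db, "aabbccddeeff", t + timedelta(hours=1))


if __name__ == "__main__":
    print(walkthrough())
    print(disabled_guest_decision())
```

The first DENY is the one the new site's alert shows, and on a healthy site it is immediately followed by the redirect to the captive portal; the problem Alan describes sits after the portal login, not in this decision.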



  • 4.  RE: Problem with Guest authentication

    Posted Sep 16, 2016 03:54 PM

    Hi Michael,

     

    Thanks for your reply and suggestions. Regarding firewalls, they exist between a site and the data centre where CPPM resides, and are administered by a third-party company. I will check what they are permitting/denying, as that can potentially be the source of the problem.

     

    Secondly, we are using HTTPS, and though I can change it and try again, I guess our problem lies somewhere else, as all the other sites are still working happily on HTTPS.

     

    I will be able to update you on Monday.

     

     

     

    Regards,

    AlanFord



  • 5.  RE: Problem with Guest authentication
    Best Answer

    EMPLOYEE
    Posted Sep 19, 2016 12:10 PM

    Please make sure that you changed the captive portal certificate on the controller. The mentioned securelogin.arubanetworks.com certificate was revoked recently and this may be related to your issue; if it isn't the issue right now, it probably will be one.

     

    Check out this page: http://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

     

    Before investigating deeper, make sure you are not struck by this problem.
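The check this reply asks for, written out as an added example (not Aruba's tooling and not from any poster): read the certificate a captive-portal listener presents and flag it if it still carries the shared default name securelogin.arubanetworks.com, which means the controller has never been given its own certificate. It wraps the openssl command-line tool, which must be on PATH; the host and port in fetch_pem() are placeholders, and self_signed_pem() only produces a throwaway fixture so the parser can be exercised offline.

```python
"""Inspect the certificate an ArubaOS captive portal presents.

Added example, not Aruba tooling. Requires the 'openssl' CLI on PATH.
"""
import re
import subprocess
from datetime import datetime, timezone

DEFAULT_CP_NAME = "securelogin.arubanetworks.com"  # CN of the stock ArubaOS captive-portal cert


def _openssl(*args, stdin: bytes = b"") -> str:
    return subprocess.run(["openssl", *args], input=stdin,
                          capture_output=True, check=True).stdout.decode()


def fetch_pem(host: str, port: int = 443, sni: str = DEFAULT_CP_NAME) -> str:
    """Pull the leaf certificate from a live listener (needs network; host/port are placeholders)."""
    out = _openssl("s_client", "-connect", f"{host}:{port}", "-servername", sni)
    m = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", out, re.S)
    if not m:
        raise RuntimeError(f"no certificate returned by {host}:{port}")
    return m.group(0)


def inspect_pem(pem: str) -> dict:
    """Subject CN, issuer, serial and notAfter, parsed from 'openssl x509' text output."""
    out = _openssl("x509", "-noout", "-subject", "-issuer", "-serial", "-enddate",
                   stdin=pem.encode())
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", fields["subject"])
    not_after = datetime.strptime(fields["notAfter"].strip(),
                                  "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    return {"cn": cn.group(1).strip() if cn else "",
            "issuer": fields["issuer"].strip(),
            "serial": fields["serial"].strip(),
            "not_after": not_after}


def assess(info: dict, now=None) -> list:
    """Findings worth acting on before digging into ClearPass policy."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["cn"].lower() == DEFAULT_CP_NAME:
        findings.append("default ArubaOS captive-portal certificate still in use; replace it with your own")
    if info["not_after"] <= now:
        findings.append(f"certificate expired on {info['not_after']:%Y-%m-%d}")
    return findings


def self_signed_pem(cn: str, days: int = 1) -> str:
    """Constructed fixture: a throwaway self-signed certificate with the given CN."""
    return _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", "/dev/null",
                    "-subj", f"/CN={cn}", "-days", str(days))


if __name__ == "__main__":
    # Offline demonstration; swap in fetch_pem("<controller-ip>") against a real controller.
    info = inspect_pem(self_signed_pem(DEFAULT_CP_NAME))
    print(info["cn"], info["not_after"].date(), assess(info))
```

Revocation status is deliberately not checked here: that needs the issuer's CRL or OCSP responder, which is exactly what the affected mobile clients were consulting. Seeing the default name is already sufficient reason to install the site's own certificate.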



  • 6.  RE: Problem with Guest authentication

    Posted Oct 06, 2016 04:21 AM

    Hi Herman,

     

    With a bit of delay, thanks for suggesting the cert route (as well as mharing, who did the same thing), as that proved to be the root cause of our problem!

     

    My guess is that, as this site was provisioned a couple of days after the cert revocation by GeoTrust, none of the users were able to use the service (though that was limited to smartphone/tablet users, not Windows-based laptops), while on the sites provisioned before, the problem was not so widespread.

     

    Great response from Airheads community again, thanks.

     

     

    Regards,

    AlanFord