Contributor II
Posts: 40
Registered: ‎05-17-2016

Problem with Guest authentication

Hi,

I encountered a strange problem with Guest users on one of the sites. To set the picture correctly, there are numerous sites running on Aruba WLAN infrastructure (7000 Series controllers) with ClearPass serving Captive Portal for Guest access with MAC Caching.

All is working as expected on all "old" sites. We deployed a new site a few days ago and users are having problems with authentication.

On sites that are working OK, under Summary->Policy Used we have this:

Service: Guest Access With MAC Caching
Authentication Method: PAP
Authentication Source: Local:localhost
Authorization Source: [Guest User Repository], [Endpoints Repository]
Roles: [Guest], [MAC Caching], [User Authenticated]
Enforcement Profiles: Guest Guest Bandwidth Limit, Guest Guest Do Expire, Guest Guest Expire Post Login, Guest Guest MAC Caching, Guest Guest Session Limit, [Update Endpoint Known], Guest Session Timeout - 10 hours
Service Monitor Mode: Disabled

On site with problems:

Service: Guest MAC Authentication
Authentication Method: -
Authentication Source: None
Authorization Source: [Insight Repository], Guest MAC-Guest-Check
Roles: [Guest]
Enforcement Profiles: [Deny Access Profile]
Service Monitor Mode: Disabled
Online Status: Not Available

And Alerts giving:

Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed

Alerts for this Request

Policy server:
Failed to construct filter=SELECT user_id as guest_device_user FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard') AND (enabled = 't') AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP))).
Failed to get value for attributes=[UserName].
Failed to construct filter=SELECT FLOOR(EXTRACT(EPOCH FROM (NOW() - timestamp)))::integer AS seconds_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/60)::integer AS minutes_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/3600)::integer AS hours_since_auth, FLOOR((EXTRACT(EPOCH FROM (NOW() - timestamp)))/86400)::integer AS days_since_auth FROM auth WHERE auth.timestamp < NOW() AND auth.error_code = 0 AND auth.username = '%{Endpoint:Username}' AND auth.mac = '%{Connection:Client-Mac-Address-NoDelim}' AND auth.auth_status != 'MAB' ORDER BY timestamp DESC LIMIT 1.
Failed to get value for attributes=[Days-Since-Auth, Hours-Since-Auth]

RADIUS:
[Endpoints Repository] - localhost: User not found.
MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

Endpoints repository obviously has that specific client device marked as "Unknown".

As issues are manifesting on only one site, I checked the controller configuration and couldn't see any obvious problem (Server Group is as it should be, Event Viewer on CPPM not showing rejected attempts from that NAS...).

Hope someone will recognise the cause. Thanks.

Regards,

Alan

Kind regards,
AlanFord
Contributor II
Posts: 40
Registered: ‎05-17-2016

Re: Problem with Guest authentication

An update:

I got a device to the site to see what is happening. The user gets the CP displayed as expected, fills in the sponsor's details, the sponsor receives the request and approves it, and the previously greyed-out "Login" button is now green, but when the user tries to log in, it is sent to URL "securelogin.arubanetworks.com/cgi-bin/login".

Doing #show datapath session table <IP address of a device> gives me several denied flags (10.134.1.245 is client, 10.17.98.65 is controller):

Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.134.1.245    10.109.3.86     17   49152 9061   0/0     0    0   0   tunnel 51   9    0          0          FDYC
10.17.98.65     10.134.1.245    6    8081  63247  0/0     0    0   0   local       4    0          0          FDYC
10.134.1.245    10.108.85.24    6    63252 89     0/0     0    0   0   tunnel 51   1    0          0          FDYC
10.17.98.65     10.134.1.245    6    8081  63251  0/0     0    0   1   tunnel 51   23   6          312        SI
10.134.1.245    10.109.60.6     6    63251 443    1/4101  0    0   1   tunnel 51   23   3          152        NYCI
10.134.1.245    239.255.255.250 17   63342 1900   0/0     0    0   0   tunnel 51   b    3          483        FDC

Thanks.

Alan

Kind regards,
AlanFord
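
Added example, not written by any poster in this thread: a Python parser for the `show datapath session table` rows quoted in the post above that lists the flows flagged D (deny) relative to the client. The flag meanings follow the legend ArubaOS prints with this command and are an assumption to check against your release; the function names are hypothetical.

```python
import re

# Flag letters per the legend ArubaOS prints with this table (subset; assumption).
FLAG_NAMES = {"F": "fast age", "D": "deny", "Y": "no syn", "C": "client",
              "S": "src NAT", "N": "dest NAT", "I": "deep inspect"}
PROTO = {"6": "tcp", "17": "udp"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Rows copied from the post above.
SAMPLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.134.1.245    10.109.3.86     17   49152 9061   0/0     0    0   0   tunnel 51   9    0          0          FDYC
10.17.98.65     10.134.1.245    6    8081  63247  0/0     0    0   0   local       4    0          0          FDYC
10.134.1.245    10.108.85.24    6    63252 89     0/0     0    0   0   tunnel 51   1    0          0          FDYC
10.17.98.65     10.134.1.245    6    8081  63251  0/0     0    0   1   tunnel 51   23   6          312        SI
10.134.1.245    10.109.60.6     6    63251 443    1/4101  0    0   1   tunnel 51   23   3          152        NYCI
10.134.1.245    239.255.255.250 17   63342 1900   0/0     0    0   0   tunnel 51   b    3          483        FDC
"""

def parse_sessions(text):
    """Parse data rows; 'Destination' is one token (local) or two (tunnel 51)."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 14 or not IPV4.match(tok[0]):
            continue  # header, separator or blank line
        rows.append({"src": tok[0], "dst": tok[1], "proto": PROTO.get(tok[2], tok[2]),
                     "sport": int(tok[3]), "dport": int(tok[4]),
                     "path": " ".join(tok[9:-4]),  # between Age and TAge
                     "flags": [FLAG_NAMES.get(c, c) for c in tok[-1]]})
    return rows

def denied_flows(text, client_ip):
    """Return (direction, peer, proto, peer_port, path) for each flow flagged D."""
    out = []
    for r in parse_sessions(text):
        if "deny" not in r["flags"]:
            continue
        if r["src"] == client_ip:
            out.append(("from-client", r["dst"], r["proto"], r["dport"], r["path"]))
        else:
            out.append(("to-client", r["src"], r["proto"], r["sport"], r["path"]))
    return out

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE, "10.134.1.245"):
        print(flow)
```
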
Super Contributor I
Posts: 320
Registered: ‎05-09-2013

Re: Problem with Guest authentication

Alan,

securelogins.arubanetworks.com is the address that ClearPass Guest uses to submit the authentication. This address is the Aruba controller.

Is there any type of firewall between CPPM and the controller?

In your first post, both requests looked normal. The first (old site) was a user login with mac caching, the second (new site) was the original MAC authentication, which failed because the MAC address did not exist in the Endpoints Database. This is a normal process since the MAC would be unknown on initial request, then after login, updated with Guest credentials.

Are you doing the guest access over HTTP or HTTPS? With recent issues surrounding the "securelogins.arubanetworks.com" certificate, HTTPS may be problematic. If HTTPS, can you try doing it over HTTP and see if anything changes?

ClearPass Guest

- Configuration -> Authentication (Uncheck require HTTPS)

Controller

- Configuration -> Authentication -> L3 authentication -> Captive portal profile (use HTTP for authentication).

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Contributor II
Posts: 40
Registered: ‎05-17-2016

Re: Problem with Guest authentication

Hi Michael,

Thanks for your reply and suggestions. Regarding firewalls, they exist between a site and the data centre where CPPM resides, and are administered by a third-party company. I will check what they are permitting/denying, as that can potentially be the source of the problem.

Secondly, we are using HTTPS, and though I can change it and try again, I guess our problem lies somewhere else, as all the other sites are still working happily on HTTPS.

I will be able to update you on Monday.

Regards,

AlanFord

Kind regards,
AlanFord
Aruba Employee
Posts: 370
Registered: ‎11-04-2011

Re: Problem with Guest authentication

Please make sure that you changed the captive portal certificate on the controller. The mentioned securelogin.arubanetworks.com was revoked recently and this may be related to your issue, or if it isn't an issue right now, it probably will be one.

Check out this page: http://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

Before investigating deeper, make sure you are not struck by this problem.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
Contributor II
Posts: 40
Registered: ‎05-17-2016

Re: Problem with Guest authentication

Hi Herman,

With a bit of delay, thanks for suggesting the cert route (as well as mharing, who did the same thing), as that proved to be the root cause of our problem!

My guess is that as this site was provisioned a couple of days after the cert revocation by GeoTrust, none of the users were able to use the service (though that was limited to smartphone/tablet users, but not to Windows-based laptops), while on the sites provisioned before, the problem was not so widespread.

Great response from the Airheads community again, thanks.

Regards,

AlanFord

Kind regards,
AlanFord