09-16-2016 02:08 AM
I encountered a strange problem with Guest users on one of the sites. To set the picture correctly, there are numerous sites running on Aruba WLAN infrastructure (7000 Series controllers) with ClearPass serving Captive Portal for Guest access with MAC Caching.
All is working as expected on all "old" sites. We deployed a new site a few days ago and users are having problems with authentication.
On sites that are working OK, under Summary->Policy Used we have this:
Guest Access With MAC Caching
[Guest User Repository], [Endpoints Repository]
[Guest], [MAC Caching], [User Authenticated]
Guest Guest Bandwidth Limit, Guest Guest Do Expire, Guest Guest Expire Post Login, Guest Guest MAC Caching, Guest Guest Session Limit, [Update Endpoint Known], Guest Session Timeout - 10 hours
|Service Monitor Mode:|
On site with problems:
Guest MAC Authentication
[Insight Repository], Guest MAC-Guest-Check
[Deny Access Profile]
|Service Monitor Mode:|
And Alerts giving:
User authentication failed
| Alerts for this Request |
Endpoints repository obviously has that specific client device marked as "Unknown".
As issues are manifesting on only one site, I checked the controller configuration and couldn't see any obvious problem (Server Group is as it should be, Event Viewer on CPPM not showing rejected attempts from that NAS...).
Hope someone will recognise the cause. Thanks.
09-16-2016 05:35 AM
I got a device to the site to see what is happening. The user gets the CP displayed as expected, fills in the sponsor's details, the sponsor receives the request and approves it, the previously greyed out "Login" button is now green, but when the user tries to log in, it is sent to the URL "securelogin.arubanetworks.com/cgi-bin/login".
Doing #show datapath session table <IP address of a device> gives me several denied flags (10.134.1.245 is client, 10.17.98.65 is controller):
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.134.1.245 10.109.3.86 17 49152 9061 0/0 0 0 0 tunnel 51 9 0 0 FDYC
10.17.98.65 10.134.1.245 6 8081 63247 0/0 0 0 0 local 4 0 0 FDYC
10.134.1.245 10.108.85.24 6 63252 89 0/0 0 0 0 tunnel 51 1 0 0 FDYC
10.17.98.65 10.134.1.245 6 8081 63251 0/0 0 0 1 tunnel 51 23 6 312 SI
10.134.1.245 10.109.60.6 6 63251 443 1/4101 0 0 1 tunnel 51 23 3 152 NYCI
10.134.1.245 18.104.22.168 17 63342 1900 0/0 0 0 0 tunnel 51 b 3 483 FDC
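Added example, not part of the original post: a small Python parser that pulls the denied flows out of the `show datapath session table` output above and groups them by source. It assumes that a `D` in the trailing Flags column marks a denied session; the rows are the ones pasted in the post, and the function names are illustrative.

```python
# Added example, not from the thread. Assumption: a 'D' in the trailing
# Flags column of "show datapath session table" marks a denied session.
from collections import defaultdict

# Rows copied from the post above (client 10.134.1.245, controller 10.17.98.65).
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
10.134.1.245 10.109.3.86 17 49152 9061 0/0 0 0 0 tunnel 51 9 0 0 FDYC
10.17.98.65 10.134.1.245 6 8081 63247 0/0 0 0 0 local 4 0 0 FDYC
10.134.1.245 10.108.85.24 6 63252 89 0/0 0 0 0 tunnel 51 1 0 0 FDYC
10.17.98.65 10.134.1.245 6 8081 63251 0/0 0 0 1 tunnel 51 23 6 312 SI
10.134.1.245 10.109.60.6 6 63251 443 1/4101 0 0 1 tunnel 51 23 3 152 NYCI
10.134.1.245 18.104.22.168 17 63342 1900 0/0 0 0 0 tunnel 51 b 3 483 FDC
"""

PROTO = {"6": "tcp", "17": "udp"}

def is_ipv4(token):
    parts = token.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) < 256 for p in parts)

def parse_sessions(text):
    """Return one dict per data row; header and ruler lines are skipped."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        # Middle columns vary in width, so rely only on the first five
        # fields and the last one (Flags).
        if len(tok) < 7 or not (is_ipv4(tok[0]) and is_ipv4(tok[1])):
            continue
        if not all(t.isdigit() for t in tok[2:5]):
            continue
        rows.append({"src": tok[0], "dst": tok[1], "proto": PROTO.get(tok[2], tok[2]),
                     "sport": int(tok[3]), "dport": int(tok[4]), "flags": tok[-1]})
    return rows

def denied_by_source(text):
    """Group denied flows by source IP as (dst, proto, sport, dport) tuples."""
    out = defaultdict(list)
    for r in parse_sessions(text):
        if "D" in r["flags"]:
            out[r["src"]].append((r["dst"], r["proto"], r["sport"], r["dport"]))
    return dict(out)

if __name__ == "__main__":
    for src, flows in denied_by_source(SAMPLE).items():
        for dst, proto, sport, dport in flows:
            print(f"DENY {src}:{sport} -> {dst}:{dport}/{proto}")
```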
09-16-2016 10:32 AM
securelogins.arubanetworks.com is the address that ClearPass Guest uses to submit the authentication. This address is the Aruba controller.
Is there any type of firewall between CPPM and the controller?
In your first post, both requests looked normal. The first (old site) was a user login with mac caching, the second (new site) was the original MAC authentication, which failed because the MAC address did not exist in the Endpoints Database. This is a normal process since the MAC would be unknown on initial request, then after login, updated with Guest credentials.
Are you doing the guest access over HTTP or HTTPS? With recent issues surrounding the "securelogins.arubanetworks.com" certificate, HTTPS may be problematic. If HTTPS, can you try doing it over HTTP and see if anything changes?
- Configuration -> Authentication (Uncheck require HTTPS)
- Configuration -> Authentication -> L3 authentication -> Captive portal profile (use HTTP for authentication).
Michael Haring | Senior Network Engineer
Comm Solutions, an Optiv Security Company
www.commsolutions.com | www.optiv.com
09-16-2016 12:54 PM
Thanks for your reply and suggestions. Regarding firewalls, they exist between the site and the data centre where CPPM resides, and are administered by a third-party company. I will check what they are permitting/denying, as that can potentially be the source of the problem.
Secondly, we are using HTTPS, and though I can change it and try again, I guess our problem lies somewhere else as all the other sites are still working happily on HTTPS.
I will be able to update you on Monday.
09-19-2016 09:10 AM
Please make sure that you changed the captive portal certificate on the controller. The mentioned securelogin.arubanetworks.com was revoked recently and this may be related to your issue, or if it isn't an issue right now, it will probably be one.
Before investigating deeper, make sure you are not struck by this problem.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
10-06-2016 01:20 AM
With a bit of delay, thanks for suggesting the cert route (as well as mharing, who did the same thing), as that proved to be the root cause of our problem!
My guess is that as this site was provisioned a couple of days after the cert revocation by GeoTrust, none of the users were able to use the service (though that was limited to smartphone/tablet users, but not to Windows-based laptops), while on the sites provisioned before, the problem was not so widespread.
Great response from the Airheads community again, thanks.