Regular Contributor I

Problems with Instant and Clearpass CP redirect

Hi community,

 

We have a strange problem with our Instant and ClearPass.

We changed the HTTPS certificate of our CP to a public certificate, so our guests should not have this certificate issue.

The certificate was issued for portal.domain.de, so we inserted the host into our DNS server.

In the preauth role DNS is allowed to all.

We changed the captive portal profile in the Instant VC from the IP to the DNS name portal.domain.de, but the redirect doesn't work for our guests.

The guests get 404 site not found with the IP 172.31.98.1 in the browser's address bar.

Is this a problem with the IAP dns redirection?

How can I change this?

 

Thanks

MVP

Re: Problems with Instant and Clearpass CP redirect

Hello!

In your pre-auth role you allow traffic towards that domain?

Log on to the IAP console and verify that a ping towards the domain name results in a successful lookup.

 

Also - have you changed login settings to imply https on Clearpass? And the settings on the IAP? Not relevant to the redirect issue, but just curious ;)


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Regular Contributor I

Re: Problems with Instant and Clearpass CP redirect

Hi,

I've found something in the Instant user guide; this works for me on my test Instant AP.

I go to the Instant console:

conf t

internal-domains

domain-name *

end

commit apply

 

On my test IAP this works fine; in my production IAP cluster the problem is the same... 404 site not found, and the IP 172.31.98.1 in the browser bar...

 

Re: Problems with Instant and Clearpass CP redirect

Hey, if you have a client in the pre-auth role, are they able to resolve the DNS name to the IP address of the CPPM?

ACMA, ACMP
If my post addresses your query, give kudos:)
MVP

Re: Problems with Instant and Clearpass CP redirect

There are bound to be differences between your lab and production. Set them side by side and verify those differences in the configuration, and make sure that clients are able to resolve the DNS correctly. And just to be sure - you haven't installed the same certificate (which you installed on ClearPass) as a captive portal certificate on the IAP?

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Regular Contributor I

Re: Problems with Instant and Clearpass CP redirect

Yes, I think I have installed the same certificate on the IAP CP as on ClearPass. Is there a problem?
MVP

Re: Problems with Instant and Clearpass CP redirect

Is it a wildcard certificate or bound to a FQDN?

 

If you have a certificate with an FQDN installed on the IAP and selected that as Captive Portal profile, the IAP will consider that domain name as its own regardless of whether it's publicly resolvable or not. Just like "instant.arubanetworks.com" and "securelogin.arubanetworks.com". So that is why you are redirected to the VC default guest-vlan IP.

 

If you can do server-initiated login that would eliminate the need for a captive portal SSL-certificate on the IAP. Requirement for this is Radius CoA from Clearpass to the Instant.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
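
The checks suggested in the replies above, collected into one script (an added example, not code from any poster or from Aruba). It assumes the operator supplies the CN/SAN names of the certificate uploaded to the IAP and the URL a pre-auth test client landed on; the function names, finding codes and the `resolve` hook are hypothetical, and 192.0.2.10 in the usage comment is a constructed ClearPass address.

```python
import socket
from urllib.parse import urlsplit

# Address from the thread: where guests landed instead of ClearPass.
VC_GUEST_IP = "172.31.98.1"


def system_resolve(host):
    """Resolve host to IPv4 addresses using the client's own resolver."""
    infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def diagnose(portal_host, cppm_ip, iap_cert_names, landed_url,
             resolve=system_resolve):
    """Return finding codes for an external captive-portal redirect.

    portal_host    -- FQDN set in the IAP external captive portal profile
    cppm_ip        -- address that FQDN should resolve to (ClearPass)
    iap_cert_names -- CN/SAN names of the captive portal cert on the IAP
    landed_url     -- URL in the test client's address bar after redirect
    resolve        -- hook so recorded lookups can be replayed (assumption)
    """
    findings = []
    host = portal_host.rstrip(".").lower()
    names = {n.rstrip(".").lower() for n in iap_cert_names}

    # Cause named in the thread: the IAP treats the FQDN of its own
    # captive portal certificate as a name that belongs to itself.
    if host in names:
        findings.append("IAP_CERT_NAME_MATCHES_PORTAL")

    # Check asked for in the replies: can a pre-auth client resolve
    # the portal name to the ClearPass address?
    try:
        if cppm_ip not in resolve(host):
            findings.append("DOES_NOT_RESOLVE_TO_CPPM")
    except OSError:  # socket.gaierror is a subclass of OSError
        findings.append("DNS_LOOKUP_FAILED")

    # Symptom reported in the thread: browser ends up on the VC guest IP.
    landed = urlsplit(landed_url).hostname
    if landed == VC_GUEST_IP:
        findings.append("LANDED_ON_VC_IP")
    elif landed != host:
        findings.append("LANDED_ELSEWHERE")
    return findings or ["OK"]

# Run from a client in the pre-auth role, for example:
# diagnose("portal.domain.de", "192.0.2.10", ["portal.domain.de"],
#          "https://172.31.98.1/")
```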
Regular Contributor I

Re: Problems with Instant and Clearpass CP redirect

OK, I think this is the problem: I've uploaded the FQDN certificate to the Instant. Where can I download the original instant.arubanetworks.com certificate, to restore it on the Instant?

MVP

Re: Problems with Instant and Clearpass CP redirect

Think it's through CLI

Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!