Service templates option missing in 6.5

  • 1.  Service templates option missing in 6.5

    Posted May 04, 2016 01:32 AM

    Hi

    I am trying to configure the guest and when I'm trying to connect as a guest, it comes up "failed to classify request to service". Error code is 204.

    I'm going through the services I set up for guest and guest web login, which I created manually. I had to create these manually as I do not have the option for service templates. Can anyone help me locate the service templates so I can set up the services correctly? Or does anyone have any detail on what I need to configure in the services for the guest?

    (On the Dell ClearPass 6.5.5)

    Much appreciated.



  • 2.  RE: Service templates option missing in 6.5

    Posted May 04, 2016 02:04 AM

    Doh, I found out where it is on the Dell version; it's under the Start Here submenu.

    I've created the 2 guest services: guest web login - application type, guest access - RADIUS type. But I'm still getting the same error, any help please.



  • 3.  RE: Service templates option missing in 6.5

    Posted May 04, 2016 04:40 AM

    The error message indicates you are not matching a service.

    You need to compare the attributes on the Service tab of each Service with what is being seen in the actual request. You can see the RADIUS attributes in the Access Tracker.

     

    If you are unsure, post an image of the service tab and the entry from the access tracker.



  • 4.  RE: Service templates option missing in 6.5

    EMPLOYEE
    Posted May 04, 2016 04:46 AM

    The message "failed to classify request to service" means that none of the Services matches on the Matching rules for that service.

    How I would approach this is to check the service you'd like/expect to have a match on, and check its matching rules. Then see the failing request to see its RADIUS attributes, and see where the mismatch is.

    It might be that there is a match on the SSID to contain Guest on the services that are created by the wizard; if you use non-Aruba equipment, or a different SSID name, you need to change that.

    [Attached image: 2016-05-04 10_44_32-ClearPass Policy Manager - Aruba Networks.png]



  • 5.  RE: Service templates option missing in 6.5

    Posted May 04, 2016 10:45 PM

    Hi

    Thanks for responses. I'm not seeing any service being picked up when looking at the request details.

    [Attached images: request details.jpg, alerts error.jpg]

    Here are the services that are set up. (Note: I have an IAP set up to use a VC but also have AirWave managing them. When I set up the guest access, it asked what device I'm using; would this be the AirWave or the IAP, and then would I need to set this up for each VC?)

    [Attached images: services.jpg, service guest access web login.jpg, services guest access 1.jpg]



  • 6.  RE: Service templates option missing in 6.5

    Posted May 05, 2016 03:10 AM

    I don't know if it's related to the login page I'm using, as some docs say to use Aruba but I didn't even get the page to load when this was the option. Now it's captive portal.

    [Attached image: login.jpg]



  • 7.  RE: Service templates option missing in 6.5

    Posted May 05, 2016 04:08 AM

    I would leave the vendor settings as Aruba on the web login configuration.

     

    With regards to your Guest services, I would think the actual page name is login.php and not just login. I would change the rule to be Contains login and this should account for both.

     

    Can you send screenshots of the access tracker entry showing the Input tab with each section expanded?

    Thanks
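
The first-match service classification described in replies 3, 4 and 7, as an added example that is not part of any post in this thread. It is a simplified model, not ClearPass code; the attribute keys (`ssid`, `page-name`), service names and request values are constructed for illustration.

```python
# Simplified model of first-match service classification (added example,
# not ClearPass code). Attribute keys and all values are constructed.

def rule_matches(rule, request):
    """Evaluate one (attribute, operator, value) rule against a request."""
    attr, op, value = rule
    actual = request.get(attr)
    if actual is None:          # attribute absent from the request: no match
        return False
    if op == "EQUALS":
        return actual == value
    if op == "CONTAINS":
        return value in actual
    raise ValueError(f"unsupported operator: {op}")

def failed_rules(service, request):
    """List the rules of one service that the request does not satisfy."""
    return [r for r in service["rules"] if not rule_matches(r, request)]

def classify(services, request):
    """Return the first service whose rules match, or None if none do."""
    for svc in services:
        results = [rule_matches(r, request) for r in svc["rules"]]
        if (all if svc["match"] == "ALL" else any)(results):
            return svc["name"]
    return None  # the "failed to classify request to service" case

def web_login_service(operator):
    return {"name": "Guest Web Login", "match": "ALL",
            "rules": [("page-name", operator, "login")]}

GUEST_RADIUS = {"name": "Guest Access", "match": "ALL",
                "rules": [("ssid", "CONTAINS", "Guest")]}

# Constructed requests: a web login whose page is login.php, and a RADIUS
# request from an SSID that does not contain "Guest".
WEB_REQUEST = {"page-name": "login.php"}
RADIUS_REQUEST = {"ssid": "Visitors"}

STRICT = [GUEST_RADIUS, web_login_service("EQUALS")]
RELAXED = [GUEST_RADIUS, web_login_service("CONTAINS")]

if __name__ == "__main__":
    for label, services in (("EQUALS", STRICT), ("CONTAINS", RELAXED)):
        print(label, "->", classify(services, WEB_REQUEST))
    print("unmatched:", failed_rules(GUEST_RADIUS, RADIUS_REQUEST))
```

A `CONTAINS` rule also matches any other page name that includes the string, so the rule should stay as narrow as the deployment allows.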



  • 8.  RE: Service templates option missing in 6.5

    Posted May 05, 2016 04:41 AM

    Hi David

    Ok, I will change it to use Aruba. What should be the IP address of the vendors? Should this be ClearPass?

    [Attached image: login.jpg]

    Here are the details of input etc., doesn't show anything.

    [Attached image: input.jpg] The end host is the MAC of the PC testing.

    [Attached images: output.jpg, alerts.jpg]

    Thanks

    David



  • 9.  RE: Service templates option missing in 6.5

    Posted May 05, 2016 05:14 AM

    That address is usually just securelogin.arubanetworks.com by default and that should be ok for initial set-up.

    Change the login page parameter as advised as well and re-test.

     

     



  • 10.  RE: Service templates option missing in 6.5

    Posted May 05, 2016 09:40 PM

    Hi David

    I have set it to contain login for the service. Then I have also set the login page to use Aruba Networks as the vendor settings and the address as securelogin.arubanetworks.com, and when I try to log in, it comes up "logging in, please wait...". It eventually comes up with "Login error. Please retry."

    I am not seeing any hits in ClearPass access tracker. I only see results when I change the vendor settings to captive portal with ClearPass web auth.

    [Attached image: ScreenHunter_12 May. 06 11.39.jpg]



  • 11.  RE: Service templates option missing in 6.5

    Posted May 05, 2016 10:07 PM

    Also to note, I'm using an access code for authentication. When I enter a code that doesn't exist, it advises that the code isn't correct. When I enter a correct code, it shows loading, then goes back to the screen. And there is nothing in the access tracker.

    Ta

    David



  • 12.  RE: Service templates option missing in 6.5

    EMPLOYEE
    Posted May 06, 2016 04:09 AM

    If you see 'Logging in', but nothing in the Access Tracker, make sure your controller is configured properly with the ClearPass as RADIUS Server, ClearPass is reachable from the controller, Shared secrets match on Controller and ClearPass.

     

    When the Access Tracker does not show anything, check the Event Viewer in ClearPass. It will probably show in YELLOW that there is a request coming in from an unknown client or with an unmatched shared-secret. If there is nothing in Access Tracker, nor in Event viewer, the request is not getting to ClearPass; do double check controller configuration and network (routing/firewalls/filters) between controller and ClearPass.

     

    If you are in a hurry to make this work, it may be wise to open a case with support (if it is all Dell, use Dell support; if it is Aruba products, use the Aruba TAC).

     



  • 13.  RE: Service templates option missing in 6.5

    Posted May 09, 2016 01:09 AM

    I have logged a case and spent some time with techs today. Couldn't find what was stopping it, as no traffic is going to ClearPass. Spending some more time with techs tomorrow after doing some port mirrors and looking at the traffic. Will advise what we find. Thanks


  • 14.  RE: Service templates option missing in 6.5

    Posted May 11, 2016 06:52 PM

    Just an update: worked with Aruba techs and found that when you set the network to virtual controller assigned, you see hits in the access tracker and it connects. But when you set the VLAN option, you get an IP address, the login page loads, and when you enter the access code, it times out and loads the page again. Nothing in logs. Aruba advised that the issue is with the APs, and they are rebadged to Dell so I've had to chase Dell. Dell have taken 2 days and I'm still struggling to find someone that knows what wireless is.



  • 15.  RE: Service templates option missing in 6.5
    Best Answer

    Posted May 24, 2016 02:53 AM

    We resolved the issue after allowing the Virtual Controller access to the internet directly. Only the proxy has internet access as well as the ClearPass, but for some reason the VC required it too when it was doing the securelogin authentication. See the user details in the access tracker and it works fine now.