Security

Setting up a open-ssid to captive portal to a landing page. 

The landing page has links for guest self-registration, for existing guest/campus users to authenticate

 

I had this working a while ago on a previous cppm version - wating for summer to deply

 

Appears Clearpass 6.3 changed things....  rebuilt my clearpass config using ASE tool

I have it working on my test controller - then I when to copy user-roles - aaa profiles and acl's to another controller....I have problems.

 

 I get redirected to landing page - can follow links.  Auth screen comes up I can auth/self-register - but I'm not getting redirected to the specified page after login or put into the appropriate group on the controller

 

In access tracker - I see a successful Application auth for my webauth page - but I don't see that successive RADIUS auth that I do on my working test controller.

 

I can't see what I'm missing.   The critical pieces appear to match aaa profiles, roles etc - but obviously I'm missing something.

 

Anything to point me in the right direction and show me what I've overlooked will be appreciated.

 

 

Travis

 

 

 

 

Can you post the access tracker request?

Here is the Application Source access tracker I see - but then is missing the Radius which occurs on the controller this is working on:

Request Details Summary -
Session Identifier: W0000002d-01-53bb2dfd
Date and Time: Jul 07, 2014 16:32:14 PDT
Username: trschick
End-Host Identifier:
Access Device IP/Port: -:-
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: ucd-ucdguest Guest Access Web Login
Authentication Method: Not applicable
Authentication Source: UCD LDAP
Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Roles: [Employee], [User Authenticated]
Enforcement Profiles: [Allow Application Access Profile]
Service Monitor Mode: Disabled

Input Computed Attributes -
Application:ClearPass:Page-Name = UCDLogin
Application:Name = WebLogin
Authentication:Full-Username = trschick
Authentication:Full-Username-Normalized = trschick
Authentication:Source = UCD LDAP
Authentication:Status = User
Authentication:Username = trschick
Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Connection:Protocol = Application
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2014-07-07
Date:Date-Time = 2014-07-07 16:32:13
Date:Day-of-Week = Monday
Date:Time-of-Day = 16:32:13

Alerts -
Error Code: 0
Error Category: Success
Error Message: Success
Alerts for this Request -
WebAuthService: User 'trschick' not present in [Guest User Repository](localhost)

 

A working Request has a similar Application auth:

Request Details Summary -
Session Identifier: W0000002c-01-53bb2dbe
Date and Time: Jul 07, 2014 16:31:10 PDT
Username: trschick
End-Host Identifier:
Access Device IP/Port: -:-
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: ucd-ucdguest Guest Access Web Login
Authentication Method: Not applicable
Authentication Source: UCD LDAP
Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Roles: [Employee], [User Authenticated]
Enforcement Profiles: [Allow Application Access Profile]
Service Monitor Mode: Disabled

Input Computed Attributes -
Application:ClearPass:Page-Name = UCDLogin
Application:Name = WebLogin
Authentication:Full-Username = trschick
Authentication:Full-Username-Normalized = trschick
Authentication:Source = UCD LDAP
Authentication:Status = User
Authentication:Username = trschick
Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Connection:Protocol = Application
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2014-07-07
Date:Date-Time = 2014-07-07 16:31:10
Date:Day-of-Week = Monday
Date:Time-of-Day = 16:31:10

Alerts -
Error Code: 0
Error Category: Success
Error Message: Success
Alerts for this Request -
WebAuthService: User 'trschick' not present in [Guest User Repository](localhost)

 

that is then follwed with a Radius Source item:

Request Details Summary -
Session Identifier: R000002a0-01-53bb2dcb
Date and Time: Jul 07, 2014 16:31:23 PDT
Username: trschick
End-Host Identifier: 647002071CED
Access Device IP/Port: 128.120.5.14:0
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: ucd-ucdguest Guest Access
Authentication Method: PAP
Authentication Source: Ldap:ldap.ucdavis.edu
Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Roles: [Employee], [User Authenticated]
Enforcement Profiles: UCD set UCD-guest role
Service Monitor Mode: Disabled

Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = wls14-test
Radius:Aruba:Aruba-Device-Type = Win Vista
Radius:Aruba:Aruba-Essid-Name = ucd-guest-wls14
Radius:Aruba:Aruba-Location-Id = 00-ap105-test
Radius:IETF:Called-Station-Id = 000B8661F51C
Radius:IETF:Calling-Station-Id = 647002071CED
Radius:IETF:Framed-IP-Address = 128.120.101.74
Radius:IETF:NAS-IP-Address = 128.120.5.14
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 1
Radius:IETF:User-Name = trschick

Input Computed Attributes -
Authentication:ErrorCode = 0
Authentication:Full-Username = trschick
Authentication:Full-Username-Normalized = trschick
Authentication:MacAuth = NotApplicable
Authentication:OuterMethod = PAP
Authentication:Posture = Unknown
Authentication:Source = UCD LDAP
Authentication:Status = User
Authentication:Username = trschick
Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Connection:AP-Mac =
Connection:Client-Mac-Address = 647002071CED
Connection:Client-Mac-Address-Colon = 64:70:02:07:1c:ed
Connection:Client-Mac-Address-Dot = 6470.0207.1ced
Connection:Client-Mac-Address-Hyphen = 64-70-02-07-1c-ed
Connection:Client-Mac-Address-NoDelim = 647002071ced
Connection:Client-Mac-Vendor = TP-LINK TECHNOLOGIES CO., LTD.
Connection:Dest-IP-Address = 128.120.128.152
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 128.120.5.14
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 128.120.5.14
Connection:Src-Port = 33890
Connection:SSID = ucd-guest-wls14
Endpoint:Guest Role ID = 2
Endpoint:social_args = {"page_name":"Social_Login","oauth":"facebook","state":"1404401443-a9020c","code":"AQDh6_5WOBH0SE7fSdQh5XF8YvYAl4b5lNiBMLJl1MEXNBdaCHgr5xZTff85r8zdq8X7FxcDB08Wo7n9AzfDGZoqNQYXR-PyvpwKgdeIhKoUflfFHimuaSpsY0DRuJ13Kw4iy45vAQAVUO4CYGWOJRBIVfr6I37IYk95zgqCUUgR0neH83bZJE-BesOAxdeLRS3f1kGpt55yVCWJJp-KtcnKYKh_BYKTHY3yXcZYcWRvPN758xKDEUkNrukx-nYLGwbMnXVBJIBQOPd5leMhyQkPShhpBCiRgF2QPJ6aSwXxElbvxdAgk5gi7j_Ol_V_cyg"}
Endpoint:social_json = {"id":"100000462021539","email":"trschick@gmail.com","first_name":"Travis","gender":"male","last_name":"Schick","link":"https:\\/\\/www.facebook.com\\/travis.schick.7","locale":"en_US","name":"Travis Schick","timezone":-7,"updated_time":"2014-02-17T05:51:46+0000","username":"travis.schick.7","verified":true}
Endpoint:social_method = facebook
Endpoint:social_password = ********  #had overwritten before... but this should make it clear 
Endpoint:social_timestamp = 1404401471
Endpoint:social_username = trschick@gmail.com
Endpoint:social_vip =
Endpoint:Username = trschick

Output RADIUS Attributes -
Radius:Aruba:Aruba-User-Role = UCD-guest

Accounting Details -
Account Session ID: trschick647002071CED-17
Start Timestamp: Jul 07, 2014 16:31:24 PDT
End Timestamp: Jul 07, 2014 18:01:45 PDT
Status: InActive
Termination Cause: Session-Timeout
Service Type:
Number of Authentication Sessions: 1

Network Details -
NAS IP Address: 128.120.5.14:0
NAS Port Type: Wireless-802.11
Calling Station ID: 647002071CED
Called Station ID: 000B8661F51C
Framed IP Address: 128.120.101.74
Account Auth:

Utilization -
Active Time: 5421 secs
Account Delay Time: 0
Account Input Octets: 96414691
Account Output Octets: 47121439
Account Input Packets: 150435
Account Output Packets: 135752

Authentication Session Details -
Session ID: R000002a0-01-53bb2dcb
Type: Start
Date/Time: Jul 07, 2014 16:31:24 PDT

A couple things to check:

 

• On the controller's captive portal profile, check that the correct RADIUS server group is referenced.
• On CPPM, check Monitoring -> Event Viewer.  Two message you might see here.  One is if CPPM is ignoring requests from your controller (NAD device hasn't been added) and the second is if the shared secret is wrong.

You can also test RADIUS authentication on the controller from Diagnostics -> Network -> AAA Test Server.

The correct RADIUS server group is referenced.

 

On the CPPM I'm not getting any errors when I attempt an authentication.... I wish I was!

I have successfully tested Auth from the controller using the Diag test

 

The controllers are part of a common subnet - that has been added to the CPPM

 

From reading I gathered that having a landing page that then links to a login page - can create issues.... its why I need to configure a application auth service... and that the application auth should then be followed by a radius auth in normal operation.... that clearpass is in the background making sure mac address, etc..  is getting passed internally as needed.   Don't recall addressing this on the controller config - but  I'm not clear on the issue.... I'm looking at my aaa profiles and user-roles, but I think I'm missing something that I don't think is related

I am not all that familiar with social media logins yet.  That being said, have you whitelisted facebook on the captive portal login role?

facebook.com

m.facebook.com

fbstatic-a.akamaihd.net

Yes, but for these access attempts I was not using a social media auth.... I'm guessing that just  gets stored in the endpoints db from a previous auth attempt

What authentication method are you using in the service and the layer 3 authentication profile ?

PAP , MSCHAP ?

I have PAP and MSCHAP specified.   Currently allowing local guest accounts (PAP) or using LDAP (MSCHAP hashes)

In that case, a few new things to check.

 

Are you doing Controller-Initiated or Server-Initiated for the Web Login's "Login Method"?  

 

If Controller-Initiated, I assume you are using securelogin.arubanetworks.com as the "Web Address" and "Vendor Default" as the "Secure Login Method".  Does your controller have a different public server certificate where the controller's hostname would be overriden?  To test, connect a PC/MAC to the SSID and try to resolve securelogin.arubnateworks.com.  If it's not your controller, the controller's hostname has been changed with a new certificate.

 

If Server-Initiated, a few questions?

• RFC-3576 configured on the new controller with the correct shared secret?
• Anything in the firewall that might be blocking RFC-3576?  UDP port 3799.

I don't suspect it has anything to do with having an initial landing page that branches off to other CPG pages.  Unless, that landing page isn't hosted by CPG?  CPG retains the controller-passed values betweeen CPG page navigations.

 

You may want to have support do a rundown of your AOS+CP config since there are a lot of small knobs that might be off which would lead to this problem.  I've listed only a few.

---

@rmehra wrote:

In that case, a few new things to check.

 

Are you doing Controller-Initiated or Server-Initiated for the Web Login's "Login Method"?  

---

Controller Initiated 

---

If Controller-Initiated, I assume you are using securelogin.arubanetworks.com as the "Web Address" and "Vendor Default" as the "Secure Login Method".  Does your controller have a different public server certificate where the controller's hostname would be overriden?  To test, connect a PC/MAC to the SSID and try to resolve securelogin.arubnateworks.com.  If it's not your controller, the controller's hostname has been changed with a new certificate.

 ---

Correct,  I have a wildcard cert installed.   securelogin.arubanetworks.com does not resolves, nor does captiveportal.<domain of wildcard>

***correction***

I do get redirected if I use captiveportal-login.<domain of wildcard) - which is the actual name the controller presents when it has a wildcard cert installed.

 

updated the web loging in CPG to use this instead of securelogin.arubanetworks.com.....   so now I get redirected back to the landing page... instead of failing on securelogin.arubanetworks.com on the controllers my config is not working on.... so that is.... better?

*update* it is better.... some underlying ldap bingin failures resulted in failed auth attempt and going back to landing page...

--- 

If Server-Initiated, a few questions?

• RFC-3576 configured on the new controller with the correct shared secret?
• Anything in the firewall that might be blocking RFC-3576?  UDP port 3799.

---

I tried with server initiated... but that didn't work - though it sounds like the option I'd want since I'm using a landing page and having the user browse to the Web Login?

---  

I don't suspect it has anything to do with having an initial landing page that branches off to other CPG pages.  Unless, that landing page isn't hosted by CPG?  CPG retains the controller-passed values betweeen CPG page navigations.

 ---

CPG is hosting the landing page

--- 

You may want to have support do a rundown of your AOS+CP config since there are a lot of small knobs that might be off which would lead to this problem.  I've listed only a few.

--- 

I am following up with support - but also trying to see if there's anything else I can try in the mean time.

---

---

 

"CERTS!!!!"      In the best Khan-esque impression I can muster

 

So my test box was using a old outdated ssl cert for captive portal  (must have restored from an old config a while back - since i had the current certs installed as well)  Never saw this as a problem... since cppm had current cert so the client web browser was always happy....

 

So even though the expired cert was still a wildcard - and even though it was expired.... the process worked

So I then assumed my clearpass config was good and that the trouble was on the controllers I was attempting to configure with the new captive portal....

 

The true problem was the server address on CPG - since I had a wildcard cert I needed to use captiveportal-login NOT securelogin

so not really a cert issue.... but definately weird that outdated certs resulted in a misconfiguration on CPG to work.

 

Thank you rmehra - having me double-check that server address got me thinking on wildcard cert issues and checking