Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Trouble with clearpass webauth...

Setting up an open SSID with a captive portal to a landing page.

The landing page has links for guest self-registration and for existing guest/campus users to authenticate.

I had this working a while ago on a previous CPPM version - waiting for summer to deploy.

Appears ClearPass 6.3 changed things.... rebuilt my ClearPass config using the ASE tool.

I have it working on my test controller - then when I went to copy user-roles, AAA profiles and ACLs to another controller.... I have problems.

I get redirected to the landing page - can follow links. Auth screen comes up, I can auth/self-register - but I'm not getting redirected to the specified page after login or put into the appropriate group on the controller.

In Access Tracker I see a successful Application auth for my webauth page - but I don't see the successive RADIUS auth that I do see on my working test controller.

I can't see what I'm missing. The critical pieces appear to match: AAA profiles, roles etc. - but obviously I'm missing something.

Anything to point me in the right direction and show me what I've overlooked will be appreciated.

Travis

Guru Elite
Posts: 8,175
Registered: ‎09-08-2010

Re: Trouble with clearpass webauth...

Can you post the access tracker request?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Aruba Employee
Posts: 30
Registered: ‎07-12-2010

Re: Trouble with clearpass webauth...

A couple of things to check:

  • On the controller's captive portal profile, check that the correct RADIUS server group is referenced.
  • On CPPM, check Monitoring -> Event Viewer. Two messages you might see here: one if CPPM is ignoring requests from your controller (NAD device hasn't been added) and the second if the shared secret is wrong.

You can also test RADIUS authentication on the controller from Diagnostics -> Network -> AAA Test Server.

Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Trouble with clearpass webauth...

Here is the Application Source Access Tracker entry I see - but it is then missing the RADIUS one which occurs on the controller this is working on:


Request Details Summary -
Session Identifier: W0000002d-01-53bb2dfd
Date and Time: Jul 07, 2014 16:32:14 PDT
Username: trschick
End-Host Identifier:
Access Device IP/Port: -:-
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: ucd-ucdguest Guest Access Web Login
Authentication Method: Not applicable
Authentication Source: UCD LDAP
Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Roles: [Employee], [User Authenticated]
Enforcement Profiles: [Allow Application Access Profile]
Service Monitor Mode: Disabled

Input Computed Attributes -
Application:ClearPass:Page-Name = UCDLogin
Application:Name = WebLogin
Authentication:Full-Username = trschick
Authentication:Full-Username-Normalized = trschick
Authentication:Source = UCD LDAP
Authentication:Status = User
Authentication:Username = trschick
Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Connection:Protocol = Application
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2014-07-07
Date:Date-Time = 2014-07-07 16:32:13
Date:Day-of-Week = Monday
Date:Time-of-Day = 16:32:13

Alerts -
Error Code: 0
Error Category: Success
Error Message: Success
Alerts for this Request -
WebAuthService: User 'trschick' not present in [Guest User Repository](localhost)

 

A working Request has a similar Application auth:


Request Details Summary -
Session Identifier: W0000002c-01-53bb2dbe
Date and Time: Jul 07, 2014 16:31:10 PDT
Username: trschick
End-Host Identifier:
Access Device IP/Port: -:-
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: ucd-ucdguest Guest Access Web Login
Authentication Method: Not applicable
Authentication Source: UCD LDAP
Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Roles: [Employee], [User Authenticated]
Enforcement Profiles: [Allow Application Access Profile]
Service Monitor Mode: Disabled

Input Computed Attributes -
Application:ClearPass:Page-Name = UCDLogin
Application:Name = WebLogin
Authentication:Full-Username = trschick
Authentication:Full-Username-Normalized = trschick
Authentication:Source = UCD LDAP
Authentication:Status = User
Authentication:Username = trschick
Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Connection:Protocol = Application
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2014-07-07
Date:Date-Time = 2014-07-07 16:31:10
Date:Day-of-Week = Monday
Date:Time-of-Day = 16:31:10

Alerts -
Error Code: 0
Error Category: Success
Error Message: Success
Alerts for this Request -
WebAuthService: User 'trschick' not present in [Guest User Repository](localhost)

 

That is then followed by a RADIUS Source item:


Request Details Summary -
Session Identifier: R000002a0-01-53bb2dcb
Date and Time: Jul 07, 2014 16:31:23 PDT
Username: trschick
End-Host Identifier: 647002071CED
Access Device IP/Port: 128.120.5.14:0
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: ucd-ucdguest Guest Access
Authentication Method: PAP
Authentication Source: Ldap:ldap.ucdavis.edu
Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Roles: [Employee], [User Authenticated]
Enforcement Profiles: UCD set UCD-guest role
Service Monitor Mode: Disabled

Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = wls14-test
Radius:Aruba:Aruba-Device-Type = Win Vista
Radius:Aruba:Aruba-Essid-Name = ucd-guest-wls14
Radius:Aruba:Aruba-Location-Id = 00-ap105-test
Radius:IETF:Called-Station-Id = 000B8661F51C
Radius:IETF:Calling-Station-Id = 647002071CED
Radius:IETF:Framed-IP-Address = 128.120.101.74
Radius:IETF:NAS-IP-Address = 128.120.5.14
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 1
Radius:IETF:User-Name = trschick

Input Computed Attributes -
Authentication:ErrorCode = 0
Authentication:Full-Username = trschick
Authentication:Full-Username-Normalized = trschick
Authentication:MacAuth = NotApplicable
Authentication:OuterMethod = PAP
Authentication:Posture = Unknown
Authentication:Source = UCD LDAP
Authentication:Status = User
Authentication:Username = trschick
Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
Connection:AP-Mac =
Connection:Client-Mac-Address = 647002071CED
Connection:Client-Mac-Address-Colon = 64:70:02:07:1c:ed
Connection:Client-Mac-Address-Dot = 6470.0207.1ced
Connection:Client-Mac-Address-Hyphen = 64-70-02-07-1c-ed
Connection:Client-Mac-Address-NoDelim = 647002071ced
Connection:Client-Mac-Vendor = TP-LINK TECHNOLOGIES CO., LTD.
Connection:Dest-IP-Address = 128.120.128.152
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 128.120.5.14
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 128.120.5.14
Connection:Src-Port = 33890
Connection:SSID = ucd-guest-wls14
Endpoint:Guest Role ID = 2
Endpoint:social_args = {"page_name":"Social_Login","oauth":"facebook","state":"1404401443-a9020c","code":"AQDh6_5WOBH0SE7fSdQh5XF8YvYAl4b5lNiBMLJl1MEXNBdaCHgr5xZTff85r8zdq8X7FxcDB08Wo7n9AzfDGZoqNQYXR-PyvpwKgdeIhKoUflfFHimuaSpsY0DRuJ13Kw4iy45vAQAVUO4CYGWOJRBIVfr6I37IYk95zgqCUUgR0neH83bZJE-BesOAxdeLRS3f1kGpt55yVCWJJp-KtcnKYKh_BYKTHY3yXcZYcWRvPN758xKDEUkNrukx-nYLGwbMnXVBJIBQOPd5leMhyQkPShhpBCiRgF2QPJ6aSwXxElbvxdAgk5gi7j_Ol_V_cyg"}
Endpoint:social_json = {"id":"100000462021539","email":"trschick@gmail.com","first_name":"Travis","gender":"male","last_name":"Schick","link":"https:\\/\\/www.facebook.com\\/travis.schick.7","locale":"en_US","name":"Travis Schick","timezone":-7,"updated_time":"2014-02-17T05:51:46+0000","username":"travis.schick.7","verified":true}
Endpoint:social_method = facebook
Endpoint:social_password = ********  #had overwritten before... but this should make it clear 
Endpoint:social_timestamp = 1404401471
Endpoint:social_username = trschick@gmail.com
Endpoint:social_vip =
Endpoint:Username = trschick

Output RADIUS Attributes -
Radius:Aruba:Aruba-User-Role = UCD-guest

Accounting Details -
Account Session ID: trschick647002071CED-17
Start Timestamp: Jul 07, 2014 16:31:24 PDT
End Timestamp: Jul 07, 2014 18:01:45 PDT
Status: InActive
Termination Cause: Session-Timeout
Service Type:
Number of Authentication Sessions: 1

Network Details -
NAS IP Address: 128.120.5.14:0
NAS Port Type: Wireless-802.11
Calling Station ID: 647002071CED
Called Station ID: 000B8661F51C
Framed IP Address: 128.120.101.74
Account Auth:

Utilization -
Active Time: 5421 secs
Account Delay Time: 0
Account Input Octets: 96414691
Account Output Octets: 47121439
Account Input Packets: 150435
Account Output Packets: 135752

Authentication Session Details -
Session ID: R000002a0-01-53bb2dcb
Type: Start
Date/Time: Jul 07, 2014 16:31:24 PDT
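
As an added example (not from this thread and not ClearPass code), a small Python script that parses Access Tracker request dumps in the format quoted above and reports web logins that were not followed by a RADIUS request for the same user, which is exactly the difference between the working and the non-working controller here. The sample dump is constructed from the session identifiers quoted above, reduced to the fields the check needs; the 120-second correlation window is an assumption.

```python
import re
from datetime import datetime
# Constructed sample in the Access Tracker "Request Details" format quoted above:
# a WebLogin followed by its RADIUS request, then a WebLogin with no follow-up.
SAMPLE = """\
Request Details Summary -
Session Identifier: W0000002c-01-53bb2dbe
Date and Time: Jul 07, 2014 16:31:10 PDT
Username: trschick
Connection:Protocol = Application
Request Details Summary -
Session Identifier: R000002a0-01-53bb2dcb
Date and Time: Jul 07, 2014 16:31:23 PDT
Username: trschick
Connection:Protocol = RADIUS
Request Details Summary -
Session Identifier: W0000002d-01-53bb2dfd
Date and Time: Jul 07, 2014 16:32:14 PDT
Username: trschick
Connection:Protocol = Application
"""
def parse_requests(text):
    """One dict per 'Request Details Summary' block ('Key: value' or 'Key = value')."""
    requests = []
    for block in re.split(r"^Request Details Summary -\s*$", text, flags=re.M)[1:]:
        req = {}
        for line in block.splitlines():
            sep = " = " if " = " in line else ": " if ": " in line else None
            if sep:  # section headers ("Policies Used -") and empty values are skipped
                key, _, val = line.partition(sep)
                req[key.strip()] = val.strip()
        requests.append(req)
    return requests

def _when(req):
    # Drop the trailing zone name ("PDT"); all requests in one tracker share a zone.
    return datetime.strptime(req["Date and Time"].rsplit(" ", 1)[0], "%b %d, %Y %H:%M:%S")

def orphan_web_logins(requests, window_seconds=120):
    """WebLogin sessions not followed within the window by a RADIUS request for the same user."""
    # No RADIUS request means the controller never sent an Access-Request after the
    # web login, so no Aruba-User-Role came back and the user stays in the portal role.
    radius = [r for r in requests if r.get("Connection:Protocol") == "RADIUS"]
    orphans = []
    for web in requests:
        if web.get("Connection:Protocol") != "Application":
            continue
        if not any(r.get("Username") == web.get("Username") and
                   0 <= (_when(r) - _when(web)).total_seconds() <= window_seconds
                   for r in radius):
            orphans.append(web["Session Identifier"])
    return orphans
```

Run it over a dump exported from Access Tracker and every identifier it prints is a web login the controller never turned into a RADIUS authentication.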

Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Trouble with clearpass webauth...

The correct RADIUS server group is referenced.

On the CPPM I'm not getting any errors when I attempt an authentication.... I wish I was!

I have successfully tested auth from the controller using the Diag test.

The controllers are part of a common subnet - that has been added to the CPPM.

From reading I gathered that having a landing page that then links to a login page can create issues.... it's why I need to configure an application auth service... and that the application auth should then be followed by a RADIUS auth in normal operation.... that ClearPass is in the background making sure the MAC address, etc. is getting passed internally as needed. I don't recall addressing this on the controller config - but I'm not clear on the issue.... I'm looking at my AAA profiles and user-roles, but I think I'm missing something that I don't think is related.

Aruba Employee
Posts: 30
Registered: ‎07-12-2010

Re: Trouble with clearpass webauth...

I am not all that familiar with social media logins yet. That being said, have you whitelisted Facebook on the captive portal login role?

facebook.com

m.facebook.com

fbstatic-a.akamaihd.net

Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Trouble with clearpass webauth...

Yes, but for these access attempts I was not using a social media auth.... I'm guessing that just gets stored in the endpoints DB from a previous auth attempt.

MVP
Posts: 4,168
Registered: ‎07-20-2011

Re: Trouble with clearpass webauth...

What authentication method are you using in the service and the layer 3 authentication profile?

PAP, MSCHAP?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba Employee
Posts: 30
Registered: ‎07-12-2010

Re: Trouble with clearpass webauth...

In that case, a few new things to check.

Are you doing Controller-Initiated or Server-Initiated for the Web Login's "Login Method"?

If Controller-Initiated, I assume you are using securelogin.arubanetworks.com as the "Web Address" and "Vendor Default" as the "Secure Login Method". Does your controller have a different public server certificate where the controller's hostname would be overridden? To test, connect a PC/Mac to the SSID and try to resolve securelogin.arubanetworks.com. If it's not your controller, the controller's hostname has been changed with a new certificate.

If Server-Initiated, a few questions:

  • RFC-3576 configured on the new controller with the correct shared secret?
  • Anything in the firewall that might be blocking RFC-3576? UDP port 3799.

I don't suspect it has anything to do with having an initial landing page that branches off to other CPG pages. Unless that landing page isn't hosted by CPG? CPG retains the controller-passed values between CPG page navigations.

You may want to have support do a rundown of your AOS+CP config since there are a lot of small knobs that might be off which would lead to this problem. I've listed only a few.

Frequent Contributor I
Posts: 92
Registered: ‎04-09-2007

Re: Trouble with clearpass webauth...

I have PAP and MSCHAP specified. Currently allowing local guest accounts (PAP) or using LDAP (MSCHAP hashes).
