Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

clearpass guest with captive portal

  • 1.  clearpass guest with captive portal

    Posted May 28, 2013 03:46 PM

    I have configured my Aruba controller (6.1.3.0) guest WLAN to be redirected to my ClearPass (6.0.2) server for captive portal.  I can connect to the guest SSID (CPGuest) - the icon in the toolbar shows that it is connected with Internet access - and I can ping the Internet and the ClearPass server, but when I open a webpage it times out.  The webpage says that it is waiting for a response from the CPPM server (172.20.1.253).

     

    When I test the web login page on the ClearPass guest server web login configuration page it works fine.  And I have been through a few of the scant documents I could find with configuration examples, including a video I found that shows how to configure IAP to redirect to ClearPass for guest authentication.  Unfortunately I have not found anything similar that shows the configuration for campus (controller-based) APs.

     

    Both the controller and the management port for the CPPM (VM) are on VLAN 1 (172.20.0.0/16), which is also my employee VLAN, and the guest network is on VLAN2 (192.168.200.0/24).  I can ping the CPPM server (172.20.1.253) from the guest client and I can ping the guest VLAN interface (192.168.200.1) from the CPPM server.  But I can't get the ClearPass server to display a captive portal/login page for guests.

     

    I have the guest captive portal working on the controller, but I want to move it to the ClearPass server.  Any suggestions or references to documentation would be greatly appreciated.

     

    Regards,



  • 2.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:15 PM

    Here are some things to check:

    Are you using only one network interface on the CPPM?

    Have you double checked your controller user role to make sure that they are loading the correct captive portal profile?

    Does that user role have an ACL that allows http and https access to your ClearPass Guest?

    Is the redirect URL the same one that you see when you test the login page in ClearPass Guest?



  • 3.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:36 PM

    Thank you for your response.  I have been through the configuration on my controller and my CPPM server many times.  The browser looks like it is getting redirected to the CPPM server address, but I am not getting any messages in my access tracker, so I have no leads to go on.  Below are my responses to your suggestions:

     

    Are you using only one network interface on the CPPM? Yes, one interface (mgt.)

    Have you double checked your controller user role to make sure that they are loading the correct captive portal profile? Yes, my CPGuest_logon role, which is the initial role in my AAA profile (CPGuest_aaa_prof), calls my CPGuest_cp captive portal role.

    Does that user role have an ACL that allows http and https access to your ClearPass Guest?  Yes, I have tried allowing http and https access from user to the clearpass server IP, and from the guest subnet to the clearpass server IP.

    Is the redirect URL the same one that you see when you test the login page in ClearPass Guest?  Yes, I have copied and pasted it from the clearpass test page to the controller verbatim.

     

    In the AAA profile that sets the initial role (CPGuest_aaa_prof), I have both the 802.1X Authentication Server Group and Accounting Server Group set to the ClearPass server.  And I have "Guest login" selected in the L3 Authentication - Captive Portal Authentication Profile that I am using.



  • 4.  RE: clearpass guest with captive portal

    EMPLOYEE
    Posted May 28, 2013 04:40 PM

    Are you using http or https? CPPM IP address or FQDN?



  • 5.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:43 PM

    In my CP Auth Profile I am using https://172.20.1.253/guest/guest_logon.php.



  • 6.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:56 PM

    To rule out any browser/certificate issues, can you try changing the redirect to http in the captive portal profile and disable "require https for guest access" inside of Guest under Configuration->Authentication?



  • 7.  RE: clearpass guest with captive portal

    EMPLOYEE
    Posted May 28, 2013 04:57 PM

    Can you ping CPPM when you are connected to the guest role, or just browse to https://172.20.1.253/tips? You will most likely run into issues if you are using IP vs FQDN with https. I would recommend turning off https on the controller and CPPM.

     

    Make sure you have https disabled in the CPGuest under  "Home » Configuration » Authentication"

     

    [screenshot: httpsguest1.png]

     

     

     

    in the guest page disable NAS https "Home » Configuration » Guest Self-Registration"

     

    [screenshot: httpsguest2.png]

     

    and in the controller

     

    [screenshot: controllerhttps.png]



  • 8.  RE: clearpass guest with captive portal

    Posted May 28, 2013 05:48 PM

    I disabled https everywhere and I cleared my browser cache in IE, but still no love.  I also tried Firefox and Chrome browsers, but nothing.  When I try to browse, IE and Firefox show a message in the bottom left corner of the browser that says Connecting to 172.20.1.253..., Chrome just says Sending Request.  Below are some screen shots of my controller config:

    [screenshot: aaa_prof.PNG]

    [screenshot: CPGuest-logon Policies.PNG]

    [screenshot: CPG-web-ACL.PNG]



  • 9.  RE: clearpass guest with captive portal

    Posted May 28, 2013 05:54 PM

    I changed the default role to guest in this profile.

    [screenshot: L3 Auth.PNG]



  • 10.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:34 PM

    Please run the following for the role your client is in:

     

    show rights <nameofrole>

     

    Also, please show the following for the Captive Portal profile listed above:

     

    show aaa authentication captive-portal <nameofcaptiveportalprofile>

     

     



  • 11.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:53 PM

    See below:

     

    (CNI_A620) #show rights CPGuest-logon

    Derived Role = 'CPGuest-logon'
     Up BW contract = Guest_BW_Contract (5000000 bits/sec)   Down BW contract = Guest_BW_Contract (5000000 bits/sec)
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 58/0
     Max Sessions = 65535

     Captive Portal profile = CPGuest_cp

    access-list List
    ----------------
    Position  Name           Location
    --------  ----           --------
    1         CPG-web-ACL
    2         logon-control
    3         captiveportal

    CPG-web-ACL
    -----------
    Priority  Source                       Destination   Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------                       -----------   -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         192.168.200.0 255.255.255.0  172.20.1.253  svc-https  permit                           Low                                                           4
    2         192.168.200.0 255.255.255.0  172.20.1.253  svc-http   permit                           Low                                                           4

    logon-control
    -------------
    Priority  Source  Destination  Service   Action  TimeRange      Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------   ------  ---------      ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any          udp 68    deny    Working_Hours                Low                                                           4
    2         any     any          svc-icmp  permit  Working_Hours                Low                                                           4
    3         any     any          svc-dns   permit  Working_Hours                Low                                                           4
    4         any     any          svc-dhcp  permit  Working_Hours                Low                                                           4
    5         any     any          svc-natt  permit  Working_Hours                Low                                                           4

    captiveportal
    -------------
    Priority  Source  Destination   Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------   -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    172.20.1.253  any              permit                                 Low                                                           4
    2         user    172.20.1.253  svc-http         permit                                 Low                                                           4
    3         user    172.20.1.253  svc-https        permit                                 Low                                                           4
    4         user    any           svc-http         dst-nat 8080                           Low                                                           4
    5         user    any           svc-https        dst-nat 8081                           Low                                                           4
    6         user    any           svc-http-proxy1  dst-nat 8088                           Low                                                           4
    7         user    any           svc-http-proxy2  dst-nat 8088                           Low                                                           4
    8         user    any           svc-http-proxy3  dst-nat 8088                           Low                                                           4

    Expired Policies (due to time constraints) = 0

    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

    (CNI_A620) #show aaa authentication captive-portal CPGuest_cp

    Captive Portal Authentication Profile "CPGuest_cp"
    --------------------------------------------------
    Parameter                                     Value
    ---------                                     -----
    Default Role                                  CPGuest-logon
    Default Guest Role                            guest
    Server Group                                  Clearpass
    Redirect Pause                                2 sec
    User Login                                    Disabled
    Guest Login                                   Enabled
    Logout popup window                           Disabled
    Use HTTP for authentication                   Disabled
    Logon wait minimum wait                       5 sec
    Logon wait maximum wait                       10 sec
    logon wait CPU utilization threshold          60 %
    Show FQDN                                     Disabled
    Use CHAP (non-standard)                       Disabled
    Login page                                    https://172.20.1.253/guest/guest_logon.php
    Welcome page                                  http://www.corpnetworking.com
    Show Welcome Page                             Yes
    Add switch IP address in the redirection URL  Disabled
    Allow only one active user session            Disabled
    White List                                    N/A
    Black List                                    N/A
    Show the acceptable use policy page           Disabled

    (CNI_A620) #



  • 12.  RE: clearpass guest with captive portal

    Posted May 28, 2013 04:56 PM

    EDIT:

     

    Looks like you have this in your captive portal ACL listed below the CPG-web-ACL.....so please disregard.

     

    Please try to change the source of your CPG-web-ACL to "user" rather than 192.168.200.0 255.255.255.0

     

    Also, try and enable HTTP authentication in the CP profile and in your guest logon page to rule out certificate/OCSP issues.



  • 13.  RE: clearpass guest with captive portal

    Posted May 28, 2013 05:01 PM

    Unrelated, you'll want to change your "Default Role" within your captive portal profile to another role.  You have it set at your logon role; you want it to be a post logon role.



  • 14.  RE: clearpass guest with captive portal

    Posted May 28, 2013 06:01 PM

    When a guest client connects and requests the login page, is the source address of the request from the guest IP, or the controller IP?



  • 15.  RE: clearpass guest with captive portal

    Posted May 29, 2013 04:29 AM

    Two documents that should help you along your way here:

    • Amigopod-AOS-Integration-AppNote.pdf
    • Aruba Wireless and ClearPass 6 Integration Guide v1.3.pdf

     

     

    If you have activated Source NAT on the guest VLAN then the Controller IP is the source IP. Read more about this in the amigopod integration appnote - which is quite good and detailed.

     

    Default Role of Captive Profile shouldn't be -logon role, but the role you want to place it in once authenticated. Usually just some variation of "guest".

     

    And now just some random things that might help ;)

    ------------

     

    You are doing User login, not Guest login when implementing ClearPass.

     

    Assuming that the Controller is DHCP and default gateway for the Guest Clients.

     

    Assuming you have followed Tarnold's advice to the letter and configured for http in all four places.

     

    You haven't reached the Radius part yet - that is first triggered after you register and login through the CP-Guest webpage, so no point troubleshooting that yet. You won't see guest web/http traffic listed in the Access Tracker.

     

    The traffic flow between your client and the CPPM is disrupted for some reason. Might be return traffic that is blocked or not routed correctly. Does the CPPM default gateway have a route back to the client subnet? If you can ping it from the client then it should be OK, but still...

     

    DNS lookup seems to be working, because if it didn't your browser wouldn't try to load the CPPM IP.

     

    What type of client are you testing from?

    Your client is redirected from the 192.168 network to the 172.20 network and not all clients like that. If Windows, please turn off Windows Firewall to see if that's preventing the return traffic from ClearPass.

     

     



  • 16.  RE: clearpass guest with captive portal

    EMPLOYEE
    Posted May 29, 2013 07:29 PM

    Just a quick update----

     

    The VLAN was missing from the guest role.



  • 17.  RE: clearpass guest with captive portal

    Posted May 30, 2013 08:06 AM

    Troy is correct.  I was missing the VLAN designation in the CPGuest-logon role.



  • 18.  RE: clearpass guest with captive portal

    Posted May 30, 2013 10:14 AM

    Thanks for the update; but I am curious why/how that resolved the issue.   You said you could ping CPPM, but could not get there by web, which would imply you had an IP address....was that not the case, or was the user on the wrong VLAN?   Did you have a VLAN designated in the virtual AP?

     

     

     

     



  • 19.  RE: clearpass guest with captive portal

    Posted May 30, 2013 10:42 AM

    That is what had me confused: I could ping the CP server and I could ping the Internet, I could resolve DNS names, and I was being redirected to the CP server, but I couldn't get the Guest login page to display.  The problem was that I hadn't assigned the logon role to the proper VLAN, or any VLAN for that matter.  Once I assigned the VLAN to the logon role, the login page displayed.



  • 20.  RE: clearpass guest with captive portal

    Posted May 30, 2013 11:06 AM

    Well, if it works, it works!     For reference, if you have a VLAN or VLAN pool defined in the virtual AP, you do not need to define one within the role; the client would default to the VLAN defined in the virtual AP.    The one in the User Role will override the default in the Virtual AP.
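As an added example (not from this thread, and not HPE Aruba code), a small Python checker that applies the checks raised in posts 2, 12, 13 and 20 to the `show rights` and captive-portal profile output quoted in post 11: a VLAN on the logon role, a Default Role that is not the logon role, a redirect URL scheme that agrees with "Use HTTP for authentication", and an ACL rule permitting http and https from `user` to the CPPM. The " VLAN = <id>" line format in `show rights` is an assumption; the quoted output has no VLAN line at all, which matches the resolution in posts 16 and 17.

```python
import re

# Constructed sample input: the `show rights CPGuest-logon` and
# `show aaa authentication captive-portal CPGuest_cp` output quoted in
# this thread, trimmed to the lines the checks below look at.
SHOW_RIGHTS = """Derived Role = 'CPGuest-logon'
 ACL Number = 58/0
 Captive Portal profile = CPGuest_cp
CPG-web-ACL
1         192.168.200.0 255.255.255.0  172.20.1.253  svc-https  permit
2         192.168.200.0 255.255.255.0  172.20.1.253  svc-http   permit
captiveportal
1         user    172.20.1.253  any              permit
4         user    any           svc-http         dst-nat 8080
"""
CP_PROFILE = """Default Role                                  CPGuest-logon
Default Guest Role                            guest
Use HTTP for authentication                   Disabled
Login page                                    https://172.20.1.253/guest/guest_logon.php
"""

# One ACL rule line: priority, source (user | any | addr mask), destination,
# service, action; only the first five columns are matched.
RULE_RE = re.compile(
    r"^\s*\d+\s+(user|any|\d+(?:\.\d+){3} \d+(?:\.\d+){3})\s+(\S+)\s+(\S+)\s+(\S+)", re.M)

def check_captive_portal(rights, profile, cppm_ip):
    """Return a list of findings; an empty list means all four checks pass."""
    findings = []
    role = re.search(r"Derived Role = '([^']+)'", rights).group(1)
    # 1. The thread's root cause: no VLAN on the logon role. Assumes AOS prints
    #    a " VLAN = <id>" line in `show rights` when one is set (assumption).
    if not re.search(r"^\s*VLAN\s*=", rights, re.M):
        findings.append("role %s has no VLAN; set one here or in the virtual AP" % role)
    # 2. Default Role must be a post-logon role, not the logon role itself.
    default = re.search(r"^Default Role\s+(\S+)", profile, re.M).group(1)
    if default == role:
        findings.append("Default Role is the logon role %s; use a post-logon role" % role)
    # 3. Redirect URL scheme must agree with 'Use HTTP for authentication'.
    use_http = re.search(r"Use HTTP for authentication\s+(\w+)", profile).group(1) == "Enabled"
    url = re.search(r"^Login page\s+(\S+)", profile, re.M).group(1)
    if use_http != url.startswith("http://"):
        findings.append("login page %s disagrees with 'Use HTTP for authentication'" % url)
    # 4. Some rule must permit http and https from 'user' to the CPPM address.
    allowed = {svc for src, dst, svc, act in RULE_RE.findall(rights)
               if src == "user" and dst == cppm_ip and act == "permit"}
    for svc in ("svc-http", "svc-https"):
        if svc not in allowed and "any" not in allowed:
            findings.append("no 'user' rule permits %s to %s" % (svc, cppm_ip))
    return findings

if __name__ == "__main__":
    for finding in check_captive_portal(SHOW_RIGHTS, CP_PROFILE, "172.20.1.253"):
        print("FINDING:", finding)
```

Run against the quoted output it reports exactly the two points the thread ended up fixing: the missing VLAN and the logon role used as Default Role.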

     



  • 21.  RE: clearpass guest with captive portal

    Posted May 30, 2013 11:11 AM

    This configuration was actually on a controller (Campus APs), not IAP.



  • 22.  RE: clearpass guest with captive portal

    Posted May 30, 2013 11:18 AM

    Yes, I am aware; my statement still applies.    



  • 23.  RE: clearpass guest with captive portal

    Posted Oct 02, 2014 03:44 AM

    I am facing the same problem at the moment. I set up Controllers with guest SSID, Captive Portal Profile and CPPM-Guest-Logon Profile but I do not get the login page.

     

    The difference is that I have 2 NICs configured in CPPM, and when I test my page under

     
    I only see the IP address of the mgmt interface.
     
    Is there a straightforward howto to get the controller working with captive portal from CPPM?!
     
    Thanks in advance


  • 24.  RE: clearpass guest with captive portal

    Posted Oct 02, 2014 07:29 AM

    Sorry for the double post, but even with only one interface it is not working. I get an HTTP 404 and after that a redirection to the ClearPass admin interface is shown. :(



  • 25.  RE: clearpass guest with captive portal

    EMPLOYEE
    Posted Oct 03, 2014 01:42 AM

    You need to double check the redirect access. If you are using http instead of https you need to make sure you checkmark in both CPPM and the controller to use http.



  • 26.  RE: clearpass guest with captive portal

    Posted Oct 06, 2014 02:10 PM
    I had to change from data + mgmt interface to mgmt only interface.

    Did not get it to work with radius, ntp, ad traffic on the mgmt and the captive portal on the data.



  • 27.  RE: clearpass guest with captive portal

    EMPLOYEE
    Posted Oct 06, 2014 02:14 PM


  • 28.  RE: clearpass guest with captive portal

    EMPLOYEE
    Posted Oct 06, 2014 02:20 PM

    As of 6.3 all features are available on all ports (radius, https, gui, etc.) except OnGuard and cluster sync. Most likely there was a routing issue.