Contributor II
Posts: 51
Registered: ‎04-13-2009

clearpass guest with captive portal

I have configured my Aruba controller (6.1.3.0) guest WLAN to be redirected to my ClearPass (6.0.2) server for captive portal.  I can connect to the guest SSID (CPGuest) - the icon in the toolbar shows that it is connected with Internet access - and I can ping the Internet and the ClearPass server, but when I open a webpage it times out.  The webpage says that it is waiting for a response from the CPPM server (172.20.1.253).

 

When I test the web login page on the ClearPass guest server web login configuration page it works fine.  And I have been through a few of the scant documents I could find with configuration examples, including a video I found that shows how to configure IAP to redirect to ClearPass for guest authentication.  Unfortunately I have not found anything similar that shows the configuration for campus (controller-based) APs.

 

Both the controller and the management port for the CPPM (VM) are on VLAN 1 (172.20.0.0/16), which is also my employee VLAN, and the guest network is on VLAN2 (192.168.200.0/24).  I can ping the CPPM server (172.20.1.253) from the guest client and I can ping the guest VLAN interface (192.168.200.1) from the CPPM server.  But I can't get the ClearPass server to display a captive portal/login page for guests.

 

I have the guest captive portal working on the controller, but I want to move it to the ClearPass server.  Any suggestions or references to documentation would be greatly appreciated.

 

Regards,
DAK
Aruba Employee
Posts: 37
Registered: ‎11-04-2011

Re: clearpass guest with captive portal

Here are some things to check:

Are you using only one network interface on the CPPM?

Have you double checked your controller user role to make sure that they are loading the correct captive portal profile?

Does that user role have an ACL that allows http and https access to your ClearPass Guest?

Is the redirect URL the same one that you see when you test the login page in ClearPass Guest?

Aruba
Posts: 1,641
Registered: ‎04-13-2009

Re: clearpass guest with captive portal

Please run the following for the role your client is in:

 

show rights <nameofrole>

 

Also, please show the following for the Captive Portal profile listed above:

 

show aaa authentication captive-portal <nameofcaptiveportalprofile>

 

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor II
Posts: 51
Registered: ‎04-13-2009

Re: clearpass guest with captive portal

Thank you for your response.  I have been through the configuration on my controller and my CPPM server many times.  The browser looks like it is getting redirected to the CPPM server address, but I am not getting any messages in my access tracker, so I have no leads to go on.  Below are my responses to your suggestions:

 

Are you using only one network interface on the CPPM? Yes, one interface (mgt.)

Have you double checked your controller user role to make sure that they are loading the correct captive portal profile? Yes, my CPGuest_logon role, which is the initial role in my AAA profile (CPGuest_aaa_prof), calls my CPGuest_cp captive portal role.

Does that user role have an ACL that allows http and https access to your ClearPass Guest?  Yes, I have tried allowing http and https access from user to the clearpass server IP, and from the guest subnet to the clearpass server IP.

Is the redirect URL the same one that you see when you test the login page in ClearPass Guest?  Yes, I have copied and pasted it from the clearpass test page to the controller verbatim.

 

In the AAA profile that sets the initial role (CPGuest_aaa_prof), I have both the 802.1X Authentication Server Group and Accounting Server Group set to the ClearPass server.  And I have "Guest login" selected in the L3 Authentication - Captive Portal Authentication Profile that I am using.

Regards,
DAK
Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: clearpass guest with captive portal

[ Edited ]

Are you using http or https? CPPM IP address or FQDN?

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II
Posts: 51
Registered: ‎04-13-2009

Re: clearpass guest with captive portal

In my CP Auth Profile I am using https://172.20.1.253/guest/guest_logon.php.

Regards,
DAK
Contributor II
Posts: 51
Registered: ‎04-13-2009

Re: clearpass guest with captive portal

See below:

 

(CNI_A620) #show rights CPGuest-logon

 

Derived Role = 'CPGuest-logon'

 Up BW contract = Guest_BW_Contract (5000000 bits/sec)   Down BW contract = Guest_BW_Contract (5000000 bits/sec) 

 L2TP Pool = default-l2tp-pool

 PPTP Pool = default-pptp-pool

 Periodic reauthentication: Disabled

 ACL Number = 58/0

 Max Sessions = 65535

 

 Captive Portal profile = CPGuest_cp

 

access-list List

----------------

Position  Name           Location

--------  ----           --------

1         CPG-web-ACL   

2         logon-control 

3         captiveportal 

 

CPG-web-ACL

-----------

Priority  Source                       Destination   Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6

--------  ------                       -----------   -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------

1         192.168.200.0 255.255.255.0  172.20.1.253  svc-https  permit                           Low                                                           4

2         192.168.200.0 255.255.255.0  172.20.1.253  svc-http   permit                           Low                                                           4

logon-control

-------------

Priority  Source  Destination  Service   Action  TimeRange      Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6

--------  ------  -----------  -------   ------  ---------      ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------

1         user    any          udp 68    deny    Working_Hours                Low                                                           4

2         any     any          svc-icmp  permit  Working_Hours                Low                                                           4

3         any     any          svc-dns   permit  Working_Hours                Low                                                           4

4         any     any          svc-dhcp  permit  Working_Hours                Low                                                           4

5         any     any          svc-natt  permit  Working_Hours                Low                                                           4

captiveportal

-------------

Priority  Source  Destination   Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6

--------  ------  -----------   -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------

1         user    172.20.1.253  any              permit                                 Low                                                           4

2         user    172.20.1.253  svc-http         permit                                 Low                                                           4

3         user    172.20.1.253  svc-https        permit                                 Low                                                           4

4         user    any           svc-http         dst-nat 8080                           Low                                                           4

5         user    any           svc-https        dst-nat 8081                           Low                                                           4

6         user    any           svc-http-proxy1  dst-nat 8088                           Low                                                           4

7         user    any           svc-http-proxy2  dst-nat 8088                           Low                                                           4

8         user    any           svc-http-proxy3  dst-nat 8088                           Low                                                           4

 

Expired Policies (due to time constraints) = 0

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

(CNI_A620) #show aaa authentication captive-portal CPGuest_cp

 

Captive Portal Authentication Profile "CPGuest_cp"

--------------------------------------------------

Parameter                                     Value

---------                                     -----

Default Role                                  CPGuest-logon

Default Guest Role                            guest

Server Group                                  Clearpass

Redirect Pause                                2 sec

User Login                                    Disabled

Guest Login                                   Enabled

Logout popup window                           Disabled

Use HTTP for authentication                   Disabled

Logon wait minimum wait                       5 sec

Logon wait maximum wait                       10 sec

logon wait CPU utilization threshold          60 %

Show FQDN                                     Disabled

Use CHAP (non-standard)                       Disabled

Login page                                    https://172.20.1.253/guest/guest_logon.php

Welcome page                                  http://www.corpnetworking.com

Show Welcome Page                             Yes

Add switch IP address in the redirection URL  Disabled

Allow only one active user session            Disabled

White List                                    N/A

Black List                                    N/A

Show the acceptable use policy page           Disabled

 

(CNI_A620) #

Regards,
DAK
Aruba Employee
Posts: 37
Registered: ‎11-04-2011

Re: clearpass guest with captive portal

To rule out any browser/certificate issues, can you try changing the redirect to http in the captive portal profile and disable "require https for guest access" inside of Guest under Configuration->Authentication?

Aruba
Posts: 1,641
Registered: ‎04-13-2009

Re: clearpass guest with captive portal

[ Edited ]

EDIT:

 

Looks like you have this in your captive portal ACL listed below the CPG-web-ACL.....so please disregard.

 

Please try to change the source of your CPG-web-ACL to "user" rather than 192.168.200.0 255.255.255.0

 

Also, try and enable HTTP authentication in the CP profile and in your guest logon page to rule out certificate/OCSP issues.

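A quick way to apply the checks raised in this thread (the earlier checklist, the ACL-source suggestion above, and Troy's http/https and IP-vs-FQDN question) against the dumps DAK pasted, as an added example that is not from the thread or from Aruba/ClearPass: it parses constructed samples shaped like the `show rights` and captive-portal profile output and reports whether the role permits the service the Login page URL needs, from which source, and whether the redirect is https to an IP literal.

```python
"""Added check (not Aruba/ClearPass code): parse pasted 'show rights' and
'show aaa authentication captive-portal' text and confirm the role's ACLs
permit the service that the profile's Login page URL needs."""
import re
from urllib.parse import urlparse
# Constructed samples, abridged to the shape of the output in the thread.
SHOW_RIGHTS = """Derived Role = 'CPGuest-logon'
 Captive Portal profile = CPGuest_cp
Priority  Source                       Destination   Service    Action
1         192.168.200.0 255.255.255.0  172.20.1.253  svc-https  permit  Low  4
1         user    172.20.1.253  any        permit        Low  4
4         user    any           svc-http   dst-nat 8080  Low  4
"""
SHOW_PROFILE = """Captive Portal Authentication Profile "CPGuest_cp"
Login page                                    https://172.20.1.253/guest/guest_logon.php
"""
IPV4 = re.compile(r"^\d+\.\d+\.\d+\.\d+$")

def parse_rules(text):
    """Return (src, dst, svc, action) dicts for every numbered ACL row."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or not t[0].isdigit():       # headers, ACL names, short rows
            continue
        src, i = t[1], 2
        if IPV4.match(src) and IPV4.match(t[2]):   # "network mask" source
            src, i = f"{src} {t[2]}", 3
        dst, svc, i = t[i], t[i + 1], i + 2
        if i < len(t) and t[i].isdigit():          # two-token service, e.g. "udp 68"
            svc, i = f"{svc} {t[i]}", i + 1
        rules.append({"src": src, "dst": dst, "svc": svc, "action": t[i] if i < len(t) else ""})
    return rules

def profile_value(text, key):
    """Value column of one Parameter row of the profile dump, or None."""
    for line in text.splitlines():
        if line.startswith(key):
            return line[len(key):].strip()
    return None

def check_redirect(rights_text, profile_text):
    """Findings: is the Login page reachable under this role, and with which source?"""
    url = urlparse(profile_value(profile_text, "Login page"))
    host, need = url.hostname, "svc-https" if url.scheme == "https" else "svc-http"
    permits = [r for r in parse_rules(rights_text) if r["action"] == "permit"
               and r["dst"] in (host, "any") and r["svc"] in (need, "any")]
    srcs = sorted({r["src"] for r in permits})
    return {"login_host": host, "needed_service": need, "permitted": bool(permits),
            "permit_sources": srcs,
            "subnet_scoped_only": bool(permits) and "user" not in srcs,   # SE's point
            "https_to_ip_literal": url.scheme == "https" and bool(IPV4.match(host or ""))}
```

Paste the real `show rights` and profile output into the two strings to run it against a live configuration; a `permitted` of False or `subnet_scoped_only` of True points back at the ACL, and `https_to_ip_literal` True is the certificate situation Troy describes.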

Aruba
Posts: 1,537
Registered: ‎06-12-2012

Re: clearpass guest with captive portal

Can you ping CPPM when you are connected to the guest role, or just browse to https://172.20.1.253/tips? You will most likely run into issues if you are using IP vs FQDN with https. I would recommend turning off https on the controller and CPPM.

Make sure you have https disabled in the CPGuest under "Home » Configuration » Authentication"

[image: httpsguest1.png]

In the guest page disable NAS https "Home » Configuration » Guest Self-Registration"

[image: httpsguest2.png]

and in the controller

[image: controllerhttps.png]

Thank You,
Troy