Security


clearpass redirection time out

I've set up an external captive portal redirect to a web logon page using https://ase.arubanetworks.com/solutions/id/3

 

I imported the settings just fine, and DHCP and DNS both work. But when the redirect kicks in, it returns a message stating that ClearPass took too long to reply, and it times out.

 

Ideas?


Re: clearpass redirection time out

Guys, here is the config I created: 

 

#Create SSID profile
#opmode opensystem makes this an open SSID with no link-layer encryption, so guest traffic is protected only by whatever the application uses (e.g. HTTPS to the login page).

wlan ssid-profile "tpl-Mountcom_guest_access"

  essid "Mountcom_guest_access"

  opmode opensystem

  exit

 

#Define the RADIUS server at 10.17.2.30; the server group that references it is used by the captive-portal profile further down.
#NOTE(review): the shared secret below is a short, guessable string and is now published in this post. Treat it as disclosed: replace it with a long random secret on both the controller and the server.

aaa authentication-server radius "tpl-Mountcom_guest_access"

  host "10.17.2.30"

  key "aruba123"

  !

 

#Register 10.17.2.30 as an RFC 3576 (RADIUS dynamic authorization) server, so it can send change-of-authorization and disconnect requests to the controller.
#NOTE(review): this key authenticates those requests and is the same published string as the RADIUS secret; it needs the same strength and should be rotated with it.

aaa rfc-3576-server "10.17.2.30"

  key "aruba123"

  !

 

#Server group with the single RADIUS server defined above; there is no second server to fall back to.

aaa server-group "tpl-Mountcom_guest_access"

  auth-server "tpl-Mountcom_guest_access"

  !

 

#First part of the AAA profile: send RADIUS accounting to the server group and accept RFC 3576 requests from 10.17.2.30. The initial role and MAC authentication settings are added to this same profile later in the config.

aaa profile "tpl-Mountcom_guest_access"

  radius-accounting "tpl-Mountcom_guest_access"

  rfc-3576-server "10.17.2.30"

  !

 

#Create an ACL that allows the unauthenticated guest to reach the external captive portal page.
#The alias holds one host, 10.17.2.30, the same address used for the RADIUS server and the login-page URL.

netdestination "tpl-Mountcom_guest_access-allow-external-captive-portal"

  no invert

  host 10.17.2.30

  exit

 

#Permit HTTP and HTTPS from the guest to the portal host alias before authentication.
#NOTE(review): this opens every HTTP/HTTPS service on 10.17.2.30 to unauthenticated guests, not only the guest login page. Confirm that the server's administrative web interface is not reachable from the guest network on this address.

ip access-list session "tpl-Mountcom_guest_access-allow-external-captive-portal"

  user alias "tpl-Mountcom_guest_access-allow-external-captive-portal" svc-http  permit

  user alias "tpl-Mountcom_guest_access-allow-external-captive-portal" svc-https  permit

  exit

 

#BEGIN - Create ACLs for the unauthenticated guest before they log in on the captive portal.  These provide basic network access and cause the captive portal redirect.
#HTTPS from the user to the controller alias is destination-NATed to port 8081 (presumably the controller's captive-portal HTTPS listener - confirm). This ACL is attached to the post-authentication role below.

ip access-list session "tpl-Mountcom_guest_access-cplogout"

  user   alias controller svc-https  dst-nat 8081

  exit

 

#Allow basic network access such as DNS and DHCP but deny the user from acting as a DHCP server.
#The two deny rules come first: they stop a client from sourcing DHCP server replies (udp 68) and IPv6 router advertisements.
#NOTE(review): the permits that follow are "any any". DNS and NAT-T (IPsec NAT traversal) to arbitrary destinations are therefore allowed before login, which lets tunnelled traffic pass without portal authentication. Consider restricting DNS to the resolvers handed out by DHCP and dropping svc-natt from the pre-authentication role.
#NOTE(review): this ACL is also attached to the post-authentication role ahead of the internal-network block ACL, so these services are permitted toward internal addresses as well.

ip access-list session "tpl-Mountcom_guest_access-logon-control"

  user any udp 68 deny

  ipv6 user any icmpv6 rtr-adv deny

  any any svc-icmp permit

  any any svc-dns permit

  any any svc-dhcp permit

  any any svc-natt permit

  exit

 

#Redirect ACL: destination-NAT the guest's web traffic to local ports so the captive portal can answer it. HTTP goes to 8080, HTTPS to 8081, and the three proxy services to 8088.
#NOTE(review): intercepting HTTPS this way means the client sees the portal's certificate instead of the site it asked for, so browsers show a certificate error on HTTPS destinations until the guest logs in.

ip access-list session "tpl-Mountcom_guest_access-captiveportal"

  user alias controller svc-https dst-nat 8081

  user any svc-http dst-nat 8080

  user any svc-https dst-nat 8081

  user any svc-http-proxy1 dst-nat 8088

  user any svc-http-proxy2 dst-nat 8088

  user any svc-http-proxy3 dst-nat 8088

  exit

#END - Create ACLs for the client before they log in on the captive portal.  These provide basic network access and cause the captive portal redirect.

 

#Create a logon user role with the ACL restrictions.
#Order matters: session ACLs in a role are applied in the order listed. The permit to the portal host comes first, so traffic to 10.17.2.30 is allowed as-is rather than being caught by the dst-nat rules in the captiveportal ACL.

user-role "tpl-Mountcom_guest_access-logon"

  access-list session "tpl-Mountcom_guest_access-allow-external-captive-portal"

  access-list session "tpl-Mountcom_guest_access-logon-control"

  access-list session "tpl-Mountcom_guest_access-captiveportal"

  exit

 

#BEGIN - Create ACLs to restrict authenticated guest user from accessing internal networks.  Only allow HTTP/HTTPS access to public sites.
#The alias lists the three RFC 1918 private IPv4 ranges. The guest subnet (10.230.0.0/22) and the portal host (10.17.2.30) both fall inside 10.0.0.0/8.
#NOTE(review): only IPv4 private space is listed; any internal IPv6 or publicly addressed internal networks would need their own entries.

netdestination "tpl-Mountcom_guest_access-internal-net"

  network 10.0.0.0 255.0.0.0

  network 172.16.0.0 255.240.0.0

  network 192.168.0.0 255.255.0.0

  exit

 

#Deny all traffic from the guest to the internal-network alias. It only takes effect for traffic that no earlier ACL in the role has already permitted.

ip access-list session "tpl-Mountcom_guest_access-block"

  user alias "tpl-Mountcom_guest_access-internal-net" any deny

  exit

 

#Permit HTTP and HTTPS to any destination. In the post-authentication role this sits after the internal-network block ACL, so web access is effectively limited to non-internal addresses.

ip access-list session "tpl-Mountcom_guest_access-authenticated"

  any any svc-http permit

  any any svc-https permit

  exit

 

#Final catch-all: deny and log any guest traffic that none of the earlier ACLs in the role matched.

ip access-list session "tpl-Mountcom_guest_access-drop-all"

  user any any deny log

  exit

#END - Create ACLs to restrict authenticated guest user from accessing internal networks.  Only allow HTTP/HTTPS access to public sites.

 

#Create a post authenticated user role that has limited network access.
#ACLs are applied in the order listed: cplogout, logon-control, block, authenticated, drop-all.
#NOTE(review): logon-control permits ICMP, DNS, DHCP and NAT-T to any destination and is listed before the block ACL, so those services toward internal (RFC 1918) addresses are not stopped by the block. Moving the block ACL ahead of logon-control, with explicit permits for the required DHCP/DNS servers, would close that gap.

user-role "tpl-Mountcom_guest_access"

  access-list session "tpl-Mountcom_guest_access-cplogout"

  access-list session "tpl-Mountcom_guest_access-logon-control"

  access-list session "tpl-Mountcom_guest_access-block"

  access-list session "tpl-Mountcom_guest_access-authenticated"

  access-list session "tpl-Mountcom_guest_access-drop-all"

  exit

 

#Captive-portal profile: send the guest to the external login page on 10.17.2.30, authenticate against the RADIUS server group, and place the guest in the post-authentication role on success.
#NOTE(review): the login page is addressed by IP literal over HTTPS. Unless the server certificate is valid for that address, guests get a certificate warning on the login page; a hostname that matches the certificate avoids training users to click through it.

aaa authentication captive-portal "tpl-Mountcom_guest_access"

  login-page "https://10.17.2.30/guest/weblogin.php/3?_browser=1"

  welcome-page "/auth/welcome.html"

  no guest-logon

  no logout-popup-window

  redirect-pause 3

  server-group "tpl-Mountcom_guest_access"

  default-role "tpl-Mountcom_guest_access"

  exit

 

#MAC authentication profile with no settings changed from the defaults; it is referenced by the AAA profile below.

aaa authentication mac "tpl-Mountcom_guest_access"

  exit

 

#Attach the captive portal profile to the logon user role
#Only the logon role carries the captive-portal profile; the post-authentication role does not.

user-role "tpl-Mountcom_guest_access-logon"

  captive-portal "tpl-Mountcom_guest_access"

  exit

 

aaa profile "tpl-Mountcom_guest_access"

#Set the initial user role to the logon user role that enabled captive portal.

  initial-role "tpl-Mountcom_guest_access-logon"

#Apply the MAC authentication profile to support MAC caching.  Successfully authenticated MAC addresses will bypass the captive portal login and get immediate access.
#NOTE(review): a MAC address is the only credential in this path and it is visible in clear on an open SSID, so any device presenting a cached address receives the post-authentication role. Keep the cache lifetime on the authentication server short.

  authentication-mac "tpl-Mountcom_guest_access"

  mac-server-group "tpl-Mountcom_guest_access"

  mac-default-role "tpl-Mountcom_guest_access"

  exit

 

#Create VLAN and VLAN Properties.
#VLAN 230 is the guest VLAN; the virtual AP below places clients in it.

vlan 230

 

#Layer-3 interface for the guest VLAN; 10.230.0.31 is also handed out as the guests' default router by the DHCP pool.

interface vlan 230

  ip address 10.230.0.31 255.255.252.0

#DHCP Helper is used for Policy Manager "Profile" feature
#Guest DHCP requests are relayed to 10.17.2.30 in addition to being served by the local pool.

  ip helper-address "10.17.2.30"

  exit

 

#Create DHCP Pool
#Guests receive addresses from 10.230.0.0/22 and public resolvers (8.8.8.8, 8.8.4.4), so guest name resolution does not depend on internal DNS servers.

ip dhcp pool "tpl-Mountcom_guest_access"

  default-router 10.230.0.31

  dns-server 8.8.8.8 8.8.4.4

  network 10.230.0.0 255.255.252.0

  domain-name Mountcom.com

  exit

 

#Enable DHCP service
#Turns on the controller's DHCP server so the pool defined above is served.

service dhcp

 

#Virtual AP that ties the AAA profile, the open SSID profile and guest VLAN 230 together.

wlan virtual-ap "tpl-Mountcom_guest_access"

  aaa-profile "tpl-Mountcom_guest_access"

  ssid-profile "tpl-Mountcom_guest_access"

  vlan 230

  exit

 

#Broadcast the guest virtual AP from the APs in this group only.

ap-group "FirstFL_Basement"

  virtual-ap "tpl-Mountcom_guest_access"

  exit

 

#Leave configuration mode.
end

Aruba

Re: clearpass redirection time out

The address should end with .php. Is there a reason why you have the rest? Also, for testing it's best to disable HTTPS on both the controller and ClearPass. Make sure you also remove it from the redirect address. Re-enable HTTPS once the redirect works, since the SSID is open.

 

 

 

#Quoted from the configuration posted earlier in the thread; the login-page line is the address the reply refers to.

aaa authentication captive-portal "tpl-Mountcom_guest_access"

  login-page "https://10.17.2.30/guest/weblogin.php/3?_browser=1"

  welcome-page "/auth/welcome.html"

  no guest-logon

  no logout-popup-window

  redirect-pause 3

  server-group "tpl-Mountcom_guest_access"

  default-role "tpl-Mountcom_guest_access"

  exit

 

 

Screen Shot 2014-12-09 at 6.53.18 PM.png

 

Screen Shot 2014-12-09 at 6.53.47 PM.png

 

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.