redirect problem with radius auth

  • 1.  redirect problem with radius auth

    Posted May 25, 2012 02:59 AM

    Hello,

     

    We have Aruba ClearPass with a Nortel 2380 NAS. Aruba is connected to the management network and the LAN; the switch is also connected to the management network and the same LAN as Aruba. I have set up a web portal redirect from the switch to Aruba, and I have RADIUS configured.

    Redirecting clients to the Aruba portal is working fine, but RADIUS authentication is looping back to the Aruba portal and I don't see any log entries in the Aruba RADIUS debug log.

    When I try to test RADIUS authentication from the switch to Aruba, I see the authentication request coming from the switch LAN IP, but the switch is declaring its NAS-IP-Address as the management network IP. I also see this management network IP in the captive portal URL as portal_id=xx.xx.xx.xx. Why is that?

     

    captive portal URL: http://aruba.test.cc/confirmation.php?portal_ip=172.16.8.130&client_id=1c:65:9d:68:d3:d4&wbaredirect=http://www.google.com/

     

    Testing RADIUS from the switch to the RADIUS server:

    Aruba LAN IP 192.168.134.4

    Nortel 2830 switch LAN IP 192.168.134.3

    Nortel 2830 management IP: 172.16.8.130

     

    RADIUS debug log: http://dl.dropbox.com/u/41978197/radius_debug.txt

     

    Can someone please point me in the right direction?

     

    Thanks,

    Kristjan

       



  • 2.  RE: redirect problem with radius auth

    Posted May 25, 2012 08:59 AM

     

    Well, the controller uses its default IP for RADIUS communication, so this is the one you'll have to add as the RADIUS NAS device on ClearPass. It should say in the ClearPass RADIUS log that it rejects the login due to an unknown device, and you'll see the IP address of your controller.

     

    For the Aruba controller you have the option to say which IP or VLAN to use for RADIUS communication, but I never got that to work, so instead I changed the default controller IP to the one in the corresponding VLAN.
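
The mismatch described in the first two posts, as an added example that is not part of the thread: a RADIUS server selects the client entry and shared secret by the packet's source address, not by the NAS-IP-Address attribute (type 4) carried inside it. The addresses are the ones from the first post; the packet bytes and the `known_clients` sets are constructed, and which address was actually registered in ClearPass is an assumption.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4  # RFC 2865 attribute type
USER_NAME = 1

def build_access_request(identifier, attrs):
    """Constructed sample packet: Access-Request (code 1), zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", 1, identifier, 20 + len(body), bytes(16)) + body

def parse_attributes(packet):
    """Validate the 20-byte header, then walk the type/length/value attributes."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def classify(src_ip, packet, known_clients):
    """Compare the UDP source address with NAS-IP-Address and the client list."""
    values = parse_attributes(packet).get(NAS_IP_ADDRESS, [])
    nas_ip = str(ipaddress.IPv4Address(values[0])) if values and len(values[0]) == 4 else None
    return {
        "nas_ip_address": nas_ip,
        "nas_ip_matches_source": nas_ip == src_ip,
        "source_is_known_client": src_ip in known_clients,
    }

# Addresses from the first post; packet and client lists are constructed.
SWITCH_LAN_IP, SWITCH_MGMT_IP = "192.168.134.3", "172.16.8.130"
SAMPLE = build_access_request(7, [
    (USER_NAME, b"test"),
    (NAS_IP_ADDRESS, ipaddress.IPv4Address(SWITCH_MGMT_IP).packed),
])

if __name__ == "__main__":
    print(classify(SWITCH_LAN_IP, SAMPLE, {SWITCH_MGMT_IP}))  # source not registered
    print(classify(SWITCH_LAN_IP, SAMPLE, {SWITCH_LAN_IP}))   # source registered
```

With only the management IP registered, the request arriving from the LAN IP matches no client entry even though NAS-IP-Address names a registered address.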



  • 3.  RE: redirect problem with radius auth

    Posted Jun 01, 2012 01:27 PM

    Assuming you are using ClearPass Guest and not Policy Manager, what do you have configured in the weblogin page for Vendor Settings and Address? It sounds like the credentials being submitted in the captive portal form are not being posted back to the Nortel NAS.



  • 4.  RE: redirect problem with radius auth

    Posted Jun 05, 2012 08:03 AM

     

    Or the RADIUS server isn't configured to be the authentication server for the login role on the NAS, however that is handled on Nortel :)

    The reason is that you would see if the NAS tried to authenticate the user after the redirect, even if it's denied on the ClearPass RADIUS as an unknown RADIUS device.