All,
I'm working through a configuration in my lab with a MAS S3500 running 7.3.2.2 and Clearpass. I'm trying to put together one of those configs that has everything working - it makes it easier to copy and paste when I'm with a customer. I should have gotten around to this a while ago, but better late than never!
I have been able to get 802.1x, Mac auth, and 802.1x + Mac auth working without too much of an issue. The problem that I'm running into really seems basic, but I'm currently at a loss.
The problem occurs when I'm placed in the captive portal role and attempt to go to the Clearpass Guest page. I've tried it on three different browsers and they all hang. I can manually enter the URL from the login page and it works without issue, exactly what I expect. It "feels" like the problem on the ArubaOS side when you don't have an ACL specifically for Clearpass in your Captive Portal role. On the MAS side, you'll see below that there is a netdestination that allows traffic to my CPPM server.
I have the following user role in the MAS config:
user-role ToP-CPPM-Guest-CP
vlan 18
captive-portal "ToP-CPPM-Portal"
!
Here's the captive portal config:
aaa authentication captive-portal "ToP-CPPM-Portal"
default-role "authenticated"
server-group "Clearpass"
protocol-http
login-page "http://192.168.102.253/guest/guest_register_login.php"
!
Here's the AAA config:
aaa profile "ToP-Guest-AAA-Profile"
initial-role "ToP-CPPM-Guest-CP"
authentication-mac "ToP-Mac-Auth"
mac-default-role "authenticated"
mac-server-group "Clearpass"
radius-accounting "Clearpass"
radius-interim-accounting
enforce-dhcp
!
Here's the port configuration:
!
interface gigabitethernet "0/0/38"
mstp-profile "ToP-BPDU-Guard"
lldp-profile "lldp-factory-initial"
poe-profile "poe-factory-initial"
aaa-profile "ToP-Guest-AAA-Profile"
description "Captive Portal with Caching port"
switching-profile "ToP-Access"
no trusted port
!
When I connect to port gig0/0/38, there's a MAC Auth / Caching error in Access Tracker, as expected, and then I'm placed in the correct role in the user-table:
192.168.18.10 40:6c:8f:36:de:44 40:6c:8f:36:de:44 ToP-CPPM-Guest-CP 00:00:15 No Wired 0/0/38 ToP-Guest-AAA-Profile 18 (18)
A view of the station table shows the following:
(ToP-S3500) #show station-table mac 40:6c:8f:36:de:44
Association Table
-----------------
BSSID IP Essid AP name Phy Age
--------------- ----------- ------- ------- --- ---
01:80:c2:00:00:03 0.0.0.0 N/A - b 00:00:16
A show rights on the role shows the correct settings:
(ToP-S3500) #show rights ToP-CPPM-Guest-CP
Derived Role = 'ToP-CPPM-Guest-CP'
Assigned VLAN = 18
Periodic reauthentication: Disabled
ACL Number = 39/0/40
Captive Portal profile = ToP-CPPM-Portal
access-list List
----------------
Position Name Type Location
-------- ---- ---- --------
1 ToP-CPPM-Portal stateless
ToP-CPPM-Portal
---------------
Priority Source Destination Service Action TimeRange Log Expired QoS Policer Blacklist Mirror IPv4 Nexthop
-------- ------ ----------- ------- ------ --------- --- ------- --- ------- --------- ------ ---- -------
1 user ToP-CPPM-Portal-allow-ip svc-http permit 4
2 any any svc-http dst-nat 8080 4
3 any any svc-https dst-nat 8081 4
4 any any svc-dns permit 4
5 any any svc-dhcp permit 4
Expired Policies (due to time constraints) = 0
(ToP-S3500) # show netdestination ToP-CPPM-Portal-allow-ip
ToP-CPPM-Portal-allow-ip
------------------------
Position Type IP addr Mask-Len/Range
-------- ---- ------- --------------
1 host 192.168.102.253 32
I'm just at a loss on this one. I feel like there's some knob that I'm missing and I'm sure it's going to be a eureka moment when it's pointed out.
Thanks for all of the help!
-Mike
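A quick way to reason about the stateless ACL shown in the "show rights" output above is to walk it in order for each flow the portal login needs. The script below is an added example, not part of the original post or an Aruba tool: it models first-match evaluation of the role's ACL (as constructed from the post's output) and reports which rule HTTP and HTTPS traffic from the user to the login-page host would hit, so you can see whether a redirect to HTTPS on the portal host would be permitted or caught by the dst-nat catch-all. The service-to-port mapping is an assumed ArubaOS default.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed from the 'show rights' / 'show netdestination' output in the post.
NETDESTS = {"ToP-CPPM-Portal-allow-ip": ["192.168.102.253/32"]}
# Assumed ArubaOS built-in service aliases (protocol, destination port).
SERVICES = {"svc-http": ("tcp", 80), "svc-https": ("tcp", 443),
            "svc-dns": ("udp", 53), "svc-dhcp": ("udp", 67)}
# (priority, source, destination, service, action) in evaluation order.
ACL = [
    (1, "user", "ToP-CPPM-Portal-allow-ip", "svc-http", "permit"),
    (2, "any", "any", "svc-http", "dst-nat 8080"),
    (3, "any", "any", "svc-https", "dst-nat 8081"),
    (4, "any", "any", "svc-dns", "permit"),
    (5, "any", "any", "svc-dhcp", "permit"),
]

def dest_matches(alias, ip):
    """True if the destination alias ('any' or a netdestination) covers ip."""
    if alias == "any":
        return True
    return any(ip_address(ip) in ip_network(n) for n in NETDESTS.get(alias, []))

def first_match(dst_ip, proto, port):
    """First matching rule for a flow sourced from the user, or None (implicit deny)."""
    for rule in ACL:
        _, src, dst, svc, action = rule
        if src not in ("user", "any"):          # flow originates from the station
            continue
        if SERVICES.get(svc) != (proto, port):  # service alias must match the flow
            continue
        if dest_matches(dst, dst_ip):
            return rule
    return None

def portal_reachability(login_page):
    """Action applied to HTTP and HTTPS from the user to the login-page host."""
    host = urlsplit(login_page).hostname
    report = {}
    for scheme, port in (("http", 80), ("https", 443)):
        rule = first_match(host, "tcp", port)
        report[scheme] = rule[4] if rule else "implicit deny"
    return report

if __name__ == "__main__":
    print(portal_reachability("http://192.168.102.253/guest/guest_register_login.php"))
    # {'http': 'permit', 'https': 'dst-nat 8081'}
```

With the ACL as posted, only port 80 to the CPPM host is permitted; any HTTPS to that same host falls through to rule 3 and is redirected to the switch's port 8081.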