Occasional Contributor I

5760 controller with 3.7 code, not getting redirect page from Clear pass

I am trying to configure the 5760 controller to redirect to the ClearPass web page for auth, but some config is getting messed up and I am not getting the page.

Does anyone have the complete config for the 5760? Do we need a parameter map on the 5760?

 

Thanks

 

Guru Elite

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

We need more details.  What are you trying to do and what have you tried to make it work?



Colin Joseph
Aruba Customer Engineering


Occasional Contributor I

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

hi colin,

 

attached the configs,

 

I am always getting the web-auth page from the controller and not from ClearPass.

MAC auth is working fine. But when MAC auth fails, I am supposed to get the page from ClearPass, which I am not getting; instead I am getting it from the controller.

 

New Contributor

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

Hi, I'm working here with Selvaraj,

 

The CPPM is at version 6.4.4.7

 

Error Code: 206
Error Category: Authentication failure
Error Message: Access denied by policy
Alerts for this Request:
Policy server: Failed to construct filter=SELECT user_id as guest_device_user FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard') AND (enabled = 't') AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP))).
Failed to get value for attributes=[UserName]
RADIUS: EDR-MAC-CHECK - 9.0.44.149: User not found.
[Endpoints Repository] - localhost: User not found.
Applied 'Reject' profile

 

We're seeing it reject the MAC-CHECK and expect to see it redirect to the web server.

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

If you have MAC caching enabled, this is normal behavior.

Initially the MAC auth will fail when the MAC address of the device is unknown to ClearPass, and then it will be redirected to the captive portal.

 

On the Cisco Controller you need to do the following:

- Layer 2 needs to be Mac auth Filtering

- Layer 3 enabled Web policy Authentication 

  - Enabled ACL override 

  - Assign the Preauth ACL

  - Type the URL redirect of guest captive portal page (https://<clearpassserver>/guest/<pagename>.php)

 

ClearPass you need the following:

- Create two services from the template : Guest Mac Auth

- Also Set the reject packet delay to "0" 


 

 

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

Ok. I think I got nailed with Cisco TAC. Here is the URL I got from the Cisco engineer.

 

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/116877-technote-wlan-00.html#anc16

 

He helped me to get this working to some level. I am still trying for the full working config of MAC-filter + web-auth. So once I have this I will send the full template here.

Occasional Contributor I

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass


aaa new-model
aaa session-id common
!
aaa authentication login default group tacacs+ local
!
aaa authentication login LOG-AUTH group ClearPass-RADIUS
aaa authorization network NET-AUTH group ClearPass-RADIUS
aaa authorization network LOG-AUTH group ClearPass-RADIUS

!
!
!
!
!
!
!
radius server Clearpass1
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 passwd
!
radius server Clearpass2
 address ipv4 x.x.x.x auth-port 1812 acct-port 1813
 key 7 passwd
!
!

!
aaa group server radius ClearPass-RADIUS
 server name Clearpass1
 server name Clearpass2
 subscriber mac-filtering security-mode mac
!
!
!
!
!

!
!

 

wlan SSID-LAB 23 SSID-LAB
 band-select
 client vlan default-non-usable
 no exclusionlist
 ip access-group web ACL-REDIRECT
 mac-filtering NET-AUTH
 peer-blocking drop
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security ft over-the-ds
 security web-auth
 security web-auth authentication-list LOG-AUTH
 security web-auth on-macfilter-failure
 security web-auth parameter-map LOG-Redirect
 session-timeout 1800
 no shutdown

 


parameter-map type webauth global
 virtual-ip ipv4 172.16.253.253
 max-http-conns 200

parameter-map type webauth LOG-Redirect
 type webauth
 redirect for-login https://<Clear pass IP>/guest/cisco.php
 redirect portal ipv4 <Clear pass IP>

 


ip access-list extended ACL-REDIRECT
 permit udp any eq bootps any
 permit udp any any eq bootpc
 permit udp any eq bootpc any
 permit udp any any eq domain
 permit udp any eq domain any
 permit ip any host <Clear pass IP>
 permit ip host <Clear pass IP> any

 

 

This is the config I am using. Unfortunately, I get the web page from ClearPass and the pre-auth works from ClearPass, but the web-auth is not going to ClearPass and is looping back and forth on the virtual IP in the 5760. Since the web-auth is timing out from ClearPass, it is not successful and loops back to authentication.
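An added example, not part of the original post or of any Cisco or Aruba tooling: a small Python check that the names the WLAN block refers to (login list, MAC-filter list, parameter-map, pre-auth ACL) are defined, and that the pre-auth ACL permits traffic to and from the portal host in the redirect URL. The function names are hypothetical, 192.0.2.10 is a placeholder for the ClearPass address, and the redirect URL is assumed to use an IP literal as in the post.

```python
import re

# Constructed sample from the posted config; 192.0.2.10 stands in for <Clear pass IP>.
CONFIG = """\
aaa authentication login LOG-AUTH group ClearPass-RADIUS
aaa authorization network NET-AUTH group ClearPass-RADIUS
wlan SSID-LAB 23 SSID-LAB
 ip access-group web ACL-REDIRECT
 mac-filtering NET-AUTH
 security web-auth authentication-list LOG-AUTH
 security web-auth parameter-map LOG-Redirect
parameter-map type webauth LOG-Redirect
 redirect for-login https://192.0.2.10/guest/cisco.php
 redirect portal ipv4 192.0.2.10
ip access-list extended ACL-REDIRECT
 permit ip any host 192.0.2.10
 permit ip host 192.0.2.10 any
"""

def sections(text):  # map each top-level line to the indented lines under it
    out, head = {}, None
    # Blank lines and bare "!" separators carry no configuration.
    for line in (l for l in text.splitlines() if l.strip(" !")):
        if not line.startswith(" "):
            head = line.strip()
            out[head] = []
        elif head is not None:
            out[head].append(line.strip())
    return out

def check_wlan(text, profile):
    """Return the broken cross-references for one web-auth WLAN profile."""
    sec = sections(text)
    body = next((b for h, b in sec.items() if h.startswith(f"wlan {profile} ")), [])
    ref = lambda p: next((l[len(p):] for l in body if l.startswith(p)), None)
    has = lambda p: any((h + " ").startswith(p + " ") for h in sec)
    login, macf = ref("security web-auth authentication-list "), ref("mac-filtering ")
    pmap, acl = ref("security web-auth parameter-map "), ref("ip access-group web ")
    pm = sec.get(f"parameter-map type webauth {pmap}", [])
    rules = sec.get(f"ip access-list extended {acl}", [])
    host = next(iter(re.findall(r"redirect for-login https?://([^/:\s]+)", "\n".join(pm))), None)
    checks = [
        (has(f"aaa authentication login {login}"), f"login list {login} is not defined"),
        (has(f"aaa authorization network {macf}"), f"MAC-filter list {macf} is not defined"),
        (host is not None, f"parameter-map {pmap} has no redirect for-login URL"),
        (f"redirect portal ipv4 {host}" in pm, f"redirect portal ipv4 is not {host}"),
    ] + [(any(r.startswith("permit") and r.endswith(w) for r in rules),
          f"{acl} has no permit for '{w}'") for w in (f"any host {host}", f"host {host} any")]
    return [msg for ok, msg in checks if not ok]
```

An empty list means every reference resolves; it does not by itself show that the controller and ClearPass complete the web-auth exchange.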

New Contributor

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

I am also facing the same issue. Did you get this fixed?

 

Regards

Nikhil

Occasional Contributor I

Re: 5760 controller with 3.7 code, not getting redirect page from Clear pass

No,

 

I switched to a Cisco ISE box, and all worked for me. I was not able to test any further with ClearPass.

Sorry about it.
