Wireless Access

Reply
Occasional Contributor I

Clear Pass Redirect

Hi,

 

I am looking for additional troubleshooting steps to try and identifiy why clients on what appears to be random basis are not getting redirected to an internal website after a successful captive portal authentication. The client is approved in CPPM but is not acctualy provided access to the network.

 

The scenario is:

guest Aceess is sponsored

The sponsor approves access

the CPPM shows access is approved

The client web page refreshes and the client clicks the button to move forward

The client should then be redirected to an internal company web page (more than 90 percent of the time this works)

 - sometimes the client will not be redirected, and the client receives "the network you are trying to use may require a logon"

This happens from time to time on random IOS, Android, Mac OS and Windows machines.

 

I have checked the cretificates, they are in good order.

 

Can someone provide possible next steps?

Aruba Employee

Re: Clear Pass Redirect


@Airbud wrote:

Hi,

 

I am looking for additional troubleshooting steps to try and identifiy why clients on what appears to be random basis are not getting redirected to an internal website after a successful captive portal authentication. The client is approved in CPPM but is not acctualy provided access to the network.

 

The scenario is:

guest Aceess is sponsored

The sponsor approves access

the CPPM shows access is approved

The client web page refreshes and the client clicks the button to move forward

The client should then be redirected to an internal company web page (more than 90 percent of the time this works)

 - sometimes the client will not be redirected, and the client receives "the network you are trying to use may require a logon"

This happens from time to time on random IOS, Android, Mac OS and Windows machines.

 

I have checked the cretificates, they are in good order.

 

Can someone provide possible next steps?


When this problem occurs, if the user tries to access another website are they redirected back to ClearPass to authenticate?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Clear Pass Redirect

Charlie,

 

when the user attempts to navigate away to another page they are redirected to the CPPM Portal page for Authentication.

Aruba Employee

Re: Clear Pass Redirect


@Airbud wrote:

when the user attempts to navigate away to another page they are redirected to the CPPM Portal page for Authentication.


Okay, that confirms the user is not moved from the pre-auth role to the authenticated role.

 

What version of AOS is running on the controller? What version of ClearPass is running? Does ClearPass show an successful authentication to the controller via AccessTracker?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Clear Pass Redirect

So i never see the client service indicating that the user has been Accpeted.

 

The CPPM is version 6.6.3.89660

and the Controller version is 6.5.1.9

Aruba Employee

Re: Clear Pass Redirect


@Airbud wrote:

So i never see the client service indicating that the user has been Accpeted.

 

The CPPM is version 6.6.3.89660

and the Controller version is 6.5.1.9


Do you see the user being rejected?


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Clear Pass Redirect

No I acctualy dont see a reference to the service at all.

Aruba Employee

Re: Clear Pass Redirect


@Airbud wrote:

No I acctualy dont see a reference to the service at all.


It sounds as though the controller is not triggered to authenticate the user.

 

You can use the command "show aaa authentication-server radius statistics" to watch the controller's attempts to authenticate guests via Radius. Since there's no accept/reject in ClearPass, it would show up on the controller as a timeout if the ClearPass portal page is getting the client to trigger the authentication attempt successfully.

 

Otherwise, you may need to turn on debugging to watch the client device's authentication attempts. It could be that they are hitting an idle timeout while waiting for the sponsor to approve access, or the device could be deciding to disconnect from the open SSID due to going to sleep, lack of Internet connectivity detected, or some other behavior. To enable the authentication debugging on the controller, enter the configuration terminal and apply the following config changes:

 

"logging level debugging security process authmgr"

"logging level debugging security subcat aaa"

 

When you notice the issue occur, "show log system 50" should give more insight into what went on.


Charlie Clemmer
Aruba Customer Engineering
Occasional Contributor I

Re: Clear Pass Redirect

Thanks for the help Charlie.

 

I will update this post when more information is gathered. 

Guru Elite

Re: Clear Pass Redirect

Post auth redirection cannot be guaranteed.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: