Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Clearpass Captive Portal Loop

  • 1.  Clearpass Captive Portal Loop

    Posted Oct 17, 2017 01:30 PM

    I have Clearpass set up with a captive portal page that requires email verification from a sponsor. The users fill out the form, get accepted, log in, go to the "You are being logged into the network..." page, and are then routed back to the original registration page. If they try to navigate out of the captive portal page, it either goes right back to the captive portal page again or sometimes sends them to a page with an ERR_CERT_AUTHORITY_INVALID error.

     

    -Captive portal profile configured with

    https://clearpass.customer.com/guest/guest_register_IAP.php

    -They are connected to our DHCP and pulling an IP

    -DNS is public

    -NAS login address set to captiveportal-login.customer.com

    -I can see their active sessions in ClearPass

     

     

    I am fairly new to this system and wasn't the one who set it up, so if I am missing any pertinent information let me know. Reading through other threads and looking at the setup, I don't see any obvious settings that are incorrect. Can anyone point me in the direction of where this might be going wrong?



  • 2.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 01:34 PM

    Is there a valid certificate for the IAP-VC to use for captiveportal-login.customer.com?

     

    At this point it is getting redirected to the virtual controller for login.

     



  • 3.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 02:10 PM

    On the Policy Manager we have clearpass.customer.com for the RADIUS Server Certificate and we have 4 certificates under HTTPS server certificate that all show as valid. Two are labeled Intermediate CA and one Root CA.

     

    Thanks for the reply



  • 4.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 02:25 PM

    I assume you aren't getting any access tracker entries on Policy Manager?

     

    Also be sure to check the event log on Policy Manager in case of a shared secret mismatch for RADIUS.



  • 5.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 02:35 PM

    Yes, that is correct. The only access tracker entries I have seen so far are from me logging into it. Same thing with the Event Viewer: nothing other than me logging in as the admin and some auto cleanup stuff.



  • 6.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 03:00 PM

    Did you check the Instant configuration for certificates? 

     

    You mention captiveportal-login.customer.com for the NAS IP address. That lives on the Instant APs themselves and not Clearpass. 

     

    The default certificate that comes with the IAPs is securelogin.arubanetworks.com. This isn't trusted, so it is recommended to change it. However, I would recommend trying this address for troubleshooting, or even putting in the IAP Virtual IP instead.

     

     



  • 7.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 03:36 PM

    I just checked the certificates on the IAP VCs and they have 3 from Aruba, two of which have "securelogin.arubanetworks.com" under issuer. I tried adding that to the NAS address but the only thing that changed was that I went to the "Site not secure" splash page and had to click to proceed before getting routed to the captive portal page again. On AirWave I have a CustomerWildcard cert that says it is for Captive Portal but I don't see that on the VCs themselves. I'm guessing there's some simple issue with the certificates I'm missing? Should the certs showing on Clearpass match the ones on the IAPs?



  • 8.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 03:42 PM

    They do not need to be the same. I generally like to use a wildcard for all of them. captiveportal-login.customer.com is meant to be used with a wildcard certificate. Otherwise it would be the hostname of the IAP-VC. 

     

    What are you using for IP address assignment? The internal IAP-VC DHCP or an external DHCP server?

     

    Have you enabled Dynamic RADIUS proxy so that the RADIUS requests all come from the VC? Does the VC have a virtual IP address assigned for the cluster?
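A quick check for the point above about the redirect name and wildcard certificates, as an added example that is not from this thread or from Aruba: it applies the usual browser wildcard rules (RFC 6125 style) to the configured redirect host and the names on the portal certificate. The hostnames come from the thread; the helper functions and their result strings are hypothetical. One caveat a practitioner should keep in mind: a name match alone is not enough. If the client does not trust the issuer (the default IAP certificate), Chrome reports ERR_CERT_AUTHORITY_INVALID, which is the error in the first post; a name mismatch shows up as ERR_CERT_COMMON_NAME_INVALID instead.

```python
# Added example: RFC 6125-style matching of a captive portal redirect host
# against the names on the portal certificate. Not Aruba code; helper names
# and result strings are hypothetical, the hostnames come from the thread.


def san_matches_host(cert_name, host):
    """True if a browser would accept cert_name (CN or dNSName SAN) for host.

    Rules: case-insensitive exact match, or a wildcard that is the entire
    left-most label, matches exactly one label, and has at least two labels
    after it. So '*.com' and 'cap*.customer.com' are rejected, and
    '*.customer.com' covers neither 'customer.com' nor 'a.b.customer.com'.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    cert_labels = cert_name.split(".")
    host_labels = host.split(".")
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def portal_name_check(redirect_host, cert_names):
    """Return (ok, reason) for the host the client is redirected to."""
    for name in cert_names:
        if san_matches_host(name, redirect_host):
            return True, f"{redirect_host} is covered by certificate name {name}"
    return False, (f"{redirect_host} matches none of {list(cert_names)}; "
                   "browser shows a name mismatch (Chrome: ERR_CERT_COMMON_NAME_INVALID)")


if __name__ == "__main__":
    # Constructed inputs: the default IAP certificate versus a customer wildcard.
    default_iap_cert = ["securelogin.arubanetworks.com"]
    wildcard_cert = ["*.customer.com", "customer.com"]
    for host, names in [
        ("captiveportal-login.customer.com", default_iap_cert),
        ("captiveportal-login.customer.com", wildcard_cert),
        ("securelogin.arubanetworks.com", default_iap_cert),
    ]:
        print(portal_name_check(host, names))
```

The first case is the one the thread is circling: with only the default Aruba certificate on the VC, a redirect to captiveportal-login.customer.com cannot pass a name check, and even a redirect to securelogin.arubanetworks.com passes the name check but still fails on issuer trust.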



  • 9.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 03:59 PM

    Oh okay, so that part is correct then. I am not using the IAP-VC for DHCP; they are just pointed at our DHCP server, as is the RADIUS configuration. I will have to get back to you about the Dynamic RADIUS proxy and virtual IP for the cluster though, as I am not familiar with those settings. I will continue looking into that. Thanks for all the help so far.



  • 10.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 04:02 PM

    Sorry, I had a bit of a no-duh moment there. Yes, the VCs have a virtual IP and they do have the Dynamic proxy set as RADIUS.



  • 11.  RE: Clearpass Captive Portal Loop

    Posted Oct 17, 2017 04:37 PM

    This is what I see for certificates on my IAP here: just the default Aruba certificate for the captive portal. Redirection when it is like this will only work to securelogin.arubanetworks.com.

     

    In Clearpass also verify that the NAS login settings show controller-initiated not server-initiated.

     



  • 12.  RE: Clearpass Captive Portal Loop

    Posted Oct 18, 2017 09:51 AM

    Yeah, it is definitely on controller-initiated; the NAS address disappears if you switch that off. Sounds like you have a similar setup with the certificates then. We do have a portion of the network using AP-105s which is still working. They just have a standard password instead of a sponsor. The only main difference I can see is the role_id, but changing that doesn't do much.



  • 13.  RE: Clearpass Captive Portal Loop

    Posted Oct 19, 2017 12:34 PM

    Just wanted to add some more info today in case anyone else took a look. I checked the firewall and don't see any traffic being blocked. I am able to get the IP from DHCP, DNS works, and my IP is in the correct subnet. Also, I can use nslookup to find IP addresses for common sites like yahoo and cnn while connected to Guest, but can't actually connect to anything.



  • 14.  RE: Clearpass Captive Portal Loop

    EMPLOYEE
    Posted Oct 19, 2017 01:00 PM

    Do you see anything in event viewer in Clearpass?

     

    Try to do an auth test from the cli of the IAP and see if that shows up in access tracker.

     

    aaa test-server <servername> username <username> password <passwd> auth-type pap


  • 15.  RE: Clearpass Captive Portal Loop

    Posted Oct 19, 2017 04:36 PM

    The event viewer is mostly just Admin UI logging in and Auto Cleanup. There are 3 instances of RADIUS Authentication errors from 2 days ago, all within a couple of minutes of each other, but considering I have been working on this for a few days and that's the first time I've seen that error, I think it may just be coincidence or related to something else.

     

    I ran the command:

     

    aaa test-server clearpass username username password password auth-type pap 

     

    The username and password were the temporary Guest credentials I got after being accepted by a sponsor. That came up as "The RADIUS server clearpass not existing".

     

    I tried "nslookup clearpass" on my computer and on the router and both were able to resolve it so I am not sure why it is saying it doesn't exist. 



  • 16.  RE: Clearpass Captive Portal Loop

    Posted Oct 20, 2017 09:57 AM

    Update on the RADIUS server: my issue was I didn't capitalize. Using the show radius-servers command I see the ClearPass server, with 2 IAPs connected. The aaa test-server command times out though.



  • 17.  RE: Clearpass Captive Portal Loop

    EMPLOYEE
    Posted Oct 21, 2017 08:35 AM

    If that command times out it is usually one of two things. Either the shared secret is wrong or there is no route to CPPM.

    An incorrect shared secret will show in the event viewer.

    You could also try a capture on the CPPM end just to make sure the packets are actually getting there. Go to Administration --> Server Manager --> Server Configuration. Click on your CPPM and then collect logs.
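To make the timeout-versus-shared-secret point from the last two replies concrete, here is an added example (not from the thread, and not Aruba or ClearPass code) that reproduces a PAP test exchange of the kind `aaa test-server ... auth-type pap` performs, using the RFC 2865 User-Password hiding and Response Authenticator rules with only the Python standard library. The NAS and the server run in one process with no network; the secrets, the user database and the NAS IP are constructed for the demo. It shows why a wrong secret surfaces as a timeout on the IAP side (the NAS cannot validate the reply and drops it) and as an authentication error on the server side (the hidden password decodes to junk), rather than as an explicit "bad secret" message.

```python
# Added example: a self-contained RADIUS PAP exchange (RFC 2865) with the NAS
# and server in one process. Not Aruba or ClearPass code; all values constructed.
import hashlib
import hmac
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type, value):
    # Attribute = Type(1) Length(1, includes the 2-byte header) Value
    return bytes([attr_type, len(value) + 2]) + value


def _pap_blocks(data, secret, request_auth, encode):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block uses the Request Authenticator."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = result if encode else block  # chain on the ciphertext block
    return out


def hide_password(password, secret, request_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _pap_blocks(padded, secret, request_auth, encode=True)


def unhide_password(hidden, secret, request_auth):
    return _pap_blocks(hidden, secret, request_auth, encode=False).rstrip(b"\x00")


def build_access_request(ident, username, password, secret, nas_ip):
    request_auth = secrets.token_bytes(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def radius_server(request, secret, users):
    """Stand-in for the RADIUS server: returns (response, event_log_line)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = unhide_password(attrs[USER_PASSWORD], secret, request_auth)
    event = None
    # A wrong shared secret does not fail loudly: the hidden password simply
    # decodes to junk, and non-printable bytes are the tell the server logs.
    if not password or any(b < 0x20 or b > 0x7E for b in password):
        event = (f"RADIUS authentication error for {username!r}: "
                 "User-Password does not decode, check the shared secret")
    accepted = event is None and users.get(username) == password.decode()
    header = struct.pack("!BBH", ACCESS_ACCEPT if accepted else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth, event


def nas_check_response(request, response, secret):
    """What the NAS does with a reply: verify the Response Authenticator with
    its own secret. On mismatch the packet is dropped, which is why a wrong
    secret looks like a timeout from the IAP side. Returns the code or None."""
    if len(response) < 20 or response[1] != request[1]:
        return None
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return response[0] if hmac.compare_digest(expected, response[4:20]) else None


def aaa_test_server(username, password, nas_secret, server_secret, users, nas_ip="10.0.0.1"):
    """Simulate 'aaa test-server ... auth-type pap' end to end.
    Returns ('Access-Accept' | 'Access-Reject' | 'timeout', server_event)."""
    request = build_access_request(7, username, password, nas_secret, nas_ip)
    response, event = radius_server(request, server_secret, users)
    code = nas_check_response(request, response, nas_secret)
    names = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}
    return names.get(code, "timeout"), event


if __name__ == "__main__":
    users = {"guest-4821": "Tq7pxm"}  # constructed temporary guest credentials
    print(aaa_test_server("guest-4821", "Tq7pxm", b"s3cret", b"s3cret", users))
    print(aaa_test_server("guest-4821", "wrong", b"s3cret", b"s3cret", users))
    print(aaa_test_server("guest-4821", "Tq7pxm", b"s3cret", b"S3CRET", users))
```

The third call is the case the thread ends on: the request reaches the server, the server logs an authentication error and answers Access-Reject, but the reply's authenticator was computed with a different secret, so the NAS discards it and the CLI reports a timeout. A timeout with nothing at all in the server's event log or capture points instead at the other cause named above, no route to the server.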