Occasional Contributor II

Clearpass Captive Portal Loop

I have Clearpass set up with a captive portal page that requires email verification from a sponsor. The users fill out the form, get accepted, log in, go to the "You are being logged into the network..." page, then they are routed back to the original registration page. If they try to navigate out of the captive portal page, it either goes right back to the captive portal page again or sometimes sends them to a page with an ERR_CERT_AUTHORITY_INVALID error.

- Captive portal profile configured with https://clearpass.customer.com/guest/guest_register_IAP.php
- They are connected to our DHCP and pulling an IP
- DNS is public
- NAS login address set to captiveportal-login.customer.com
- I can see their active sessions in ClearPass

I am fairly new to this system and wasn't the one who set it up, so if I am missing any pertinent information let me know. Reading through other threads and looking at the setup, I don't see any obvious settings that are incorrect. Can anyone point me in the direction of where this might be going wrong?

Occasional Contributor II

Re: Clearpass Captive Portal Loop

Is there a valid certificate for the IAP-VC to use for captiveportal-login.customer.com?

At this point it is getting redirected to the virtual controller for login.

Occasional Contributor II

Re: Clearpass Captive Portal Loop

On the Policy Manager we have clearpass.customer.com for the RADIUS Server Certificate and we have 4 certificates under HTTPS server certificate that all show as valid. Two are labeled Intermediate CA and one Root CA.

Thanks for the reply.

Occasional Contributor II

Re: Clearpass Captive Portal Loop

I assume you aren't getting any access tracker entries on Policy Manager?

Also be sure to check the event log on Policy Manager in case of a shared secret mismatch for RADIUS.

Occasional Contributor II

Re: Clearpass Captive Portal Loop

Yes that is correct, the only access tracker entries I have seen so far are from me logging into it. Same thing with Event Viewer, nothing other than me logging in as the admin and some auto cleanup stuff. 

Occasional Contributor II

Re: Clearpass Captive Portal Loop

Did you check the Instant configuration for certificates?

You mention captiveportal-login.customer.com for the NAS IP address. That lives on the Instant APs themselves and not Clearpass.

The default certificate that comes with the IAPs is securelogin.arubanetworks.com. This isn't trusted so it is recommended to change it. However, I would recommend trying this address for troubleshooting or even putting in the IAP Virtual IP instead.

Occasional Contributor II

Re: Clearpass Captive Portal Loop

I just checked the certificates on the IAP's VC and they have 3 from Aruba, two of which have that "securelogin.arubanetworks.com" under issuer. I tried adding that to the NAS address but the only thing that changed was I went to the "Site not secure" splash page and had to click to proceed before getting routed to the captive portal page again. On Airwaves I have a CustomerWildcard cert that says it is for Captive Portal but I don't see that on the VCs themselves. I'm guessing there's some simple issue with the certifications I'm missing? Should the certs showing on Clearpass match the ones on the IAPs?

Occasional Contributor II

Re: Clearpass Captive Portal Loop

They do not need to be the same. I generally like to use a wildcard for all of them. captiveportal-login.customer.com is meant to be used with a wildcard certificate. Otherwise it would be the hostname of the IAP-VC.

What are you using for IP address assignment? The internal IAP-VC DHCP or an external DHCP server?

Have you enabled Dynamic RADIUS proxy so that the RADIUS requests all come from the VC? Does the VC have a virtual IP address assigned for the cluster?
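
The wildcard question in the two posts above, as an added example that is not part of the thread: a small RFC 6125-style name matcher run against the two hostnames a guest browser visits during the redirect. The hostnames come from the thread; the certificate name lists and all function names are constructed for illustration.

```python
# Added illustration, not code from any poster or from Aruba.
# Hostnames are the ones quoted in the thread; the SAN lists are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a hostname.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, which is how browsers treat wildcard certificates.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require two fixed labels after the wildcard so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def covered(host: str, san_list: list) -> bool:
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(name, host) for name in san_list)


# Constructed name lists standing in for certificates discussed in the thread.
CERTS = {
    "wildcard (constructed)": ["*.customer.com"],
    "ClearPass single-name (constructed)": ["clearpass.customer.com"],
    "IAP default, name as given in thread": ["securelogin.arubanetworks.com"],
}

# The two HTTPS hops: the ClearPass registration page, then the NAS login
# address served by the IAP virtual controller.
HOPS = ["clearpass.customer.com", "captiveportal-login.customer.com"]


def coverage_report(certs=CERTS, hops=HOPS) -> dict:
    """Map each certificate label to {hostname: covered?} for every hop."""
    return {label: {h: covered(h, sans) for h in hops}
            for label, sans in certs.items()}


if __name__ == "__main__":
    for label, row in coverage_report().items():
        for host, ok in row.items():
            print(f"{label:40s} {host:36s} {'match' if ok else 'NAME MISMATCH'}")
```

A name match is necessary but not sufficient: the certificate must also chain to a CA the client trusts, which is what ERR_CERT_AUTHORITY_INVALID reports on.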

Occasional Contributor II

Re: Clearpass Captive Portal Loop

Oh okay, so that part is correct then. I am not using the IAP-VC for DHCP, they are just pointed at our DHCP server as is the RADIUS configuration. I will have to get back to you about the Dynamic RADIUS proxy and virtual IP for the cluster though, I am not familiar with those settings. I will continue looking into that. Thanks for all the help so far.

Occasional Contributor II

Re: Clearpass Captive Portal Loop

Sorry, I had a bit of a no-duh moment there. Yes, the VCs have a virtual IP and they do have the Dynamic proxy set as RADIUS.
