Wireless Access

Frequent Contributor I

Clearpass Captive Portal does not work on 1 particular controller

I demoted a 7240 from master to local and now ClearPass captive portal clients that terminate on this controller can't get internet access. The other 3 local controllers work just fine.


When opening a browser, even after self registration, the client is always redirected back to the same login/registration page.


Here's the datapath session:

NOTE: I relabeled the IPs so it is clear which one they are.


(local-aruba-wc1) #show datapath session table 10.client-IP


Datapath Session Table Entries
------------------------------

Flags: F - fast age, S - src NAT, N - dest NAT
       D - deny, R - redirect, Y - no syn
       H - high prio, P - set prio, T - set ToS
       C - client, M - mirror, V - VOIP
       Q - Real-Time Quality analysis
       I - Deep inspect, U - Locally destined
       E - Media Deep Inspect, G - media signal
       r - Route Nexthop
       A - Application Firewall Inspect


Source IP               Destination IP          Prot SPort DPort  Cntr     Prio ToS Age Destination TAge Packets    Bytes      Flags
----------------------- ----------------------- ---- ----- -----  -------- ---- --- --- ----------- ---- ---------  ---------  ---------------
134.local-DNS-IP        10.client-IP            17   53    31365  0/0      0    0   0   tunnel 2961 5    1          216        FI
134.local-controller-IP 10.client-IP            6    8081  36016  0/0      0    0   0   tunnel 2961 5    9          6702       FSI
10.client-IP            54.230.87.216           6    36016 443    1/15787  0    0   0   tunnel 2961 5    10         860        FNCI
54.230.87.216           10.client-IP            6    443   36018  0/0      0    0   0   local       5    9          6702       F
10.client-IP            54.230.87.216           6    36017 443    1/15787  0    0   0   tunnel 2961 5    10         860        FNCI
10.client-IP            54.230.87.216           6    36018 443    1/15787  0    0   0   tunnel 2961 5    11         912        FNCI
54.230.87.237           10.client-IP            6    443   34369  0/0      0    0   0   local       5    9          6718       F
134.local-controller-IP 10.client-IP            6    8081  34370  0/0      0    0   0   tunnel 2961 5    9          6718       FSI
134.local-controller-IP 10.client-IP            6    8081  34372  0/0      0    0   0   tunnel 2961 5    9          6718       FSI
134.local-controller-IP 10.client-IP            6    8081  39378  0/0      0    0   0   tunnel 2961 5    9          6702       FSI
134.local-controller-IP 10.client-IP            6    8081  39380  0/0      0    0   0   tunnel 2961 5    9          6702       FSI
10.client-IP            134.local-DNS-IP        17   18452 53     0/0      0    0   1   tunnel 2961 e    1          58         FCI
134.local-DNS-IP        10.client-IP            17   53    23931  0/0      0    0   0   tunnel 2961 5    1          355        FI
10.client-IP            134.local-DNS-IP        17   26262 53     0/0      0    0   1   tunnel 2961 b    1          62         FCI
134.local-DNS-IP        10.client-IP            17   53    26262  0/0      0    0   1   tunnel 2961 b    1          119        FI
10.client-IP            134.local-DNS-IP        17   12032 53     0/0      0    0   1   tunnel 2961 e    1          66         FCI
10.client-IP            134.local-controller-IP 6    50592 8081   0/0      0    0   1   local       f    0          0          FY
134.local-DNS-IP        10.client-IP            17   53    13345  0/0      0    0   1   tunnel 2961 e    1          120        FI
134.local-DNS-IP        10.client-IP            17   53    2021   0/0      0    0   1   tunnel 2961 e    1          133        FI
54.192.87.254           10.client-IP            6    443   35104  0/0      0    0   0   local       5    10         6754       F
10.client-IP            134.local-DNS-IP        17   13345 53     0/0      0    0   1   tunnel 2961 e    1          62         FCI
134.local-controller-IP 10.client-IP            6    8081  35103  0/0      0    0   0   tunnel 2961 5    9          6702       FSI
10.client-IP            134.local-controller-IP 6    35685 8081   0/0      0    0   0   local       5    0          0          FY
10.client-IP            134.local-controller-IP 6    36017 8081   0/0      0    0   0   local       5    0          0          FY
104.16.27.235           10.client-IP            6    443   35685  0/0      0    0   0   local       5    9          6702       F
54.192.87.254           10.client-IP            6    443   35105  0/0      0    0   0   local       5    10         6754       F
10.client-IP            134.local-controller-IP 6    36016 8081   0/0      0    0   0   local       5    0          0          FY
10.client-IP            134.local-controller-IP 6    36018 8081   0/0      0    0   0   local       5    0          0          FY
134.local-controller-IP 10.client-IP            6    8081  39379  0/0      0    0   0   tunnel 2961 5    9          6702       FSI
72.21.207.136           10.client-IP            6    443   39377  0/0      0    0   0   local       5    9          6702       F
10.client-IP            134.local-DNS-IP        17   13182 53     0/0      0    0   0   tunnel 2961 5    1          64         FCI
134.local-DNS-IP        10.client-IP            17   53    25780  0/0      0    0   1   tunnel 2961 e    1          124        FI
134.local-DNS-IP        10.client-IP            17   53    26025  0/0      0    0   1   tunnel 2961 5    1          455        FI
134.local-controller-IP 10.client-IP            6    8081  34371  0/0      0    0   0   tunnel 2961 5    9          6718       FSI
52.24.144.52            10.client-IP            6    443   60702  0/0      0    0   0   0/0/5       5    0          0          FDC
10.client-IP            104.16.27.235           6    35685 443    1/15787  0    0   1   tunnel 2961 5    10         1171       FNCI
10.client-IP            134.local-DNS-IP        17   31365 53     0/0      0    0   1   tunnel 2961 5    1          67         FCI
10.client-IP            134.local-DNS-IP        17   21527 53     0/0      0    0   1   tunnel 2961 5    1          59         FCI
134.local-controller-IP 10.client-IP            6    8081  35106  0/0      0    0   1   tunnel 2961 5    9          6702       FSI
134.local-DNS-IP        10.client-IP            17   53    18452  0/0      0    0   1   tunnel 2961 e    1          133        FI
192.243.232.36          10.client-IP            6    443   49650  0/0      0    0   0   0/0/5       3    4          372        FDC
72.21.91.97             10.client-IP            6    443   45029  0/0      0    0   0   0/0/5       8    0          0          FDC
192.243.232.58          10.client-IP            6    443   38166  0/0      0    0   0   0/0/5       3    4          372        FDC
192.243.232.58          10.client-IP            6    443   38170  0/0      0    0   0   0/0/5       3    4          372        FDC
192.243.232.58          10.client-IP            6    443   38167  0/0      0    0   0   0/0/5       3    4          372        FDC
10.client-IP            173.194.203.188         6    34656 5228   0/0      0    0   0   tunnel 2961 2    1          60         FDYC
192.243.232.36          10.client-IP            6    443   49651  0/0      0    0   0   0/0/5       3    4          372        FDC

(local-aruba-wc1) #

Thanks.
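Reading a session table like the one above by hand is error-prone, so here is an added parser for the `show datapath session table` column layout, with a small summary of the entries that matter when a client keeps landing on the portal: client-originated sessions carrying the dest-NAT (`N`) flag (the datapath is rewriting them to the portal listener), entries on the portal port, and denied (`D`) sessions. This is not ArubaOS or ClearPass code; the sample rows are constructed in the same layout as the post, with RFC 5737 placeholder addresses for the client and controller, and the portal port 8081 is taken from the post's output.

```python
"""Parse ArubaOS 'show datapath session table' output and summarize what the
datapath is doing to one client's traffic.  Added example, not vendor code.
The sample table below is constructed; 10.0.0.10 / 192.0.2.x are placeholders."""

# Constructed sample in the same column layout as the real command output.
SAMPLE_TABLE = """\
Source IP       Destination IP  Prot SPort DPort  Cntr    Prio ToS Age Destination TAge Packets    Bytes      Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- ---------  --------- ---------------
10.0.0.10       54.230.87.216   6    36016 443    1/15787 0    0   0   tunnel 2961 5    10         860        FNCI
10.0.0.10       192.0.2.50      6    36016 8081   0/0     0    0   0   local       5    0          0          FY
192.0.2.50      10.0.0.10       6    8081  36016  0/0     0    0   0   tunnel 2961 5    9          6702       FSI
10.0.0.10       192.0.2.53      17   18452 53     0/0     0    0   1   tunnel 2961 e    1          58         FCI
52.24.144.52    10.0.0.10       6    443   60702  0/0     0    0   0   0/0/5       5    0          0          FDC
10.0.0.10       173.194.203.188 6    34656 5228   0/0     0    0   0   tunnel 2961 2    1          60         FDYC
"""

# Flag letters as printed in the command's own legend.
FLAG_NAMES = {
    "F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
    "R": "redirect", "Y": "no syn", "C": "client", "I": "deep inspect",
}


def parse_session(line):
    """Return one session row as a dict, or None for header/legend/blank lines.

    The 'Destination' column is either one token ('local', '0/0/5') or two
    ('tunnel 2961'), so the row is split from both ends: nine fixed columns on
    the left, four on the right, and whatever is left in the middle is the
    destination."""
    parts = line.split()
    if len(parts) not in (14, 15):
        return None
    head, tail = parts[:9], parts[-4:]
    try:
        return {
            "src": head[0], "dst": head[1], "proto": int(head[2]),
            "sport": int(head[3]), "dport": int(head[4]), "cntr": head[5],
            "prio": head[6], "tos": head[7], "age": head[8],
            "destination": " ".join(parts[9:-4]), "tage": tail[0],
            "packets": int(tail[1]), "bytes": int(tail[2]), "flags": set(tail[3]),
        }
    except ValueError:          # header or separator line, not a session row
        return None


def parse_table(text):
    """Parse a whole command output into a list of session dicts."""
    return [s for s in (parse_session(l) for l in text.splitlines()) if s]


def summarize_client(sessions, client_ip, portal_port=8081):
    """Count the session types that matter when a client is stuck on a captive portal."""
    summary = {"dst_nat_to_portal": 0, "portal_port_entries": 0, "denied": 0, "dns": 0}
    for s in sessions:
        flags = s["flags"]
        # Client-originated session with dest-NAT: the datapath is rewriting it
        # to the portal listener instead of letting it reach the internet.
        if s["src"] == client_ip and "N" in flags and "C" in flags:
            summary["dst_nat_to_portal"] += 1
        if portal_port in (s["sport"], s["dport"]):
            summary["portal_port_entries"] += 1
        if "D" in flags:
            summary["denied"] += 1
        if 53 in (s["sport"], s["dport"]):
            summary["dns"] += 1
    # Still being redirected while non-DNS traffic is denied means the client
    # never left the pre-authentication (captive portal) role.
    summary["still_in_portal_role"] = (
        summary["dst_nat_to_portal"] > 0 and summary["denied"] > 0
    )
    return summary


def describe_flags(flags):
    """Expand a flag string such as 'FNCI' using the legend above."""
    return [FLAG_NAMES.get(f, f) for f in sorted(flags)]


if __name__ == "__main__":
    rows = parse_table(SAMPLE_TABLE)
    for r in rows:
        print(f"{r['src']:>16} -> {r['dst']:<16} {r['dport']:>5} {describe_flags(r['flags'])}")
    print(summarize_client(rows, "10.0.0.10"))
```

Run it against a pasted table and a nonzero `dst_nat_to_portal` together with `denied` entries after the user has registered tells you the role change never reached this controller, which points at the controller-to-ClearPass side (role assignment, RADIUS) rather than at the portal page itself.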

Guru Elite

Re: Clearpass Captive Portal does not work on 1 particular controller

Are you using the same captive portal certificate on every controller? (recommended)
What do you have set for the network login address in the guest login configuration?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Clearpass Captive Portal does not work on 1 particular controller

Different for all 4 locals, but there is a script on ClearPass that should fix this. The x.x.2.50 is the local controller that doesn't work.


{* Map the controller's switchip to its hostname, then reload the page once
   with cn=1 so this block does not run again *}
{if !$extra_fields.cn}
  {if $extra_fields.switchip == "x.x.2.50"}
    {assign var="hostname" value="local-controller-aruba-wc1.csu.net"}
  {elseif $extra_fields.switchip == "x.x.2.54"}
    {assign var="hostname" value="local-controller-aruba-wc1.csu.net"}
  {elseif $extra_fields.switchip == "x.x.2.58"}
    {assign var="hostname" value="local-controller-aruba-wc2.csu.net"}
  {elseif $extra_fields.switchip == "x.x.2.62"}
    {assign var="hostname" value="local-controller-aruba-wc2.csu.net"}
  {else}
    {assign var="hostname" value=$extra_fields.switchip}
  {/if}
  <meta http-equiv="refresh" content="0;url=/guest/{$script_name}.php?switchip={$hostname|rawurlencode}&cn=1&_browser=1">
{/if}


Guru Elite

Re: Clearpass Captive Portal does not work on 1 particular controller

1. Doing it that way is really not recommended
2. What is the output of "show datapath fqdn" from that controller?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Clearpass Captive Portal does not work on 1 particular controller

Thanks for the quick reply


1) What's the best way?

2) It shows the controller's hostname + csu*.net

Guru Elite

Re: Clearpass Captive Portal does not work on 1 particular controller

1) Use the same generic captive portal certificate on all of your controllers

2) Does that match what is configured in ClearPass?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Clearpass Captive Portal does not work on 1 particular controller

1) Would this show HTTPS errors? We try not to let clients see 'error' stuff if possible.

2) Yes, this is exactly what's on the script.


thanks.

Guru Elite

Re: Clearpass Captive Portal does not work on 1 particular controller

1. No, it wouldn't
2. Best to open a TAC case then

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor I

Re: Clearpass Captive Portal does not work on 1 particular controller

I will. Thanks.

Frequent Contributor I

Re: Clearpass Captive Portal does not work on 1 particular controller

UPDATE:


The problem all this time was a mismatched RADIUS key between the controller and ClearPass.
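The root cause above produces exactly the symptom from the first post, because every RADIUS packet is bound to the shared secret: the NAS signs the Access-Request with HMAC-MD5 over the packet (Message-Authenticator, RFC 2869) and the server's Access-Accept carries an MD5 Response Authenticator computed with the same secret (RFC 2865); whichever side computes with a different secret silently discards the other's packet, so the client is never moved out of the portal role. Here is an added, self-contained Python model of both checks (not ClearPass or ArubaOS code). The packet is reduced to a User-Name attribute plus the authenticators; the secrets, identifier and username are constructed values.

```python
"""RADIUS shared-secret binding, modelled in plain Python (added example, not
vendor code).  Builds an Access-Request with a Message-Authenticator and the
matching Access-Accept with a Response Authenticator, then shows that a
mismatched secret on either side fails verification."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def _attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, ident, username, request_auth=None):
    """NAS side: Access-Request whose Message-Authenticator is keyed with `secret`.

    The Message-Authenticator is HMAC-MD5 over the whole packet with the
    attribute's own 16 value bytes set to zero (RFC 2869, section 5.14)."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode())
    placeholder = _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    length = 20 + len(attrs) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    mac = hmac.new(secret, header + attrs + placeholder, hashlib.md5).digest()
    return header + attrs + _attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server side: recompute the Message-Authenticator with the server's secret."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False  # malformed attribute
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, received)
        pos += attr_len
    return False  # no Message-Authenticator present


def build_access_accept(secret, request_packet, attrs=b""):
    """Server side: Access-Accept for `request_packet`, keyed with the server's secret.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    RFC 2865 section 3."""
    ident = request_packet[1]
    request_auth = request_packet[4:20]
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + response_auth + attrs


def verify_response(response, request_packet, secret):
    """NAS side: accept the reply only if its Response Authenticator matches the NAS secret."""
    head, response_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_packet[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def exchange(secret_nas, secret_server, ident=7, username="guest-user"):
    """Run one request/response with each side using its own configured secret.

    Returns which packets each side would accept; a mismatch makes both False,
    which from the client's point of view is a login that never takes effect."""
    request = build_access_request(secret_nas, ident, username)
    server_accepts_request = verify_message_authenticator(request, secret_server)
    accept = build_access_accept(secret_server, request)
    nas_accepts_response = verify_response(accept, request, secret_nas)
    return {
        "server_accepts_request": server_accepts_request,
        "nas_accepts_response": nas_accepts_response,
    }


if __name__ == "__main__":
    # Constructed secrets: one controller configured with a different key.
    print("matching keys  :", exchange(b"shared-key-example", b"shared-key-example"))
    print("mismatched keys:", exchange(b"shared-key-example", b"shared-key-typo"))
```

On the server side a mismatch normally surfaces as a "bad Message-Authenticator" or "unknown client / bad shared secret" style event in the RADIUS server's request log rather than as an error on the client, which is why a datapath session dump alone cannot distinguish this from a portal or certificate problem; checking the RADIUS server's rejected/dropped request log for the affected controller's NAS address is the fastest confirmation.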
