Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Guest users stuck on securelogin.domain.com

  • 1.  Guest users stuck on securelogin.domain.com

    Posted Mar 12, 2018 04:37 PM
    I have inherited an Aruba setup which is showing some strange behaviour.

    There is a guest SSID which is authenticating with ClearPass Guest. After the users reach the captive portal and enter their email address they are meant to be redirected to the public website of the company, but instead they are getting stuck at securelogon.domain.com and given a message that the URL cannot be resolved.

    Now what is very strange is that this is not happening for all users, and not at all sites. To begin with, when this came to my attention we were able to resolve it by moving the ap-group to a different controller, but now it seems to be happening with a random subset of users/sites regardless of which controller they are on (we have a cluster of 4 WLCs).

    Any idea where I can start looking or how to troubleshoot this? I have a TAC case open but it's painful to say the least.

    I can provide more specifics on the setup when required.


  • 2.  RE: Guest users stuck on securelogin.domain.com

    EMPLOYEE
    Posted Mar 12, 2018 04:54 PM

    Execute "show web-server profile" on both controllers on the command line. Make sure that the Captive Portal Certificate on both is "default".



  • 3.  RE: Guest users stuck on securelogin.domain.com

    Posted Mar 12, 2018 05:13 PM

    So it seems we have a mix of "default" and "server_cert". MasterWLC and BackupWLC are our management devices and LocalWLC1-4 are what the APs actually sit on. The AP-Gs have been configured so that if LocalWLC1 is its primary then LocalWLC2 will be its secondary, or vice versa. The same with WLC3 and 4: an AP-G will have one as primary and the other as its secondary.

     

    MasterWLC) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         server_cert
    IDP Certificate                                    default
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           3600
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Web Skype4B Listen Protocol/Port Config            N/A
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false
    
    ----------------------------------------------------------------
    
    BackupWLC) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         server_cert
    IDP Certificate                                    default
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           900
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Web Skype4B Listen Protocol/Port Config            N/A
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false
    
    
    -------------------------------------------------------------
    
    LocalWLC1) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         server_cert
    IDP Certificate                                    default
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           900
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Web Skype4B Listen Protocol/Port Config            N/A
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false
    
    --------------------------------------------------------------
    
    -LocalWLC2) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         default
    IDP Certificate                                    default
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           900
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Web Skype4B Listen Protocol/Port Config            N/A
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false
    
    ---------------------------------------------------------------
    
    -LocalWLC3) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         default
    IDP Certificate                                    default
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           900
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Web Skype4B Listen Protocol/Port Config            N/A
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false
    
    --------------------------------------------------------------
    
    LocalWLC4) #show web-server profile
    
    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 default
    Captive Portal Certificate                         server_cert
    IDP Certificate                                    default
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           900
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Web Skype4B Listen Protocol/Port Config            N/A
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false


  • 4.  RE: Guest users stuck on securelogin.domain.com

    EMPLOYEE
    Posted Mar 12, 2018 05:35 PM

    The reason this is important is that the controller intercepts DNS requests for whatever server certificate is uploaded to the controller.  Since ClearPass looks like it is pointing to securelogin.arubanetworks.com, that Captive Portal will only work when a user is on the LocalWLC4 controller, which has the default Captive Portal certificate which points to securelogin.arubanetworks.com.  It probably won't work on the other two unless they have a special captive portal profile that points it to a different page on the ClearPass Server that sends a submit to whatever FQDN is configured on the Captive Portal Certificate.

    Long story short, you would need to change all of the Captive Portal Certificates back to default for this to work on all controllers, based on how ClearPass seems to be configured.

     

    There are other ways to fix this, but that is the easiest, for now.



  • 5.  RE: Guest users stuck on securelogin.domain.com

    Posted Mar 12, 2018 05:59 PM
    ClearPass Guest has securelogin.DOMAIN.com configured, not the standard Aruba URL. The server_cert on the WLCs has the matching name. If I change these back to default then I would have to change the config on ClearPass Guest as well to match?

    Also we were moving the ap-group to WLC1, which seemed to work for a while, and that one is configured with server_cert, not the default cert.


  • 6.  RE: Guest users stuck on securelogin.domain.com

    Posted Mar 12, 2018 06:01 PM
    Did you maybe read it incorrectly? WLC4 is actually also configured with server_cert.


  • 7.  RE: Guest users stuck on securelogin.domain.com

    EMPLOYEE
    Posted Mar 12, 2018 07:35 PM
    You are right. ClearPass needs to be changed to the FQDN of the server cert.


  • 8.  RE: Guest users stuck on securelogin.domain.com

    Posted Mar 13, 2018 01:51 AM
    So let me get this straight, you say to use the default cert, and change CP Guest back to using securelogin.arubanetworks.com on all controllers and the ClearPass?

    Or are you saying to change ClearPass to use the FQDN of the server_cert? If the latter, then ClearPass is already using the FQDN of the server cert.


  • 9.  RE: Guest users stuck on securelogin.domain.com

    EMPLOYEE
    Posted Mar 13, 2018 06:44 AM

    It would be easier to change ClearPass to the FQDN of the cert that is on all of your controllers.  It is not working because ClearPass is referring to securelogin.arubanetworks.com, which the controller does not recognize.

     

    I would honestly open a TAC case so that someone can look at this in detail.  I am giving you advice based on the limited information that you have given me in this thread.

     

    http://www.arubanetworks.com/support-services/support-program/contact-support