Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAP route to CPPM in DMZ

  • 1.  IAP route to CPPM in DMZ

    Posted Nov 15, 2017 08:42 AM

    Hi All,

    I have a customer with a number of IAP clusters at different branches. All have a VPN back to a core controller which has an interface into the DMZ network where we host a clearpass for guest only.

    The sites seem to have lost the ability to authenticate guest users although the users can reach the page on CP and create accounts. The VPNs are reported as up on the controller. I don't see any events in access tracker or event viewer on CPPM for these sites. The sites have a low count of users so I am not sure when this issue began although a little while ago we upgraded due to the KRACK vulnerability.

    The IAPs are 13x series running 6.4.4.8-4.2.4.9_61734 and the controller is a 7210 running 6.5.3.3 and the VPNs terminate on a VRRP.

    The only thing so far that has caught my attention is that the routing table looks different on the cluster that has been reported as not working - on another cluster it has routes (show ip route) to the DMZ address for the CPPM.

    Any ideas?
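
    As an added diagnostic example (not part of the original post, and not Aruba code), the check below compares two routing tables and asks, for the CPPM address, whether the longest-prefix match actually points at the VPN tunnel interface or only at the default route. The route lines and interface names (tun0 for the VPN, eth0 for the uplink) are constructed sample data in an assumed "prefix via next-hop dev iface" layout, not real IAP "show ip route" output.

```python
import ipaddress

# Constructed sample route tables for two IAP clusters (assumed layout:
# "prefix via next-hop dev iface"; not real "show ip route" output).
CLUSTER_A = """\
0.0.0.0/0 via 192.0.2.1 dev eth0
10.50.0.0/16 via 10.255.0.1 dev tun0
203.0.113.0/24 via 10.255.0.1 dev tun0
"""
CLUSTER_B = """\
0.0.0.0/0 via 192.0.2.1 dev eth0
10.50.0.0/16 via 10.255.0.1 dev tun0
"""

def parse_routes(text):
    """Parse route lines into (network, next_hop, iface); skip anything unparseable."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "via" or parts[3] != "dev":
            continue
        routes.append((ipaddress.ip_network(parts[0], strict=False), parts[2], parts[4]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match for dst; returns (network, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, nh, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, dev)
    return best

def check_cppm_path(routes, cppm_ip, vpn_iface="tun0"):
    """'ok' if CPPM is reached via the VPN tunnel, 'leaks-to-default' if only the
    default route covers it (RADIUS would leave via the local uplink and never
    reach the DMZ), 'wrong-interface' for a specific route off the tunnel, else 'no-route'."""
    match = lookup(routes, cppm_ip)
    if match is None:
        return "no-route"
    net, nh, dev = match
    if dev == vpn_iface:
        return "ok"
    return "leaks-to-default" if net.prefixlen == 0 else "wrong-interface"

def diff_routes(a, b):
    """Prefixes present in one table but not the other: (only_in_a, only_in_b)."""
    sa = {str(n) for n, _, _ in a}
    sb = {str(n) for n, _, _ in b}
    return sorted(sa - sb), sorted(sb - sa)
```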



  • 2.  RE: IAP route to CPPM in DMZ

    MVP EXPERT
    Posted Nov 15, 2017 10:06 AM

    Have you made any changes to the IAP settings? The fact that the client can access the CPPM and register for an account suggests the connectivity is there.


    Do you see any errors or warnings on the client when they enter their credentials? Have you run a packet capture on the CPPM to determine what is happening between the client and the CPPM?



  • 3.  RE: IAP route to CPPM in DMZ

    Posted Nov 15, 2017 10:13 AM

    There have been no changes made other than upgrading the code. I agree there is connectivity as they are seeing the pages however authentication is not taking place. I do not think that RADIUS traffic is reaching clearpass as there is nothing in the logs and controller-based sites are working fine. The client is just looping back to the sign-up page - a classic symptom I've seen before when the RADIUS auth part fails for some reason.

    Interestingly after having a bit of a poke around I have noticed that the routing tables are now the same even though I haven't changed anything.



  • 4.  RE: IAP route to CPPM in DMZ

    Posted Nov 15, 2017 10:51 AM
    Are you guys allowing RADIUS communication under your IAP-role on the controller?



  • 5.  RE: IAP route to CPPM in DMZ

    Posted Nov 16, 2017 04:07 AM

    I believe so, they are in the default-vpn-role which has the allow-all policy in it.



  • 6.  RE: IAP route to CPPM in DMZ

    Posted Nov 16, 2017 04:38 AM

    Another thing I have noticed is that when I do a "show user" the IAP is listed as using the "default-iap" under the Profile column, presumably an AAA profile, but I don't see this in the list under all profiles>Wireless LAN>AAA section?