Wireless Access

Reply
Frequent Contributor II

IAP route to CPPM in DMZ

Hi All,

I have a customer with a number of IAP clusters at different branches. All have a VPN back to a core controller wwhich has an interface into the DMZ network where we host a clearpass for guest only.

The sites seem to have lost the ability to authenticate guest users although the users can reach the page on CP and create accounts. The VPNs are reported as up on the controller. I don't see any events in access tracker or event viewer on CPPM for these sites. The sites have a low count of users so I am not sure when this issue began although a little while ago we upgraded due to the KRACK vulnerability.

The IAPs are 13x series running 6.4.4.8-4.2.4.9_61734 and the controller is a 7210 running 6.5.3.3 and the VPNs terminate on a VRRP.

The only thing so far that has caught my attention is that the routing table looks different on the cluster that has been reported as not working - on another cluster it has routes (show ip route) to the DMZ address for the CPPM.

Any ideas?

Re: IAP route to CPPM in DMZ

Have you made any changes to the IAP settings? The fact that the client can access the CPPM and register for an account suggests the connectivity is there.

 

Do you see any errors or warnings on the client when they enter their credentials? Have you ran a packet capture on the CPPM to determine what is happening between the client and the CPPM?


ACMA, ACMP, ACSA
If my post addresses your query, give kudos:)
Frequent Contributor II

Re: IAP route to CPPM in DMZ

There have been no changes made other than upgrading the code. I agree there is connectivity as they are seeing the pages however authentication is not taking place. I do not think that RADIUS traffic is reaching clearpass as there is nothing in the logs and controller-based sites are working fine. The client is just looping back to the sign-up page - a classic symptom i've seen seen before when the RADIUS auth part fails for some reason.

Interestingly after having a bit of a poke around I have noticed that the routing tables are now the same even though I haven't changed anything.

Re: IAP route to CPPM in DMZ

Are you guys allowing RADIUS communication under your IAP-role on the controller ?

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Frequent Contributor II

Re: IAP route to CPPM in DMZ

I believe so, they are in the default-vpn-role which has the allow-all policy in it.

Frequent Contributor II

Re: IAP route to CPPM in DMZ

Another thing I have noticed is that when I do a "show user" the IAP is listed as using the "default-iap" under the Profile column, presumably a AAA profile but I dont't see this in the list under all profiles>Wireless LAN>AAA section?

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: