Security

 View Only
last person joined: 21 hours ago 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Process of Captive Portal Authentication with ClearPass Guest

This thread has been viewed 125 times

  • 1.  Process of Captive Portal Authentication with ClearPass Guest

    Posted Jul 21, 2017 03:48 PM

    Hello guys,

     

    I can't completely understand how captive portal authentication with ClearPass Guest works. Could anyone explain in more detail steps 3 to 5 of the below picture?

    original.png

     

    I have read something about in some point of the process the client sends the credentials directly to ClearPass (skipping NAD), ClearPass replies directly to the client (skipping NAD again) and then client sends the credentials to NAD and then NAD to ClearPass. Also I have read something about ClearPass POST the user credentials to the NAD device? All this sounds very weird to me. Is there any documentation of the entire process? I have only found the following article:

     

    http://community.arubanetworks.com/t5/07-19-13-Expert-Day/How-does-captive-portal-authentication-really-work-with/td-p/87208

     

    But this is not explained in detail. I have also found this:

     

    http://www.arubanetworks.com/vrd/GuestAccessAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm

     

    Which is very well explained, but it doesn't include the part of ClearPass.

     

    Regards,

    Julián



  • 2.  RE: Process of Captive Portal Authentication with ClearPass Guest

    EMPLOYEE
    Posted Jul 21, 2017 04:01 PM

     

    3 and 4 are the local internal ClearPass credential check to the local user database.

     

    5 is where the client browser submits the credentials to the controller. The controller iniaates a RADIUS request to ClearPass. 

     

    6 - If authentication is successful, ClearPass response with an access accept. 

     

    What errors are you seeing? What isn't working?



  • 3.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Jul 21, 2017 04:31 PM

    Then let me know if this is correct:

     

    3 - When the client is entering the credentials in the Web Login page and click on "Login", are the credentials sent directly to ClearPass (with no intervention of NAD device)?

     

    4 - ClearPass checks the credentials in its database and reponds directly to client (again with no intervention of NAD device) saying "Logging in..." or "Invalid username or password".

     

    5 - Client sends credentials to NAD and NAD sends them in a RADIUS request to ClearPass.

     

    Regards,

    Julián



  • 4.  RE: Process of Captive Portal Authentication with ClearPass Guest

    EMPLOYEE
    Posted Jul 21, 2017 04:33 PM

    Yes



  • 5.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Jul 21, 2017 04:45 PM

    OK, perfect. Then there is not step where ClearPass sends the user credentials back to the NAD device, right?

     

    Regards,

    Julián



  • 6.  RE: Process of Captive Portal Authentication with ClearPass Guest

    EMPLOYEE
    Posted Jul 21, 2017 04:49 PM
    No. They're submitted through the browser to the controller.


  • 7.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Jul 21, 2017 04:52 PM

    OK, many thanks for the clarifications. Now I understand better this process.

     

    Regards,

    Julián



  • 8.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Jun 12, 2018 05:28 PM

    Hello! So, regading this same issue:

    3- When the customer clicks Login button, the user credentials are sent to the Clearpass directly? So, they aren't proxied by the NAD?

    4- ClearPass checks the credentials in its database and reponds directly to client (again with no intervention of NAD device).

    So what types of messages/response does it send back to the customer?

     

    I have a Clearpass enviroment and when I click Login always get: "Error 404: Page not found". So is this one of those messages I could get at step 4? Before the NAD even makes the RADIUS request?

     

    Thanks!



  • 9.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Jun 12, 2018 06:55 PM
    All the RADIUS communication is sent via the NAD (Authentication , Authorization)

    The only direct communication the client has with ClearPass is the captive portal page

    Sent from Mail for Windows 10


  • 10.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Oct 06, 2021 11:42 AM
    hi guys,

    I´d like to ask you, if someone can share a picture similar to the one Julián posted which shows the process for Guest Access using SMS authentication?!
    ​​
    Original Message


  • 11.  RE: Process of Captive Portal Authentication with ClearPass Guest

    EMPLOYEE
    Posted Oct 06, 2021 11:57 AM
    There is no Authentication via SMS.  When a user enters their information at the registration page, the password is then sent via SMS, using the cell phone number that the user entered in the registration page.  It is no different from emailing a user the guest password.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------

    Original Message