I'm in a bit of a pickle with ArubaOS 8 + Clearpass for Guest auth. The problem is that after clicking login on a Clearpass guest page, the client receives a HTTP 302 with params ?errmsg=access denied, and in Clearpass we see failed mac auth, but never do we see a request for guest user auth.
I'll start with the facts. I have several dot1x networks, both EAP-TLS and EAP-PEAP which authenticate against Clearpass without issue. Clearpass is behaving as expected in that regard.
In my Mobility Master + 2 Controllers in a cluster setup, I have a wireless network, Guest, which is configured for Mac Auth. Once the user connects to the guest network, they receive the initial guest role as configured.
My Captive Portal is setup and the user is redirected to the captive portal upon logging into the network. Everything up until this point works well and as intended.
Now comes the problem: Once the user clicks login, they POST to the referring controller at /cgi-bin/login with form data like this:
The response the client receives is HTTP 302 (redirect) and the redirection location is: ?errmsg=Access denied
This ends up being a bit of an endless loop, and the client never authenticates and remains in the configured initial guest role.
If we take a look in Clearpass, we see the mac auth request which of course fails, but we never see the user auth request come in. This leads me to believe that there is some configuration error or a general error with the controller. As I understand it, the client will POST to the controller and the controller will then send a Radius request to Clearpass which in this case would be the user auth part of the guest service in Clearpass.
I'm hoping that there is a simple fix, something that I've simply overlooked because right now I am out of ideas and have lost track of how many settings I have changed and tested in an attempt to get this to work. If there is anyone out there who might be able to assist with the issue, I'd be ever so grateful.
LBH the 3rd
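The flow described in the post (browser POSTs the credentials to the controller's /cgi-bin/login, the controller answers with a 302 whose Location carries errmsg=Access denied) can be reproduced and classified outside the browser, which makes it easier to tell a controller-side rejection apart from a successful login redirect. The script below is an added example, not code from the thread or from Aruba; it assumes the login form posts the fields `user`, `password` and `cmd=authenticate` (the field names in the thread are not shown, so these are assumptions), and it deliberately does not follow redirects, because following them is exactly what turns the 302 into the loop the poster sees.

```python
"""Probe an ArubaOS captive-portal login the way the browser does and
classify the 302 it sends back, without following the redirect.

Added example, not from the original thread. Assumed (not confirmed by the
thread): the portal's login form posts the fields 'user', 'password' and
'cmd=authenticate' to /cgi-bin/login on the controller.
"""
import ssl
import http.client
from urllib.parse import urlparse, parse_qs, urlencode

ACCESS_DENIED = "access_denied"   # controller rejected the login (errmsg in Location)
AUTHENTICATED = "authenticated"   # controller redirected without an error message
NO_REDIRECT = "no_redirect"       # controller did not process the login at all

# Constructed sample of the reply the poster describes (not a real capture).
SAMPLE_STATUS = 302
SAMPLE_LOCATION = "?errmsg=Access denied"


def classify_login_response(status, location):
    """Classify a /cgi-bin/login reply from its status and Location header.

    Returns (verdict, errmsg). A 302 whose Location query carries errmsg=...
    is a controller-side rejection; a 302 without errmsg is the post-login
    redirect, i.e. the user was authenticated. Anything else means the
    controller never ran the login at all.
    """
    if status != 302 or not location:
        return NO_REDIRECT, None
    # Location may be relative ('?errmsg=Access denied') or an absolute URL;
    # urlparse handles both and parse_qs decodes %20 / '+' in the value.
    params = parse_qs(urlparse(location).query)
    if "errmsg" in params:
        return ACCESS_DENIED, params["errmsg"][0]
    return AUTHENTICATED, None


def post_login(controller_host, username, password, verify_tls=True, timeout=10):
    """POST the credentials to the controller and return (status, location).

    Redirects are intentionally not followed so the errmsg stays visible.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab use only, when the portal certificate is untrusted
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    # Assumed form field names; adjust to match the actual login page.
    body = urlencode({"user": username, "password": password, "cmd": "authenticate"})
    conn = http.client.HTTPSConnection(controller_host, timeout=timeout, context=ctx)
    try:
        conn.request(
            "POST", "/cgi-bin/login", body=body,
            headers={"Content-Type": "application/x-www-form-urlencoded"},
        )
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:
        host, user, pw = sys.argv[1:4]
        status, location = post_login(host, user, pw)
    else:
        status, location = SAMPLE_STATUS, SAMPLE_LOCATION
    verdict, msg = classify_login_response(status, location)
    print(f"status={status} location={location!r} verdict={verdict} errmsg={msg!r}")
```

Run it as `python probe.py <controller-ip-or-name> <guest-user> <guest-password>` from a client that is already in the initial guest role; with no arguments it classifies the constructed sample. If the verdict is `access_denied` while ClearPass shows no user-auth request for that username, the rejection happened before any RADIUS exchange, which narrows the search to the controller's captive-portal profile and its server group rather than the ClearPass guest service.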
Do you have the ClearPass server (the one receiving the MAC Auth) configured as Radius authentication server in the Controller's captive portal profile?
Thank you for the reply. Always nice to know that I'm not alone in the networking world! The initial role of the wireless network, let's call it first-role, has Clearpass configured in its Captive Portal tab. The correct captive portal profile is also referenced within the role's More -> Authentication -> Captive portal profile.
Below is where I have selected the server group of the actual captive portal profile.
One of the things I'm trying to work out is how the controller comes to the conclusion that access is to be denied if the user request is never making it to Clearpass. Given that mac auth gets to Clearpass and that the user receives the go away message, there must be a user auth request that goes somewhere or that has been misconfigured not to happen. Where or what that is, I've no idea.
I would like to say, of course I checked the event viewer, and honestly, I had checked the event viewer. The big but is that I had only checked the event viewer for clearpass-01 and not clearpass-02. And what was in the event viewer of 02? Lots and lots of radius mis-matching key errors! I was terribly excited to change that key and see my guest network working, but it was not to be.
After noticing the error, I really thought that the user auth was being balanced to clearpass-02, but after having updated the radius key, I still do not see the user auth request and I am still getting the HTTP 302 with access denied.
And to answer your question about the certificate, yes, I have changed the default certificate. My customer uses a wildcard certificate, *.my-domain.com, and in the Clearpass login page we use captiveportal-login.my-domain.com.
When the client performs that POST to the controller, we see an HTTPS URL with the correct certificate.
Thank you for your input and suggestions. When I saw the errors in the event log of clearpass-02, I thought: 'Victor, you've done it again!'. And to be fair, you certainly made me find an error. Thank you! Now I just need to find the error which is plaguing my guest network.
Apologies, that is information that I should have included earlier. This is running Aruba OS 8.5.10_76206. The two mobility masters and the two controllers are all running the same software. The controllers are a pair of 7205 controllers.
I hope you have the "User Login:" enabled in the Captive Portal profile configuration.
You may open a TAC case to review your configuration and troubleshoot this further.
I wouldn't be seen dead without user login enabled. I've got a TAC case open and will fill in the blanks here.
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.