I try to deploy ClearPass with Cisco WLC, so that when a user connects to the wifi, it will redirect to the ClearPass captive portal for authentication.
- Clear Pass IP address: 192.168.1.210/23
- Cisco WLC IP address: 192.168.0.56/23
- GW: 192.168.0.1/23
When connecting to the wifi and trying to access google.com, it can redirect to the ClearPass captive portal; however, after successful login it does not redirect to google.com, it redirects to the Cisco WLC IP address and cannot browse any website. When I try to access google.com again, it also redirects to the ClearPass captive portal again and again in a loop.
The settings for Cisco WLC and ClearPass are attached.
Thanks a lot for your help.
I DropBoxed a folder with important info for you. (Link at the bottom of this post)
Please download and read a bit.
Here is the link: (might contain duplicate docs, but important and helpful info)
Let us know if you figure out where your misconfiguration is.
Have a great day.
The document is for Aruba Wireless integration with ClearPass, but in my scenario it uses a Cisco Wireless Controller 2504 instead of an Aruba Wireless Controller. And for this part (as attachment), I'm not sure which IP address I need to specify as the correct one: if I put the ClearPass IP address, it redirects to the ClearPass welcome page after successful guest login, not to google.com as I typed in the web page. If I put the Cisco WLC IP address, it cannot browse to any web page although guest login is successful.
Please read here: (those are CPPM to Cisco docs)
You need to configure more things (not only the Guest portal).
You might find useful info also here:
please help to resend the link :)
The Access Tracker logs display nothing.
Can you tell me what service I need to configure for the Cisco WLC authentication (as attachment), because before I tried the 802.1X Wireless service, but the error is still the same as I mentioned above. Now I'm using ClearPass Policy Manager version 184.108.40.206730.
So the configuration as attachment is correct?
Now the version for CPPM is 220.127.116.11730, so when you say I need to upgrade to 6.2.4, is it a downgrade or an upgrade?
Many different solutions here and I'm sure you're just as confused as when you started.
These are two decent ways of implementing Guest access:
* Controller initiated - this is the most normal use case and authentication is done by your client doing an HTTP POST towards the login.html of the Controller. Works on all Aruba WLCs and all Cisco WLCs except 3850/5760 using IOS XE.
* Server initiated - this involves MAC authentication and RADIUS CoA and is quite confusing to implement. The documents listed in the previous post in regard to wired Cisco are all about this, but they are not complete, so try the first method before trying this. This method is a requirement for Cisco WLC using IOS XE (3850/5760).
Controller initiated works more or less right out of the box with ClearPass when using a Cisco 2504 WLC on 7.6.x.
* Click Configuration - Start here
* Select the Guest Access template, go through and fill in the variables. Save..
Make sure this new template is above the old ones you've created.
Since you're using self-registration there is no need for a pre-auth (webauth) service, but with a normal web-login you have a Radius or Local pre-auth and need to create a service for this.
* Select the Guest Access Web Login template, go through and fill in the variables. Save..
* Move this template above the other Guest template just to keep things clean.
For the Cisco setup you should just google for "cisco wlc external web auth" and find the multiple guides that exist out there (not CWA, as this uses CoA and MAC auth). You can follow a guide using Cisco ISE.
On the Cisco:
* Create your pre-auth ACL "web_auth" (Security - Access Control Lists) more or less like this:
Define your AAA servers
* Security - RADIUS - Authentication
* Security - RADIUS - accounting
Create your WLAN and edit the SSID to your liking, select the appropriate interface.
Edit the NAS-ID to something - if you want to use that in the CPPM Service later
Try it out and let us know how it turns out.
Hi sdr35 and jsolb,
It can work already; the problem is I changed the IP address from 18.104.22.168 to the Cisco WLC IP address, so after successful login it does not redirect to the Internet.
Thank you so much for your help ^ ^
I face this issue: after a user connects to the SSID, by default it will redirect to the ClearPass captive portal. However, it redirects to the Cisco WLC virtual IP address first (22.214.171.124); after the user clicks Proceed Anyway in the Chrome browser, only then can it redirect to the ClearPass Captive Portal web page. After successful login, it shows the WLC login successful web page for a while and then it disappears. So how can we configure it to redirect to the ClearPass IP first, without going to the Cisco WLC, and how can we configure the user logout page?
Thought you had this fixed?
So you're saying this is the current flow:
1. User connects to Guest-ssid
2. Tries to browse and is redirected to 126.96.36.199 (Cisco) and here gets a certificate error
3. User clicks continue, and is then redirected to CP on ClearPass
4. Logs in on ClearPass Captive Portal, is redirected to the login-page on WLC and stops there.
Try to do this using only HTTP first - just to eliminate any HTTPS nasties that usually follow in the initial setup process. I think that is why you see the error message on nr 2. You will need a valid SSL certificate installed on ClearPass that matches the FQDN you are redirected to, or just leave it on HTTP.
-> Go to Guest / Configuration / Authentication - remove checkbox for "Require HTTPS for guest access"
On the WLC you will need to manually input the page you want to be redirected to after successful login. In the 7.x GUI you do this on the same place where you input the External redirect login page:
Security > Web Auth > Web Login Page
Change the "Redirect URL after login" to the page you want to redirect the users to by default. I don't know a way to let them get to their initial url on Cisco.
In this place you also define the logout page.
As a reference you could just find a guide that uses Cisco ISE and Cisco WLC - and do normal webauth (not CWA/MAB). That should get you to where you need to be. The config on ClearPass seems to be correct on your part.
This might give you some more pointers on the WLC side of the configuration:
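As an added illustration (not code from the thread or from any vendor), here is a small Python checker that walks a captive-portal redirect chain of the kind described in the steps above and reports the two symptoms under discussion: an HTTPS hop to a bare IP (the certificate warning at step 2) and a final hop that lands on the WLC login page or back on the portal instead of the user's original URL, plus a repeat of an earlier URL (the loop from the first post). The host addresses and the sample chain are constructed placeholders, not the thread's real addresses.

```python
# Added example: classify the hops of a captive-portal redirect chain.
# Hosts below are constructed placeholders (RFC 5737 range), not real addresses.
from urllib.parse import urlparse
import ipaddress

WLC_HOSTS = {"192.0.2.1"}                              # stands in for the WLC virtual IP
PORTAL_HOSTS = {"192.0.2.10", "clearpass.example.com"}  # stands in for ClearPass

def is_bare_ip(host):
    """True when the URL host is a literal IP; an HTTPS hop to such a host
    cannot match a certificate CN/SAN issued for an FQDN, so the browser warns."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyse_redirect_chain(hops, wlc_hosts=WLC_HOSTS, portal_hosts=PORTAL_HOSTS):
    """hops: URLs in the order the client was sent to them; hops[0] is the URL
    the user typed. Returns a list of findings describing what is wrong."""
    findings = []
    seen = set()
    for i, url in enumerate(hops):
        p = urlparse(url)
        host = p.hostname or ""
        if url in seen:  # same URL again: the client is being bounced in a loop
            findings.append(f"hop {i}: loop, client sent back to {url}")
        seen.add(url)
        if p.scheme == "https" and is_bare_ip(host):
            findings.append(f"hop {i}: HTTPS to bare IP {host}, certificate warning expected")
    last = urlparse(hops[-1]).hostname
    if last in wlc_hosts:
        findings.append("final hop is the WLC login page: set 'Redirect URL after login'")
    elif last in portal_hosts:
        findings.append("final hop is the portal itself: post-login redirect never left ClearPass")
    return findings

# Constructed chain matching the four-step flow described in the post above.
SAMPLE_HOPS = [
    "http://google.com/",
    "https://192.0.2.1/login.html?redirect=google.com",
    "http://192.0.2.10/guest/weblogin.php",
    "http://192.0.2.1/login.html",
]

if __name__ == "__main__":
    for finding in analyse_redirect_chain(SAMPLE_HOPS):
        print(finding)
```

Feed it the Location headers captured from the browser's network tab to see which hop is misbehaving before touching the WLC or ClearPass settings.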
I've followed your instruction -> Go to Guest / Configuration / Authentication - remove checkbox for "Require HTTPS for guest access"; however, after I log in successfully from the captive portal, it cannot redirect to any web page. After changing it back, it comes back as you mentioned before:
And, after logging in on the ClearPass Captive Portal, one LOGOUT web page appears with IP address 188.8.131.52; can we change this 184.108.40.206 IP address to a hostname, or not make this web page display at all?
It looks like 220.127.116.11 is OK for you to use in this scenario, you will have to change that if you change on the WLC. You can also use hostname/fqdn as long as this is resolvable from the client.
Is 192.168.0.56 the IP address the WLC will communicate RADIUS traffic from?
What you explain here is usually the case when the Radius authentication doesn't go through. Do you get anything in the Access Tracker? If yes - what do you get?
If you uncheck require HTTPS, you must also adjust the settings on the WLC.
You have to allow HTTP and set WebAuth SecureWeb to Disabled. See the attached screen shot. Config --> Management --> HTTP-HTTPS
For me it was a little bit difficult to set this up. I have written a PDF on this issue, and I hope it will help others that ran into the issue using Cisco external web authentication along with Aruba ClearPass.
Well written Bo - thanks for sharing!!