Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

  • 1.  ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    MVP
    Posted Sep 03, 2021 03:40 AM
    Hi everybody,

    I'm trying to implement a guest access captive portal redirect. I've set up everything on my switch and in ClearPass. The redirect is working, but the captive portal page fails to load with: ERR_SSL_PROTOCOL_ERROR

    I've already implemented captive portal for wireless and there everything is working fine.

    I've duplicated the self registration page, which is used for wireless, changed "Name" and "Register Page". Am I missing something?

    ------------------------------
    Matthias Pohl
    ------------------------------


  • 2.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    MVP
    Posted Sep 03, 2021 06:54 AM
    Okay, I forgot to install the certificate on the switch.


    But now I'm stuck at:

    Connect to a network
    The network you're using may require you to go to its sign-in page.





    ------------------------------
    Matthias Pohl
    ------------------------------



  • 3.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    EMPLOYEE
    Posted Sep 03, 2021 09:45 AM
    What type of switch?
    Can you connect to the ClearPass when the switch is showing the captive portal (ClearPass should be exempted from redirection)?
    What is showing that message? Can you see a URL? Can you reach that URL manually?

    Maybe easiest to find someone to have a look together in the live environment. There are some wired guest videos on the Airheads Broadcasting Channel for AOS Switch and AOS CX as well.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    MVP
    Posted Sep 03, 2021 10:20 AM
    Hi Herman,

    I've tested with an Aruba 2530 and an Aruba 2540.
    The client is redirected to the Selfregistration page, but the page isn't loaded. Just showing (in the browser):

    Connect to a network
    The network you're using may require you to go to its sign-in page.

    I will check the videos for AOS switch.

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 5.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    EMPLOYEE
    Posted Sep 03, 2021 10:46 AM
    Did you create a rule to allow traffic to ClearPass through your captive portal? From what you describe, it may be that the client is redirected when it tries to go to ClearPass as well.

    ------------------------------
    Herman Robers
    ------------------------------



  • 6.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    MVP
    Posted Sep 17, 2021 07:47 AM
    Hi Herman,

    I've used the wrong CPPM IP. After changing the IP to the DataPort-IP, the redirection to the Selfregistration-Page works fine.
    But now I'm stuck at the next problem. I was able to register a new guest account, but when I try to log in with my guest account, I get redirected to the selfregistration page again...

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 7.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    EMPLOYEE
    Posted Sep 17, 2021 02:43 PM
    Hi Matthias,

    As you are working with CP, I assume you have already changed the vendor setting to "Server Initiated" under the Guest Registration page.
    And CoA is already set up along with a WebAuth + MAC Auth service.
    If the above is done, do you see a WebAuth request on Access Tracker when you log in? If you do see it, then are we getting a successful CoA (we should see one more MAC auth after WebAuth), which will change the role to post? Otherwise you would be redirected back to the login page.
    Here either you could refer to the Wired Policy Guide (https://support.hpe.com/hpesc/public/docDisplay?docId=a00091135en_us) or you could raise a TAC case to review the config.

    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP | Aruba Software
    ------------------------------



  • 8.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    MVP
    Posted Sep 18, 2021 02:05 PM
    Hi Sandeep,

    First I see the MACAuth on Access Tracker (Username=MAC). Then I get redirected to the GuestRegistration page. Then I move to the Sign In Page (I've already registered a new account). I enter user and password and see a WebAuth on AccessTracker (Username=eMail), but then I get redirected to the GuestRegistration Page.

    I tried to adapt the Wired Policy Guide to my needs...

    Kind regards
    Matthias

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 9.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    EMPLOYEE
    Posted Sep 19, 2021 10:24 AM
    Hi Matthias,

    Alright, so the only pending part is the CoA. Do you see a CoA tab on the first MAC Auth request, and is it successful or failed?
    Also, even if the CoA is failing, if you disconnect and connect back into the network, do you have full access to the network or does it still redirect back to the portal page?
    For the CoA test, you could open the MAC Auth request on Access Tracker and try triggering CoA from there.


    ------------------------------
    SANDEEP YADAV
    Global Escalation Center, ACCP
    ------------------------------



  • 10.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    MVP
    Posted Sep 19, 2021 01:23 PM
    Hi Sandeep,

    I don't see a CoA tab on the first MAC auth request. If I disconnect and connect back, I'm redirected to the portal page.
    I tried to trigger a CoA from the AccessTracker, but it fails (no response from device). I've checked the firewall and I see port 3799 (Radius Dynauth) is blocked (source: CPPM, destination: Switch). I'll have to check with the firewall team, I have only read-only access to the firewall...

    ------------------------------
    Matthias Pohl
    ------------------------------



  • 11.  RE: ClearPass Captive Portal Wired SSL_PROTOCOL_ERROR

    EMPLOYEE
    Posted Sep 20, 2021 03:47 AM
    Matthias,

    It's really hard to see what is going wrong. It may be best to work with your partner or Aruba support to troubleshoot the steps.

    How the steps should work for ArubaOS wired external captive portal/service initiated workflow:
    - Client enters the network, a MAC authentication goes to ClearPass and ClearPass returns a role/attributes to redirect the client to the ClearPass captive portal
    - Client redirects to ClearPass captive portal
    - User registers/signs in
    - ClearPass authenticates the user (webauth), updates endpoint database, triggers CoA port bounce
    - Client is disconnected, and reconnected, switch will send another MAC authentication.
    - ClearPass will return normal access role based on cached roles or endpoint database attributes.

    There should be no certificate warnings anywhere in this process, and the switch does not need a certificate. Just ClearPass needs trusted certificates.

    ------------------------------
    Herman Robers
    ------------------------------
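
Added example, not part of any post in this thread and not ClearPass or Aruba code: a small triage function that walks the workflow listed in post 11 over a client's authentication events and reports the first step that did not complete, as with the unanswered CoA in post 10. The event records, their field names, the role names and the MAC address are hypothetical and constructed for illustration; they are not an Access Tracker export format.

```python
# Added example: event records and field names are hypothetical,
# not a ClearPass export format.
WORKFLOW = [
    ("MAC_AUTH", "first MAC authentication returns the captive portal redirect role"),
    ("WEBAUTH", "user signs in on the ClearPass portal (WebAuth)"),
    ("COA", "ClearPass triggers the CoA port bounce on the switch"),
    ("MAC_AUTH", "switch sends a second MAC authentication after the bounce"),
]
REDIRECT_ROLE = "guest-redirect"  # assumed name of the pre-login role


def diagnose(events, mac):
    """Return (step_number, step_description, reason) for the first workflow
    step that did not complete for this client, or None if all steps did."""
    seq = [e for e in events if e["mac"] == mac]
    pos, last = 0, None
    for number, (kind, description) in enumerate(WORKFLOW, start=1):
        # Steps must occur in order, so only look at events after the previous match.
        idx = next((i for i in range(pos, len(seq)) if seq[i]["type"] == kind), None)
        if idx is None:
            return (number, description, "no matching event recorded")
        if seq[idx]["result"] != "ok":
            return (number, description, seq[idx]["result"])
        pos, last = idx + 1, seq[idx]
    # The re-authentication happened, but the client is still in the portal role.
    if last.get("role") == REDIRECT_ROLE:
        return (4, WORKFLOW[3][1], "second MAC authentication still returned the redirect role")
    return None


def ev(kind, result="ok", role=None, mac="aa:bb:cc:00:00:01"):
    """Build one constructed event record."""
    return {"mac": mac, "type": kind, "result": result, "role": role}


# Constructed sample data: the situation from post 10 (CoA gets no answer,
# client reconnects and lands on the portal again) ...
STALLED = [ev("MAC_AUTH", role=REDIRECT_ROLE), ev("WEBAUTH"),
           ev("COA", result="no response from device"),
           ev("MAC_AUTH", role=REDIRECT_ROLE)]
# ... and a run in which every step completes.
HEALTHY = [ev("MAC_AUTH", role=REDIRECT_ROLE), ev("WEBAUTH"), ev("COA"),
           ev("MAC_AUTH", role="guest")]

if __name__ == "__main__":
    print(diagnose(STALLED, "aa:bb:cc:00:00:01"))
    print(diagnose(HEALTHY, "aa:bb:cc:00:00:01"))
```

A result pointing at step 3 matches the thread's finding: the CoA from ClearPass to the switch on port 3799 has to be permitted by any firewall in between.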