Security

Hi everybody,

I try to configure captive-portal on our Aruba2530 and in ClearPass.

This is the profile i configured in ClearPass:


When I connect my PC to the switch I can see that the login is accepted in ClearPass, but no VLAN is assigned and the Captive-Portal-URL isn´t assigned. The termination cause says: NAS Error.


If i remove the HPE-Captive-Portal-URL from the profile, the login is accepted and the VLAN is assigned correctly.
Any hints?

------------------------------
Matthias Pohl
------------------------------

You need to add filters for dns, dhcp and web traffic to be able to start captive portal. Something like this:

1.	Radius:Hewlett-Packard-Enterprise	HPE-Captive-Portal-URL	=	http://your-clearpass/guest/your-page.php
2.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 80
3.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 443
4.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 80 cpy
5.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 443 cpy
6.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 53
7.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 67
8.	Radius:Hewlett-Packard-Enterprise	HPE-Egress-VLAN-Name	=	2VLAN401

------------------------------
Gorazd Kikelj
------------------------------

Original Message:
Sent: Jun 18, 2021 06:19 AM
From: Matthias Pohl
Subject: ClearPass Captive Portal Wired not working

Hi everybody,

I try to configure captive-portal on our Aruba2530 and in ClearPass.

This is the profile i configured in ClearPass:


When I connect my PC to the switch I can see that the login is accepted in ClearPass, but no VLAN is assigned and the Captive-Portal-URL isn´t assigned. The termination cause says: NAS Error.


If i remove the HPE-Captive-Portal-URL from the profile, the login is accepted and the VLAN is assigned correctly.
Any hints?

------------------------------
Matthias Pohl
------------------------------

Thx for your reply. Working fine now.

------------------------------
Matthias Pohl
------------------------------

Original Message:
Sent: Jun 19, 2021 05:43 AM
From: Gorazd Kikelj
Subject: ClearPass Captive Portal Wired not working

You need to add filters for dns, dhcp and web traffic to be able to start captive portal. Something like this:

1.	Radius:Hewlett-Packard-Enterprise	HPE-Captive-Portal-URL	=	http://your-clearpass/guest/your-page.php
2.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 80
3.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 443
4.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 80 cpy
5.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 443 cpy
6.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 53
7.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 67
8.	Radius:Hewlett-Packard-Enterprise	HPE-Egress-VLAN-Name	=	2VLAN401

------------------------------
Gorazd Kikelj

Original Message:
Sent: Jun 18, 2021 06:19 AM
From: Matthias Pohl
Subject: ClearPass Captive Portal Wired not working

Hi everybody,

I try to configure captive-portal on our Aruba2530 and in ClearPass.

This is the profile i configured in ClearPass:


When I connect my PC to the switch I can see that the login is accepted in ClearPass, but no VLAN is assigned and the Captive-Portal-URL isn´t assigned. The termination cause says: NAS Error.


If i remove the HPE-Captive-Portal-URL from the profile, the login is accepted and the VLAN is assigned correctly.
Any hints?

------------------------------
Matthias Pohl
------------------------------

Dear MatthiasP,

Can you give me some documentation on this?

------------------------------
tam nguyen duc
------------------------------

Original Message:
Sent: Jun 22, 2021 03:32 AM
From: Matthias Pohl
Subject: ClearPass Captive Portal Wired not working

Thx for your reply. Working fine now.

------------------------------
Matthias Pohl

Original Message:
Sent: Jun 19, 2021 05:43 AM
From: Gorazd Kikelj
Subject: ClearPass Captive Portal Wired not working

You need to add filters for dns, dhcp and web traffic to be able to start captive portal. Something like this:

1.	Radius:Hewlett-Packard-Enterprise	HPE-Captive-Portal-URL	=	http://your-clearpass/guest/your-page.php
2.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 80
3.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 443
4.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 80 cpy
5.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 443 cpy
6.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 53
7.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 67
8.	Radius:Hewlett-Packard-Enterprise	HPE-Egress-VLAN-Name	=	2VLAN401

------------------------------
Gorazd Kikelj

Original Message:
Sent: Jun 18, 2021 06:19 AM
From: Matthias Pohl
Subject: ClearPass Captive Portal Wired not working

Hi everybody,

I try to configure captive-portal on our Aruba2530 and in ClearPass.

This is the profile i configured in ClearPass:


When I connect my PC to the switch I can see that the login is accepted in ClearPass, but no VLAN is assigned and the Captive-Portal-URL isn´t assigned. The termination cause says: NAS Error.


If i remove the HPE-Captive-Portal-URL from the profile, the login is accepted and the VLAN is assigned correctly.
Any hints?

------------------------------
Matthias Pohl
------------------------------

Hi,
I´ve justed filled in the attributes Gorazd mentioned:


------------------------------
Matthias Pohl
------------------------------

Original Message:
Sent: Jul 06, 2021 11:46 PM
From: tam nguyen duc
Subject: ClearPass Captive Portal Wired not working

Dear MatthiasP,

Can you give me some documentation on this?

------------------------------
tam nguyen duc

Original Message:
Sent: Jun 22, 2021 03:32 AM
From: Matthias Pohl
Subject: ClearPass Captive Portal Wired not working

Thx for your reply. Working fine now.

------------------------------
Matthias Pohl

Original Message:
Sent: Jun 19, 2021 05:43 AM
From: Gorazd Kikelj
Subject: ClearPass Captive Portal Wired not working

You need to add filters for dns, dhcp and web traffic to be able to start captive portal. Something like this:

1.	Radius:Hewlett-Packard-Enterprise	HPE-Captive-Portal-URL	=	http://your-clearpass/guest/your-page.php
2.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 80
3.	Radius:IETF	NAS-Filter-Rule	=	permit in tcp from any to <clearpass-ip> 443
4.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 80 cpy
5.	Radius:IETF	NAS-Filter-Rule	=	deny in tcp from any to any 443 cpy
6.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 53
7.	Radius:IETF	NAS-Filter-Rule	=	permit in udp from any to any 67
8.	Radius:Hewlett-Packard-Enterprise	HPE-Egress-VLAN-Name	=	2VLAN401

------------------------------
Gorazd Kikelj

Original Message:
Sent: Jun 18, 2021 06:19 AM
From: Matthias Pohl
Subject: ClearPass Captive Portal Wired not working

Hi everybody,

I try to configure captive-portal on our Aruba2530 and in ClearPass.

This is the profile i configured in ClearPass:


When I connect my PC to the switch I can see that the login is accepted in ClearPass, but no VLAN is assigned and the Captive-Portal-URL isn´t assigned. The termination cause says: NAS Error.


If i remove the HPE-Captive-Portal-URL from the profile, the login is accepted and the VLAN is assigned correctly.
Any hints?

------------------------------
Matthias Pohl
------------------------------