Dear Herman
Wow, I feel honored that I get an answer from Herman himself ;)
Thanks for your reply. That was also my suggestion, but to be honest, there are no options to configure the pre-auth role, neither is it placed in the CLI config.
I tried the following to find out what the pre-auth role is and found that the role "External CP" is applied.
SMjsAP01# show clients
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 866(good)
a402b9ec8d67 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_Guest SMjsAP01 116E AC External CP fe80::511e:52c2:d856:32a6 76(good) 866(good)
Number of Clients :2
Info timestamp :319352
After authentication (the traditional way, without Google) I get the correct role.
SMjsAP01# show clients
Client List
-----------
Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 866(good)
jonas.stalder@gmx.ch 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_Guest SMjsAP01 116E AC LCN_ROL_GST fe80::511e:52c2:d856:32a6 76(good) 866(good)
Number of Clients :2
Info timestamp :319429
Therefore I would say that I need to configure the External CP role. But this role is shown neither in the config nor in the CLI:
SMjsAP01# show run
version 8.6.0.0-8.6.0
virtual-controller-country CH
virtual-controller-key xxx
name NMjsAPv01
virtual-controller-ip 10.54.173.14
terminal-access
ntp-server 10.54.173.1
clock timezone Bern 01 00
rf-band all
dynamic-radius-proxy
allow-new-aps
allowed-ap 70:3a:0e:cb:d5:ee
arm
wide-bands 5ghz
80mhz-support
min-tx-power 9
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode default-access
channel-quality-aware-arm-disable
client-aware
scanning
client-match
rf dot11g-radio-profile
max-distance 0
max-tx-power 9
min-tx-power 6
disable-arm-wids-functions off
free-channel-index 40
rf dot11a-radio-profile
max-distance 0
max-tx-power 18
min-tx-power 12
disable-arm-wids-functions off
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
extended-ssid
vlan-name INT_CLI
vlan-name EXT_GUEST
vlan INT_CLI 200
vlan EXT_GUEST 300
user user1 xxx portal
user user2 xxx portal
hash-mgmt-password
hash-mgmt-user admin password hash xxx
wlan access-rule CF_Corp
index 0
rule any any match any any any permit
wlan access-rule default_wired_port_profile
index 1
rule any any match any any any permit
wlan access-rule wired-SetMeUp
index 2
rule masterip 0.0.0.0 match tcp 80 80 permit
rule masterip 0.0.0.0 match tcp 4343 4343 permit
rule any any match udp 67 68 permit
rule any any match udp 53 53 permit
wlan access-rule CF_Guest
index 3
rule any any match any any any permit
wlan access-rule CF_BYOD
index 4
rule any any match any any any permit
wlan access-rule R_Byod
index 5
rule any any match any any any permit
wlan access-rule LCN_ROL_GST
index 6
rule apip 0.0.0.0 match any any any permit
rule masterip 0.0.0.0 match any any any permit
rule 10.54.172.1 255.255.255.255 match any any any permit
rule 10.54.172.0 255.255.255.128 match any any any deny
rule any any match any any any permit
wlan access-rule CF_CorpGuest
index 7
rule any any match any any any permit
wlan ssid-profile CF_Corp
enable
index 0
type employee
essid CF_Corp
opmode wpa2-aes
max-authentication-failures 0
vlan 200
auth-server LCNNAC1
rf-band all
captive-portal disable
dtim-period 1
broadcast-filter arp
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11k
dot11v
wlan ssid-profile CF_Guest
enable
index 1
type guest
essid CF_Guest
opmode opensystem
max-authentication-failures 0
vlan 300
auth-server LCNNAC1
rf-band all
captive-portal external profile LCN_CF-GP
mac-authentication
dtim-period 1
broadcast-filter arp
radius-reauth-interval 480
radius-accounting
radius-interim-accounting-interval 3
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
wlan ssid-profile CF_BYOD
enable
index 2
type employee
essid CF_BYOD
opmode opensystem
max-authentication-failures 0
vlan 302
auth-server LCNNAC1
rf-band all
captive-portal disable
mac-authentication
dtim-period 1
broadcast-filter arp
radius-reauth-interval 120
radius-accounting
radius-interim-accounting-interval 2
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
dot11k
dot11v
download-role
wlan ssid-profile CF_CorpGuest
enable
index 3
type guest
essid CF_CorpGuest
opmode opensystem
max-authentication-failures 0
vlan 300
auth-server LCNNAC1
rf-band all
captive-portal external profile LCN-CF-CorpGuest
mac-authentication
dtim-period 1
broadcast-filter arp
radius-reauth-interval 480
radius-accounting
radius-interim-accounting-interval 3
dmo-channel-utilization-threshold 90
local-probe-req-thresh 0
max-clients-threshold 64
auth-survivability cache-time-out 24
wlan auth-server LCNNAC1
ip nac1.leuchter-cloud.ch
port 1812
acctport 1813
key 1b64c4b377f8320aaa24f74a5ea0f62afdbdffb83890131a
nas-id NMjsAP01
rfc5997
rfc3576
cppm-rfc3576-port 5999
service-type-framed-user 1x
service-type-framed-user mac
wlan captive-portal
background-color 16777215
banner-color 16750848
banner-text "Welcome to Guest Network"
terms-of-use "This network is not secure, and use is at your own risk"
use-policy "Please read terms and conditions before using Guest Network"
authenticated
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
auto-whitelist-disable
https
wlan external-captive-portal LCN_CF-GP
server nac-guestportal.leuchter-cloud.ch
port 443
url "/guest/LCN-CF-GSP-SelfReg.php"
auth-text ""
redirect-url "https://www.leuchterag.ch"
auto-whitelist-disable
https
switch-ip
wlan external-captive-portal LCN-CF-CorpGuest
server nac-guestportal.leuchter-cloud.ch
port 443
url "/guest/LCN-CF-GSP-Sponsoring.php"
auth-text ""
redirect-url "https://www.leuchterag.ch"
auto-whitelist-disable
https
switch-ip
blacklist-time 3600
auth-failure-blacklist-time 3600
ids
wireless-containment none
wired-port-profile wired-SetMeUp
switchport-mode access
allowed-vlan all
native-vlan guest
no shutdown
access-rule-name wired-SetMeUp
speed auto
duplex auto
no poe
type guest
captive-portal disable
no dot1x
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan all
native-vlan 1
shutdown
access-rule-name default_wired_port_profile
speed auto
duplex full
no poe
type employee
captive-portal disable
no dot1x
enet0-port-profile default_wired_port_profile
uplink
preemption
enforce none
failover-internet-pkt-lost-cnt 10
failover-internet-pkt-send-freq 30
failover-vpn-timeout 180
airgroup
disable
airgroupservice airplay
disable
description AirPlay
airgroupservice airprint
disable
description AirPrint
cluster-security
allow-low-assurance-devices
------------------------------
Jonas Stalder
------------------------------
Original Message:
Sent: Jan 04, 2022 10:11 AM
From: Herman Robers
Subject: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate
Make sure that you allow traffic to accounts.google.com (and other sites that are needed for the login) in your pre-authentication role. Or set up the pre-authentication role if you haven't yet.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
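One way to check the pre-authentication allowlist Herman describes against a config like the one Jonas posted, as an added example that is not part of this thread: it assumes the Instant `wlan walled-garden` / `white-list` block syntax and that accounts.google.com is the one host the Google sign-in needs (the real flow may need more).

```python
"""Audit an Aruba Instant `show run` excerpt: for each SSID with an external
captive portal, list pre-auth hosts (portal + IdP) the walled garden does not allow."""
import re

# Constructed excerpt modelled on the thread's config, with the indentation
# the IAP prints; the walled-garden block syntax is an assumption.
SAMPLE_CONFIG = """\
wlan ssid-profile CF_Corp
 captive-portal disable
wlan ssid-profile CF_Guest
 captive-portal external profile LCN_CF-GP
wlan external-captive-portal LCN_CF-GP
 server nac-guestportal.leuchter-cloud.ch
wlan walled-garden
 white-list nac-guestportal.leuchter-cloud.ch
"""
FIXED_CONFIG = SAMPLE_CONFIG + " white-list accounts.google.com\n"  # Herman's fix
# Pre-auth hosts per identity provider: only the one named in the thread.
IDP_HOSTS = {"google": ["accounts.google.com"]}
BLOCK_RE = re.compile(r"wlan (ssid-profile|external-captive-portal|walled-garden) ?(\S*)")

def parse_blocks(config):
    """Group sub-lines under their `wlan ...` header: {(kind, name): [lines]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("wlan "):                      # top-level block header
            m = BLOCK_RE.match(line)
            current = (m.group(1), m.group(2)) if m else None
            if current: blocks[current] = []
        elif line and current:
            blocks[current].append(line)
    return blocks

def allowed(host, allowlist):
    """True if an allowlist entry covers host; '*.example.com' is a wildcard."""
    return any(host == e or (e.startswith("*.") and host.endswith(e[1:]))
               for e in allowlist)

def audit(config, idp="google"):
    """Return {ssid: [pre-auth hosts missing from the walled garden]}."""
    blocks = parse_blocks(config)
    garden = blocks.get(("walled-garden", ""), [])
    allowlist = [ln.split()[1] for ln in garden if ln.startswith("white-list ")]
    report = {}
    for (kind, ssid), lines in blocks.items():
        cp = [ln for ln in lines if ln.startswith("captive-portal external profile ")]
        if kind != "ssid-profile" or not cp:
            continue                                      # no portal: no pre-auth role
        profile = blocks.get(("external-captive-portal", cp[0].split()[-1]), [])
        portal = [ln.split()[1] for ln in profile if ln.startswith("server ")]
        report[ssid] = [h for h in portal + IDP_HOSTS[idp] if not allowed(h, allowlist)]
    return report
```

A host reported as missing is one the client must reach with the IAP's captive-portal certificate in the way, which is exactly the interception Jonas saw on accounts.google.com.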
Original Message:
Sent: Jan 03, 2022 08:34 AM
From: Jonas Stalder
Subject: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate
Dear Guys
I am trying to create a guest portal on which guests can register themselves with a Google identity (or later others like LinkedIn...).
The setup is:
- IAP with guest network
- Authentication with external captive portal (Clearpass)
- Social Media Authentication with google+
Other services like guest sponsoring and self-registration work (on other configured networks). But Google+ auth does not, because as soon as I click the button, I get redirected to Google OAuth (as expected), but the controller intercepts the traffic to accounts.google.com/oauth/.... with the IAP's portal certificate (please see the screenshot). Is there a way to disable this for the needed destination?
Many thanks for your help in advance. Sincerely, Jonas
------------------------------
Jonas Stalder
------------------------------