Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

  • 1.  IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 03, 2022 08:35 AM
    Dear Guys

    I am trying to create a guest portal on which guests can register themselves with a Google identity (or later others, like LinkedIn...).

    The setup is:
    - IAP with guest network
    - Authentication with external captive portal (ClearPass)
    - Social media authentication with Google+

    Other services like guest sponsoring and self-registration work (on other configured networks). But Google+ auth does not, because as soon as I click the button, I get redirected to Google OAuth (as expected), but the controller intercepts the traffic to accounts.google.com/oauth/.... with the IAP's portal certificate (please see the screenshot). Is there a way to disable this for the needed destination?

    Many thanks for your help in advance. Sincerely, Jonas

    ------------------------------
    Jonas Stalder
    ------------------------------


  • 2.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    EMPLOYEE
    Posted Jan 04, 2022 10:12 AM
    Make sure that you allow traffic to accounts.google.com (and other sites that are needed for the login) in your pre-authentication role. Or set up the pre-authentication role if you haven't yet.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 05, 2022 04:36 AM
    Dear Herman

    Wow, I feel honored to get an answer from Herman himself ;)

    Thanks for your reply. That was also my suggestion, but to be honest, there are no options to configure the pre-auth role, nor is it present in the CLI config.

    I tried the following to find out what the pre-auth role is, and found that the role "External CP" is applied.

    SMjsAP01# show clients

    Client List
    -----------
    Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
    ---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
    host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 866(good)
    a402b9ec8d67 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_Guest SMjsAP01 116E AC External CP fe80::511e:52c2:d856:32a6 76(good) 866(good)
    Number of Clients :2
    Info timestamp :319352

    After authentication (the traditional way, without Google) I get the correct role.

    SMjsAP01# show clients

    Client List
    -----------
    Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
    ---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
    host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 866(good)
    jonas.stalder@gmx.ch 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_Guest SMjsAP01 116E AC LCN_ROL_GST fe80::511e:52c2:d856:32a6 76(good) 866(good)
    Number of Clients :2
    Info timestamp :319429

    Therefore I would say that I need to configure the External CP role. But this role is shown neither in the config nor in the CLI.



    SMjsAP01# show run
    version 8.6.0.0-8.6.0
    virtual-controller-country CH
    virtual-controller-key xxx
    name NMjsAPv01
    virtual-controller-ip 10.54.173.14
    terminal-access
    ntp-server 10.54.173.1
    clock timezone Bern 01 00
    rf-band all
    dynamic-radius-proxy

    allow-new-aps
    allowed-ap 70:3a:0e:cb:d5:ee

    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 9
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning
    client-match

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless



    extended-ssid

    vlan-name INT_CLI
    vlan-name EXT_GUEST
    vlan INT_CLI 200
    vlan EXT_GUEST 300

    user user1 xxx portal
    user user2 xxx portal

    hash-mgmt-password
    hash-mgmt-user admin password hash xxx



    wlan access-rule CF_Corp
    index 0
    rule any any match any any any permit

    wlan access-rule default_wired_port_profile
    index 1
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 2
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule CF_Guest
    index 3
    rule any any match any any any permit

    wlan access-rule CF_BYOD
    index 4
    rule any any match any any any permit

    wlan access-rule R_Byod
    index 5
    rule any any match any any any permit

    wlan access-rule LCN_ROL_GST
    index 6
    rule apip 0.0.0.0 match any any any permit
    rule masterip 0.0.0.0 match any any any permit
    rule 10.54.172.1 255.255.255.255 match any any any permit
    rule 10.54.172.0 255.255.255.128 match any any any deny
    rule any any match any any any permit

    wlan access-rule CF_CorpGuest
    index 7
    rule any any match any any any permit

    wlan ssid-profile CF_Corp
    enable
    index 0
    type employee
    essid CF_Corp
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 200
    auth-server LCNNAC1
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    dot11k
    dot11v

    wlan ssid-profile CF_Guest
    enable
    index 1
    type guest
    essid CF_Guest
    opmode opensystem
    max-authentication-failures 0
    vlan 300
    auth-server LCNNAC1
    rf-band all
    captive-portal external profile LCN_CF-GP
    mac-authentication
    dtim-period 1
    broadcast-filter arp
    radius-reauth-interval 480
    radius-accounting
    radius-interim-accounting-interval 3
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile CF_BYOD
    enable
    index 2
    type employee
    essid CF_BYOD
    opmode opensystem
    max-authentication-failures 0
    vlan 302
    auth-server LCNNAC1
    rf-band all
    captive-portal disable
    mac-authentication
    dtim-period 1
    broadcast-filter arp
    radius-reauth-interval 120
    radius-accounting
    radius-interim-accounting-interval 2
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    dot11k
    dot11v
    download-role

    wlan ssid-profile CF_CorpGuest
    enable
    index 3
    type guest
    essid CF_CorpGuest
    opmode opensystem
    max-authentication-failures 0
    vlan 300
    auth-server LCNNAC1
    rf-band all
    captive-portal external profile LCN-CF-CorpGuest
    mac-authentication
    dtim-period 1
    broadcast-filter arp
    radius-reauth-interval 480
    radius-accounting
    radius-interim-accounting-interval 3
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24



    wlan auth-server LCNNAC1
    ip nac1.leuchter-cloud.ch
    port 1812
    acctport 1813
    key 1b64c4b377f8320aaa24f74a5ea0f62afdbdffb83890131a
    nas-id NMjsAP01
    rfc5997
    rfc3576
    cppm-rfc3576-port 5999
    service-type-framed-user 1x
    service-type-framed-user mac

    wlan captive-portal
    background-color 16777215
    banner-color 16750848
    banner-text "Welcome to Guest Network"
    terms-of-use "This network is not secure, and use is at your own risk"
    use-policy "Please read terms and conditions before using Guest Network"
    authenticated

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https

    wlan external-captive-portal LCN_CF-GP
    server nac-guestportal.leuchter-cloud.ch
    port 443
    url "/guest/LCN-CF-GSP-SelfReg.php"
    auth-text ""
    redirect-url "https://www.leuchterag.ch"
    auto-whitelist-disable
    https
    switch-ip

    wlan external-captive-portal LCN-CF-CorpGuest
    server nac-guestportal.leuchter-cloud.ch
    port 443
    url "/guest/LCN-CF-GSP-Sponsoring.php"
    auth-text ""
    redirect-url "https://www.leuchterag.ch"
    auto-whitelist-disable
    https
    switch-ip


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none


    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180



    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint





    cluster-security
    allow-low-assurance-devices


    ------------------------------
    Jonas Stalder
    ------------------------------



  • 4.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 05, 2022 04:45 AM
    ... just to say, the profile and SSID I am trying Google auth on is CF_CorpGuest (not CF_Guest), as in the screenshot. That was just to show the role attached, sorry (below is the show clients output with the correct SSID; the auth role stays the same, External CP).

    SMjsAP01# show clients

    Client List
    -----------
    Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
    ---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
    host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 6(poor)
    a402b9ec8d67 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_CorpGuest SMjsAP01 116E AC External CP fe80::511e:52c2:d856:32a6 76(good) 866(good)
    Number of Clients :2
    Info timestamp :320182

    ------------------------------
    Jonas Stalder
    ------------------------------



  • 5.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate
    Best Answer

    EMPLOYEE
    Posted Jan 05, 2022 07:46 AM
    Jonas,

    You can assign the pre-auth role if you select (external) captive portal and then in the Access step:


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 05, 2022 07:45 AM
    With your hint regarding the pre-auth role I figured it out. See the configuration in the screenshot, for other users.

    As you said, a pre-auth role is needed that allows access to Google. One needs to be careful regarding the URLs: I also had to add accounts.google.ch (because Google thinks I'm from Switzerland, which is correct). After adding it, it was working.

    I'll trim down the pre-auth role, but the screenshots should describe the solution clearly.

    Thanks for your help, Herman!








    ------------------------------
    Jonas Stalder
    ------------------------------
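The thread's fix is a walled garden: before the guest authenticates, the IAP puts the client in a pre-authentication role, and every TLS destination that role does not permit is intercepted by the captive portal and answered with the IAP's own certificate, which is exactly the browser error the original poster saw on accounts.google.com. The regional hop to accounts.google.ch shows why the allowlist has to be derived from the redirect chain the browser actually follows, not guessed. The script below is an added example and is not code from the thread, from ClearPass or from HPE Aruba Networking. It takes a redirect chain (here a constructed sample; in practice, the Location headers captured from the browser's network tab on the guest SSID) and a list of hosts the pre-auth role permits, and reports which hosts the portal would still intercept. A second function does a live verified-TLS probe from a guest client, which needs network access and is not exercised offline. The guest-portal hostname and the paths in the sample are taken from the thread's configuration; the Google paths and query strings are illustrative, and a real Google login also pulls static assets from further hosts that a capture will reveal.

```python
"""Walled-garden coverage check for a captive-portal pre-authentication role.

Added example (not from the thread or from HPE Aruba Networking). Models the
behaviour described in the thread: hosts not permitted by the pre-auth role
are intercepted by the portal and served the IAP's own certificate.
"""
from __future__ import annotations

import socket
import ssl
from fnmatch import fnmatch
from urllib.parse import urlparse

# Constructed sample of the redirect chain a browser follows when a guest
# clicks "Sign in with Google" on the ClearPass self-registration page.
# The accounts.google.ch hop mirrors what the original poster reported.
SAMPLE_REDIRECT_CHAIN = [
    "https://nac-guestportal.leuchter-cloud.ch/guest/LCN-CF-GSP-Sponsoring.php",
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example&redirect_uri=example",
    "https://accounts.google.ch/ServiceLogin?continue=example",
    "https://accounts.google.com/signin/oauth/consent",
    "https://nac-guestportal.leuchter-cloud.ch/guest/social_login.php?code=example",
]


def hosts_in_chain(urls: list[str]) -> list[str]:
    """Distinct hostnames, in first-seen order, that the redirect chain touches."""
    seen: list[str] = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host not in seen:
            seen.append(host)
    return seen


def intercepted_hosts(urls: list[str], allowed_patterns: list[str]) -> list[str]:
    """Hosts in the chain that no allow pattern matches.

    Each such host is one the pre-auth role does not permit, so the portal
    would intercept the TLS connection and the login would fail there.
    Patterns use shell-style wildcards, e.g. '*.google.com'.
    """
    return [
        host
        for host in hosts_in_chain(urls)
        if not any(fnmatch(host, pattern) for pattern in allowed_patterns)
    ]


def live_tls_check(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Run from a client sitting in the pre-auth role (needs network access).

    Returns 'ok' when a certificate chain valid for `host` is presented,
    'intercepted' when verification fails (the portal answered with the
    IAP certificate instead of the real server), or 'unreachable' on any
    other socket or TLS error.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()
        return "ok"
    except ssl.SSLCertVerificationError:
        return "intercepted"
    except (OSError, ssl.SSLError):
        return "unreachable"


if __name__ == "__main__":
    # Allowlist as the thread's first attempt: portal plus accounts.google.com only.
    before = ["nac-guestportal.leuchter-cloud.ch", "accounts.google.com"]
    # Allowlist after the fix reported in the thread.
    after = before + ["accounts.google.ch"]
    print("still intercepted before fix:", intercepted_hosts(SAMPLE_REDIRECT_CHAIN, before))
    print("still intercepted after fix: ", intercepted_hosts(SAMPLE_REDIRECT_CHAIN, after))
    for host in hosts_in_chain(SAMPLE_REDIRECT_CHAIN):
        print(f"{host}: {live_tls_check(host)}")
```

Feed `intercepted_hosts` the full chain from a real capture rather than the sample: whatever it returns is the list of destinations still missing from the pre-auth role. Re-running `live_tls_check` from the guest SSID after each change confirms that the real certificate, not the IAP's, is now reaching the client for every host in the chain.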