Wireless Access

 View Only
last person joined: yesterday 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

Jump to Best Answer
This thread has been viewed 22 times
  • 1.  IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 03, 2022 08:35 AM
    Dear Guys

    I try to create a guest portal on which the guests can register them self with a google identity (or later others like linked in...).

    The setup is:
    - IAP with guest network
    - Authentication with external captive portal (Clearpass)
    - Social Media Authentication with google+

    Other services like guest sponsoring and self reg. works (on other configured networks). But google+ auth does not, because as soon as i click the button, I would get redirected to google OAUTH (as expected). but the controller intercepts the traffic to accounts.google.com/oauth/.... with the IAPs portal certificate (please see printscrren). Is there a way to disable this for the needed destination?

    Many thanks for your help in advance, sincerely jonas

    ------------------------------
    Jonas Stalder
    ------------------------------


  • 2.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    EMPLOYEE
    Posted Jan 04, 2022 10:12 AM
    Make sure that you allow traffic to accounts.google.com (and other sites that are needed for the login) in your pre-authentication role. Or set up the pre-authentication role if you haven't yet.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 05, 2022 04:36 AM
      |   view attached
    Dear Herman

    wow, feel honored that I get an answer from Herman itself ;)

    Thanks for your reply. That was also my suggestion, but to be onest, there are no options to configure the pre-auth role nether it is placed in the cli config.

    I tried following thing to find out what the pre-auth role is and got the finding, that the role "External CP" is applied.

    SMjsAP01# show clients

    Client List
    -----------
    Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
    ---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
    host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 866(good)
    a402b9ec8d67 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_Guest SMjsAP01 116E AC External CP fe80::511e:52c2:d856:32a6 76(good) 866(good)
    Number of Clients :2
    Info timestamp :319352

    After authentication (on traditional way without google) I get the correct role.

    SMjsAP01# show clients

    Client List
    -----------
    Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
    ---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
    host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 866(good)
    jonas.stalder@gmx.ch 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_Guest SMjsAP01 116E AC LCN_ROL_GST fe80::511e:52c2:d856:32a6 76(good) 866(good)
    Number of Clients :2
    Info timestamp :319429

    Therefore I would say that I need to configure the External CP role. But this role is not shown in config neither in cli



    SMjsAP01# show run
    version 8.6.0.0-8.6.0
    virtual-controller-country CH
    virtual-controller-key xxx
    name NMjsAPv01
    virtual-controller-ip 10.54.173.14
    terminal-access
    ntp-server 10.54.173.1
    clock timezone Bern 01 00
    rf-band all
    dynamic-radius-proxy

    allow-new-aps

    allowed-ap 70:3a:0e:cb:d5:ee



    arm
    wide-bands 5ghz
    80mhz-support
    min-tx-power 9
    max-tx-power 127
    band-steering-mode prefer-5ghz
    air-time-fairness-mode default-access
    channel-quality-aware-arm-disable
    client-aware
    scanning
    client-match

    rf dot11g-radio-profile
    max-distance 0
    max-tx-power 9
    min-tx-power 6
    disable-arm-wids-functions off
    free-channel-index 40

    rf dot11a-radio-profile
    max-distance 0
    max-tx-power 18
    min-tx-power 12
    disable-arm-wids-functions off


    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless



    extended-ssid



    vlan-name INT_CLI
    vlan-name EXT_GUEST
    vlan INT_CLI 200
    vlan EXT_GUEST 300










    user user1 xxx portal
    user user2 xxx portal




    hash-mgmt-password
    hash-mgmt-user admin password hash xxx



    wlan access-rule CF_Corp
    index 0
    rule any any match any any any permit

    wlan access-rule default_wired_port_profile
    index 1
    rule any any match any any any permit

    wlan access-rule wired-SetMeUp
    index 2
    rule masterip 0.0.0.0 match tcp 80 80 permit
    rule masterip 0.0.0.0 match tcp 4343 4343 permit
    rule any any match udp 67 68 permit
    rule any any match udp 53 53 permit

    wlan access-rule CF_Guest
    index 3
    rule any any match any any any permit

    wlan access-rule CF_BYOD
    index 4
    rule any any match any any any permit

    wlan access-rule R_Byod
    index 5
    rule any any match any any any permit

    wlan access-rule LCN_ROL_GST
    index 6
    rule apip 0.0.0.0 match any any any permit
    rule masterip 0.0.0.0 match any any any permit
    rule 10.54.172.1 255.255.255.255 match any any any permit
    rule 10.54.172.0 255.255.255.128 match any any any deny
    rule any any match any any any permit

    wlan access-rule CF_CorpGuest
    index 7
    rule any any match any any any permit

    wlan ssid-profile CF_Corp
    enable
    index 0
    type employee
    essid CF_Corp
    opmode wpa2-aes
    max-authentication-failures 0
    vlan 200
    auth-server LCNNAC1
    rf-band all
    captive-portal disable
    dtim-period 1
    broadcast-filter arp
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    dot11k
    dot11v

    wlan ssid-profile CF_Guest
    enable
    index 1
    type guest
    essid CF_Guest
    opmode opensystem
    max-authentication-failures 0
    vlan 300
    auth-server LCNNAC1
    rf-band all
    captive-portal external profile LCN_CF-GP
    mac-authentication
    dtim-period 1
    broadcast-filter arp
    radius-reauth-interval 480
    radius-accounting
    radius-interim-accounting-interval 3
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    wlan ssid-profile CF_BYOD
    enable
    index 2
    type employee
    essid CF_BYOD
    opmode opensystem
    max-authentication-failures 0
    vlan 302
    auth-server LCNNAC1
    rf-band all
    captive-portal disable
    mac-authentication
    dtim-period 1
    broadcast-filter arp
    radius-reauth-interval 120
    radius-accounting
    radius-interim-accounting-interval 2
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64
    dot11k
    dot11v
    download-role

    wlan ssid-profile CF_CorpGuest
    enable
    index 3
    type guest
    essid CF_CorpGuest
    opmode opensystem
    max-authentication-failures 0
    vlan 300
    auth-server LCNNAC1
    rf-band all
    captive-portal external profile LCN-CF-CorpGuest
    mac-authentication
    dtim-period 1
    broadcast-filter arp
    radius-reauth-interval 480
    radius-accounting
    radius-interim-accounting-interval 3
    dmo-channel-utilization-threshold 90
    local-probe-req-thresh 0
    max-clients-threshold 64

    auth-survivability cache-time-out 24



    wlan auth-server LCNNAC1
    ip nac1.leuchter-cloud.ch
    port 1812
    acctport 1813
    key 1b64c4b377f8320aaa24f74a5ea0f62afdbdffb83890131a
    nas-id NMjsAP01
    rfc5997
    rfc3576
    cppm-rfc3576-port 5999
    service-type-framed-user 1x
    service-type-framed-user mac

    wlan captive-portal
    background-color 16777215
    banner-color 16750848
    banner-text "Welcome to Guest Network"
    terms-of-use "This network is not secure, and use is at your own risk"
    use-policy "Please read terms and conditions before using Guest Network"
    authenticated

    wlan external-captive-portal
    server localhost
    port 80
    url "/"
    auth-text "Authenticated"
    auto-whitelist-disable
    https

    wlan external-captive-portal LCN_CF-GP
    server nac-guestportal.leuchter-cloud.ch
    port 443
    url "/guest/LCN-CF-GSP-SelfReg.php"
    auth-text ""
    redirect-url "https://www.leuchterag.ch"
    auto-whitelist-disable
    https
    switch-ip

    wlan external-captive-portal LCN-CF-CorpGuest
    server nac-guestportal.leuchter-cloud.ch
    port 443
    url "/guest/LCN-CF-GSP-Sponsoring.php"
    auth-text ""
    redirect-url "https://www.leuchterag.ch"
    auto-whitelist-disable
    https
    switch-ip


    blacklist-time 3600
    auth-failure-blacklist-time 3600


    ids
    wireless-containment none


    wired-port-profile wired-SetMeUp
    switchport-mode access
    allowed-vlan all
    native-vlan guest
    no shutdown
    access-rule-name wired-SetMeUp
    speed auto
    duplex auto
    no poe
    type guest
    captive-portal disable
    no dot1x

    wired-port-profile default_wired_port_profile
    switchport-mode trunk
    allowed-vlan all
    native-vlan 1
    shutdown
    access-rule-name default_wired_port_profile
    speed auto
    duplex full
    no poe
    type employee
    captive-portal disable
    no dot1x


    enet0-port-profile default_wired_port_profile

    uplink
    preemption
    enforce none
    failover-internet-pkt-lost-cnt 10
    failover-internet-pkt-send-freq 30
    failover-vpn-timeout 180



    airgroup
    disable

    airgroupservice airplay
    disable
    description AirPlay

    airgroupservice airprint
    disable
    description AirPrint





    cluster-security
    allow-low-assurance-devices


    ------------------------------
    Jonas Stalder
    ------------------------------



  • 4.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 05, 2022 04:45 AM
    ... just to say, the profil and SSID I try for googleauth is CF_CorpGuest (not CF_Guest) like in the printscreen. It was just to show the role attached, sorry (bellow the show client with the correct ssid. the auth profile stays the same External CP)

    SMjsAP01# show clients

    Client List
    -----------
    Name IP Address MAC Address OS ESSID Access Point Channel Type Role IPv6 Address Signal Speed (mbps)
    ---- ---------- ----------- -- ----- ------------ ------- ---- ---- ------------ ------ ------------
    host/cColWsv01.coldflame.local 10.54.162.101 a4:02:b9:bb:98:8d Win 10 CF_Corp SMjsAP01 116E AC CF_Corp fe80::e8ca:7ec0:f836:d4f1 75(good) 6(poor)
    a402b9ec8d67 10.54.172.51 a4:02:b9:ec:8d:67 Win 10 CF_CorpGuest SMjsAP01 116E AC External CP fe80::511e:52c2:d856:32a6 76(good) 866(good)
    Number of Clients :2
    Info timestamp :320182

    ------------------------------
    Jonas Stalder
    ------------------------------



  • 5.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate
    Best Answer

    EMPLOYEE
    Posted Jan 05, 2022 07:46 AM
    Jonas,

    You can assign the pre-auth role if you select (external) captive portal and then in the Access step:


    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: IAP Guest Wireless intercepts call to Google+ Authentication (OAUTH) with IAP Certificate

    Posted Jan 05, 2022 07:45 AM
    with your hint regarding the pre-auth-role I figured out. See in the printscreen the configuraiton just for other users.

    As you told, there is a pre-auth role needed, that allows the access to google. It's needed to be carefull regarding the urls. I was required to add also account.google.CH (because google thinks I'm from Switzerland what is correct). After adding, it was working.

    I'll shorten down the pre-auth, but in the printscreens the solutions should be clearly discribed.

    Thanks for your help Herman!








    ------------------------------
    Jonas Stalder
    ------------------------------