Security

last person joined: 23 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

RAP and captive portal using split-tunnel

Jump to Best Answer
This thread has been viewed 8 times
  • 1.  RAP and captive portal using split-tunnel

    Posted Jun 29, 2018 08:24 PM

    I was following this "how to" to be able to do captive portal on a RAP (link) with no success. I did exaclty every single step plus created dhcp pool for this interface.

    The result I am getting is no captive portal but in the controller I can see I got right user role "vbn-guest-logon" and I am getting IP address from the controller dhcp pool. What can I do wrong that I dont see captive portal so I am half way connected, my iphne insted of wifi icon show still LTE, which indicates sth does not go through.

     

     



  • 2.  RE: RAP and captive portal using split-tunnel

    Posted Jun 30, 2018 02:05 PM

    Couple of good places to start would be to check the Captive Portal is assigned to your initial role, the client has a valid and working DNS server, any ACL which a pertaining to the Captive Portal are set to permit to tunnel this traffic back to the controller as well. Feel free to post config snippets which might help.



  • 3.  RE: RAP and captive portal using split-tunnel

    Posted Jun 30, 2018 11:37 PM

    show ip dhcp database
    DHCP enabled
    # split
    subnet 172.32.0.0 netmask 255.255.240.0 {
        default-lease-time 14400;
        max-lease-time 14400;
        option vendor-class-identifier  "ArubaAP";
        option vendor-encapsulated-options  "x.x.x.x";
        option routers 172.32.0.1;
        range 172.32.0.21 172.32.15.254;
        authoritative;

     

    show ip interface brief
    Interface                   IP Address / IP Netmask        Admin   Protocol  
    vlan 32                     172.32.0.1 / 255.255.240.0     up      up         none            (none)

     

    show ip access-list vbn-guest-control
    ip access-list session vbn-guest-control
    vbn-guest-control
    -----------------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          udp 68                 deny                             Low                                                           4        
    2         any     any          svc-dhcp               permit                           Low                                                           4        
    3         any     any          svc-dns                permit                           Low                                                           4        
    4         any     any          svc-icmp               permit                           Low                                                           4     

     

     

    show ip access-list vbn-guest-captiveportal
    ip access-list session vbn-guest-captiveportal
    vbn-guest-captiveportal
    -----------------------
    Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https               dst-nat 8081                           Low                                                           4        
    2         user    any          svc-http                dst-nat 8080             Yes           Low                                                           4        
    3         user    any          svc-https               dst-nat 8081                           Low                                                           4     

     

     

    show aaa authentication captive-portal "vbn-guest"

    Captive Portal Authentication Profile "vbn-guest"
    -------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       vbn-guest
    Default Guest Role                                 guest
    Server Group                                       default
    Redirect Pause                                     1 sec
    User Login                                         Enabled
    Guest Login                                        Disabled
    Logout popup window                                Enabled
    Use HTTP for authentication                        Disabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Disabled
    Authentication Protocol                            PAP
    Login page                                         /auth/index.html
    Welcome page                                       /auth/welcome.html
    Show Welcome Page                                  Yes
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         N/A
    Black List                                         N/A
    Show the acceptable use policy page                Disabled
    User idle timeout                                  N/A
    Redirect URL                                       N/A
    Bypass Apple Captive Network Assistant             Disabled
    URL Hash Key                                       N/A

     

    show rights vbn-guest-logon

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'vbn-guest-logon'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 0
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 81/0
     Openflow: Disabled
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE
     Captive Portal profile = vbn-guest

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                        Type     Location
    --------  ----                        ----     --------
    1         global-sacl                 session  
    2         apprf-vbn-guest-logon-sacl  session  
    3         vbn-guest-control           session  
    4         vbn-guest-captiveportal     session  

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-vbn-guest-logon-sacl
    --------------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    vbn-guest-control
    -----------------
    Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any          udp 68                 deny                             Low                                                           4        
    2         any     any          svc-dhcp               permit                           Low                                                           4        
    3         any     any          svc-dns                permit                           Low                                                           4        
    4         any     any          svc-icmp               permit                           Low                                                           4        
    vbn-guest-captiveportal
    -----------------------
    Priority  Source  Destination  Service    Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------    -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https               dst-nat 8081                           Low                                                           4        
    2         user    any          svc-http                dst-nat 8080             Yes           Low                                                           4        
    3         user    any          svc-https               dst-nat 8081                           Low                                                           4 

     

     

    show rights vbn-guest

    Valid = 'Yes'
    CleanedUp = 'No'
    Derived Role = 'vbn-guest'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Number of users referencing it = 0
     Periodic reauthentication: Disabled
     DPI Classification: Enabled
     Youtube education: Disabled
     Web Content Classification: Enabled
     IP-Classification Enforcement: Enabled
     ACL Number = 84/0
     Openflow: Disabled
     Max Sessions = 65535

     Check CP Profile for Accounting = TRUE

    Application Exception List
    --------------------------
    Name  Type
    ----  ----

    Application BW-Contract List
    ----------------------------
    Name  Type  BW Contract  Id  Direction
    ----  ----  -----------  --  ---------

    access-list List
    ----------------
    Position  Name                  Type     Location
    --------  ----                  ----     --------
    1         global-sacl           session  
    2         apprf-vbn-guest-sacl  session  
    3         vbn-guest             session  

    global-sacl
    -----------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    apprf-vbn-guest-sacl                              
    --------------------
    Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    vbn-guest
    ---------
    Priority  Source  Destination    Service    Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------    -------    -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any            svc-dhcp                permit                                  Low                                                           4        
    2         user    my-dns  svc-dns                 permit                                  Low                                                           4        
    3         user    controller     svc-https               dst-nat 8081                            Low                                                           4        
    4         user    any            any                     route src-nat                           Low                                                           4

     

    #show ip access-list vbn-guest

    ip access-list session vbn-guest
    vbn-guest
    ---------
    Priority  Source  Destination    Service    Application  Action         TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------    -------    -----------  ------         ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         any     any            svc-dhcp                permit                                  Low                                                           4        
    2         user    my-dns  svc-dns                 permit                                  Low                                                           4        
    3         user    controller     svc-https               dst-nat 8081                            Low                                                           4        
    4         user    any            any                     route src-nat                           Low                                                           4 

     

    show aaa profile "vbn-guest"

    AAA Profile "vbn-guest"
    -----------------------
    Parameter                           Value
    ---------                           -----
    Initial role                        vbn-guest-logon
    MAC Authentication Profile          N/A
    MAC Authentication Default Role     guest
    MAC Authentication Server Group     default
    802.1X Authentication Profile       N/A
    802.1X Authentication Default Role  guest
    802.1X Authentication Server Group  N/A
    Download Role from CPPM             Disabled
    Set username from dhcp option 12    Disabled
    L2 Authentication Fail Through      Disabled
    Multiple Server Accounting          Disabled
    User idle timeout                   N/A
    Max IPv4 for wireless user          2
    RADIUS Accounting Server Group      N/A
    RADIUS Roaming Accounting           Disabled
    RADIUS Interim Accounting           Disabled
    XML API server                      N/A
    RFC 3576 server                     N/A
    User derivation rules               N/A
    Wired to Wireless Roaming           Enabled
    SIP authentication role             N/A
    Device Type Classification          Enabled

     

    --------------------------------

    SSID is open
    Enforce DHCP                        Disabled
    PAN Firewall Integration            Disabled
    Open SSID radius accounting         Disabled

     

    #show wlan virtual-ap "email capture-vap_prof"

    Virtual AP profile "email capture-vap_prof"
    -------------------------------------------
    Parameter                                       Value
    ---------                                       -----
    AAA Profile                                     email capture-aaa_prof
    802.11K Profile                                 default
    Hotspot 2.0 Profile                             N/A
    SSID Profile                                    email capture-ssid_prof
    Virtual AP enable                               Enabled
    VLAN                                            32
    Forward mode                                    split-tunnel
    Allowed band                                    all
    Band Steering                                   Enabled
    Cellular handoff assist                         Disabled
    Openflow Enable                                 Disabled
    Steering Mode                                   prefer-5ghz
    Dynamic Multicast Optimization (DMO)            Enabled
    Dynamic Multicast Optimization (DMO) Threshold  6
    Drop Broadcast and Unknown Multicast            Disabled
    Convert Broadcast ARP requests to unicast       Enabled
    Authentication Failure Blacklist Time           3600 sec
    Blacklist Time                                  3600 sec
    Deny inter user traffic                         Disabled
    Deny time range                                 N/A
    DoS Prevention                                  Disabled
    HA Discovery on-association                     Enabled
    Mobile IP                                       Enabled
    Preserve Client VLAN                            Disabled
    Remote-AP Operation                             standard
    Station Blacklisting                            Enabled
    Strict Compliance                               Disabled
    VLAN Mobility                                   Disabled
    WAN Operation mode                              always
    FDB Update on Assoc                             Disabled
    WMM Traffic Management Profile                  N/A
    Anyspot profile                                 N/A



  • 4.  RE: RAP and captive portal using split-tunnel
    Best Answer

    Posted Jul 01, 2018 01:52 AM

    The DHCP scope defined on your controller does not appear to be assigning a DNS server. Can you confirm the clients are assigned a valid and working DNS server in the first instance. If there is no response from a DNS server the re-direct to the Captive Portal will occur.



  • 5.  RE: RAP and captive portal using split-tunnel

    Posted Jul 02, 2018 09:20 AM

    Yep, it was missing DNS

     

    Thank you



  • 6.  RE: RAP and captive portal using split-tunnel

    Posted Sep 17, 2019 12:04 PM

    I am trying to use external captive portal(clearpass) in that scenario and sth is off. I am getting correct logon user that I see in the controller, getting correct correct IP from controller (split tunnel), several DNS which I defined in the controller (same pool I use for split tunnel) and whitelisted in captive portal settings in the controller but splash page from clearpass does not pops out. Captive portal settings on the controler has initial logon user with working clearpass link page. What could be wrong?  

    I have noticed once on my phone that when I manualy went to one website, it tried to open sth(clearpass page) but after some time I got certificate error about my controller domain which has valid certificate, clearpass also has valid cert.



  • 7.  RE: RAP and captive portal using split-tunnel

    Posted Sep 17, 2019 12:39 PM

    I added some proxy rules for logon user. When I click conneced SSID it takes unusually long time to associate and then struggling to open correct page from clearpass on my phone but I would not call this operational

     

    Screen Shot 2019-09-17 at 12.33.03 PM.pngScreen Shot 2019-09-17 at 12.33.36 PM.png



  • 8.  RE: RAP and captive portal using split-tunnel

    Posted Sep 18, 2019 10:52 AM

    Ok I have noticed that I dont have access to clearpass(cant ping) after I join the wifi so that means sth is wrong with the rules. I added IP of my clearpass for logon session list (https and http) but sitll no luck.

     

    What has to change in the config from the link in the first post in order to make external splash page work?