Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Captive Portal role not working

This thread has been viewed 1 times
  • 1.  Captive Portal role not working

    Posted Oct 04, 2019 10:07 AM

    Hi there,

     

    I'm currently trying to push a captive portal role to a 7005 controller, from ClearPass.

    But I always get the following error on the controller:

     

    "Reject line ... contains unsupported keyword".

     

    The role clearpass generates is the following:

    aaa authentication captive-portal CLEARPASS-MACTRAC
        no user-logon
        no logout-popup-window
        login-page https://clearpass.local/guest/quarantined.php?m=112f2ec63371460a9eaaddcccdf6a8
        no enable-welcome-page
    !
    user-role cppmrole
        vlan 100
        reauthentication-interval 10
        captive-portal CLEARPASS-MACTRAC
    !

    The controller seems to reject everything related to the captive portal profile, inside the "aaa authentication captive-portal". Other stuff like VLAN and ACL works fine, if I just remove the captive portal from the role. It's just the captive portal part that is not accepted.

    Any idea what can be the problem?

     

    Thanks



  • 2.  RE: Captive Portal role not working

    Posted Oct 04, 2019 10:24 AM

    Your initial role in the AAA profile of that Virtual AP should be "cppmrole"

     

    cppm role also needs the captive portal ACLs for this to work.

     

    Are both of those in place?

     

     



  • 3.  RE: Captive Portal role not working

    Posted Oct 04, 2019 11:36 AM

    Did you allow http & https traffic from the user (an wirelss client with an IP) to the clearpass ?

     

    // Create a Netdestination to clearpass

     

    netdestination Clearpass
    host <ip address of clearpass>


    // Allow traffic to the Clearpass Server in the initial role

     

    in the initial role add these ACLs

     

    user Clearpass http permit
    user Clearpass https permit

     

     

    --Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
    --Problem Solved? Click "Accepted Solution" in a post.


     



  • 4.  RE: Captive Portal role not working

    Posted Oct 06, 2019 06:55 PM

    It's not that.

    The mobile controller doesn't accept the role syntax that Clearpass generates.

    Everything related to the captive portal profile in the role, generated by Clearpass, is being rejected.



  • 5.  RE: Captive Portal role not working

    Posted Oct 06, 2019 07:08 PM

    Everything is in place, yet the 7005 log shows the following:

     

    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Idefault-guest-role cppmrole', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Idefault-role cppmrole', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ilogin-page  https://clearpass.local/guest/quarantined.php?m=112f2ec63371460a9eaaddcccdf6a8', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ino enable-welcome-page', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ino logout-popup-window', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ino user-logon', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Iwhite-list clearpass.local', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line 'aaa authentication captive-portal CLEARPASS-MACTRAC', contains unsupported keyword
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1954: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: processing stopped due to whitelist violation
    Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_exec_transform:433: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Transform failed
    Dldb Role: ROLE_AOS_MC_DUR_CAPTIVE-3056-37 Cannot be assigned downloadable role, role is in error state

    The role Clearpass generates for the 7005 is the following:

    netdestination clearpass.local
        host	192.168.8.1
    !
    aaa authentication captive-portal CLEARPASS-MACTRAC
        default-role cppmrole
        default-guest-role cppmrole
        no user-logon
        no logout-popup-window
        login-page https://clearpass.local/guest/quarantined.php?m=112f2ec63371460a9eaaddcccdf6a8
        no enable-welcome-page
        white-list clearpass.local
    !
    user-role cppmrole
        vlan 2010
        reauthentication-interval 10
        captive-portal CLEARPASS-MACTRAC
    !

     



  • 6.  RE: Captive Portal role not working

    Posted Oct 07, 2019 02:51 AM
    This may be due to special characters in the name of the role sent.

    The authmgr sees a special character '^' with the role being sent.

    Is this the only role where this problem is observed?



  • 7.  RE: Captive Portal role not working

    Posted Oct 07, 2019 06:16 AM

    Unfortunatelly that is not the problem.

    I already create the enforcement profile manually, without any special characters (without any of those ^|, tabs, and slashes), and the 7005 still does not accept the downloadable role.

     

    If I remove everything related to "aaa authentication captive-portal" and use a local captive portal profile, the role works.



  • 8.  RE: Captive Portal role not working

    Posted Jun 12, 2020 04:58 AM

    I work for Aruba ClearPass team, and we tested this out locally as well. We hit the same issue and confirmed with the AOS Controller team. the Captive Portal setting within a DUR for Controller is not supported. that's the reason we have the errors as reported and also seen in our local setup.

    Basically, we cannot push Captive Portal profile settings via DUR.