
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Not redirecting to Captive Portal

  • 1.  Not redirecting to Captive Portal

    Posted May 31, 2013 02:14 PM

    Using the Virtual controller on an IAP pointing to CPPM (6.1) for BYOD. Have an employee SSID set up on Instant which points to CPPM and Onboard configured for Captive portal. I can't seem to perform redirection to the Captive portal. The redirection works for my guest SSID and CPPM/Onboard guest portal. Any pointers much appreciated.

  • 2.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 03:31 PM
    Have you confirmed it's not a DNS resolution issue?
    Have you tried using an IP address for redirection?
    If the employee SSID is in a different VLAN than your other SSIDs, does the VLAN on the controller have an IP assigned to it?

  • 3.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 06:38 PM


    Confirmed it's not a DNS resolution issue, also tried with IP address. We are using a single SSID called byod on the Instant AP which maps to an employee role. Thanks a bunch

  • 4.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 06:52 PM

    BYOD on a Single SSID

    Instant OS 3.2 and earlier did not provide the ability to redirect a client to a captive portal page post 802.1X authentication. This limitation required the use of 2 SSIDs: 1) provisioning SSID 2) approved device SSID (802.1X) to provide a complete BYOD solution. In Instant OS 3.3, Aruba introduced the ability to redirect a client to a captive portal page after 802.1X authentication. This new enhancement provides the ability to append a captive portal redirection to a user role. This enhancement coupled with the ability to define a user role based on the EAP authentication type allows the use of a single SSID for a complete BYOD solution. The steps involved in configuring a single SSID for BYOD are these:

    1. Create a user role with captive portal redirection
    2. Create an employee SSID with WPA2-Enterprise authentication
    3. In the employee SSID configuration create a derivation rule that assigns the captive portal user role based on 802.1X authentication type (Ex: EAP-PEAP MSCHAPv2)
    4. Optionally, configure ClearPass to return non-captive user role for users authenticating using EAP-TLS. By default, a user authenticating with an EAP-method other than the one in Step 3 is assigned the default-role for the SSID.


    STEP 1: Create a user role with captive portal redirection


    • Create a new role: byod-enroll


    • Create a captive portal access rule



    • Allow DNS, DHCP to all destinations and HTTP/HTTPS access to ClearPass server.






    STEP 2: Create an Employee SSID


    • Configure SSID name and VLAN





    • Configure WPA2-Enterprise security on the SSID




    STEP 3: Configure the access settings of the SSID with appropriate 802.1X authentication type based derivation rule


    • Configure a derivation rule based on the EAP-type. If the user authenticates with PEAP-MSCHAPv2 assign the byod-enroll role. This will redirect the users to the provisioning page.




    • Users authenticating with EAP types other than PEAP-MSCHAPv2 will be assigned the default role for the SSID. The provisioning process on ClearPass will install certificates and configure the client's wireless supplicant for EAP-TLS.


    • When the client reconnects to the SSID during the final step of the provisioning process it uses EAP-TLS. This will assign the default SSID role to the client.


    STEP 4: If required configure IAP for server derived rules


    • Using the Aruba-User-Role VSA, ClearPass can push user roles to IAP. To accomplish this, the IAP should be configured with the appropriate user role definition and server derived rule.
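
An added example, not part of the original post and not Aruba configuration syntax: a Python model of Steps 1 and 3 that derives the role from the EAP type and checks whether a captive portal redirect URL is reachable under the byod-enroll rules. The addresses, the `employee-default` role name, the `Rule` representation and the URL paths are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

CLEARPASS = "192.0.2.10"  # constructed placeholder address, not taken from the thread

@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    port: int
    dest: str   # CIDR the rule applies to; "0.0.0.0/0" means any destination

# Step 1: DNS and DHCP to all destinations, HTTP/HTTPS only to the ClearPass server.
BYOD_ENROLL = [
    Rule("udp", 53, "0.0.0.0/0"),
    Rule("udp", 67, "0.0.0.0/0"),
    Rule("tcp", 80, f"{CLEARPASS}/32"),
    Rule("tcp", 443, f"{CLEARPASS}/32"),
]

def derive_role(eap_type, default_role="employee-default"):  # hypothetical role name
    """Step 3: PEAP-MSCHAPv2 gets the enrolment role, any other EAP type the SSID default."""
    return "byod-enroll" if eap_type.upper() == "PEAP-MSCHAPV2" else default_role

def permitted(rules, proto, port, dest_ip):
    """True if any rule allows proto/port to dest_ip."""
    return any(r.proto == proto and r.port == port
               and ip_address(dest_ip) in ip_network(r.dest) for r in rules)

def audit_redirect(rules, redirect_url):
    """List the points to check before a client in this role can load the portal."""
    findings = []
    url = urlsplit(redirect_url)
    port = url.port or {"http": 80, "https": 443}.get(url.scheme)
    try:
        host_ip = str(ip_address(url.hostname))
    except ValueError:
        findings.append(f"{url.hostname}: hostname, confirm it resolves to a permitted address")
        host_ip = None
    if host_ip and not permitted(rules, "tcp", port, host_ip):
        findings.append(f"tcp/{port} to {host_ip} is not permitted by the role")
    if not permitted(rules, "udp", 53, "198.51.100.53"):  # constructed resolver address
        findings.append("DNS is blocked, so the client's first lookup never completes")
    if url.scheme == "https":
        findings.append("https portal: the client must already trust the server certificate")
    return findings
```

An empty list from `audit_redirect` means the role itself is not what blocks the portal page, which narrows the fault to the portal side.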



  • 5.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 09:20 PM

    hi tarnold


    thank you for your help, unfortunately I cannot see the images as they appear to be on your internal pages, prompting me to log in


    please can you send the screenshots by pdf...


    kind wishes


  • 6.  RE: Not redirecting to Captive Portal

    Posted Jun 01, 2013 03:58 PM



    IAP_BYOD.pdf   582 KB 1 version

  • 7.  RE: Not redirecting to Captive Portal

    Posted Jun 03, 2013 10:41 PM

    Thank you so much


    The URL redirect now happens but the onboarding does not complete. The IAP sends the following URL format to the CPPM


    https://<clearpass IP>/guest/device_provisoning.php?cmd=login&mac=xxxxxxxxx&essid=byod&ip=192.......&apname=xxxxxxxx&<original URL>


    however if I manually go to https://<clearpass IP>/guest/device_provisoning.php/    then I get to the onboarding page. After running through Quick Connect app I get re-provisioned for TLS. 


    It seems CPPM is expecting only up to "/device_provisioning.php/" and not the other metadata containing the original URL


    I am trying this with Android ICS 4.1.1.


    I experienced the same issue of non-redirection when trying from iPad (testing without commercial cert).




  • 8.  RE: Not redirecting to Captive Portal

    Posted Jun 03, 2013 10:51 PM

    Did you try it without https?


    iOS will not onboard if you have https enabled with no public webserver cert.


    Make sure you disable https in CPGuest under "Home » Configuration » Authentication"


    And in your IAP you use http.


    Android will also complain if you tell it to validate the server cert under the provisioning settings.

  • 9.  RE: Not redirecting to Captive Portal

    Posted Jun 04, 2013 11:55 AM

    I tried both with & without https  ( Onboard > Config > Authentication >  disabled HTTP for authentication for guest portal )


    I can get iOS to onboard without https (1st PEAP, then TLS). Android and iOS work fine if I point the browser to http://<ip_addr>/guest/device_provisoning.php



    For iOS or Android if I type in a random URL  I can see the redirect trying to happen


    For example: 


    1. I enter in browser:           (dns works)

    2. Browser is hijacked and URL shows <ip of cppm>/guest/device_provisioning.php<followed by MAC address, metadata and the original URL>


    but it hangs there and then says the link cannot be reached.


    Are my 

    Is there an example of configuration on the CPPM services & Onboard side?


    much thanks

  • 10.  RE: Not redirecting to Captive Portal

    Posted Jun 04, 2013 12:03 PM

    error msg on the redirect attempt is (on android)


    Webpage not available


    The webpage at <IP address of CPPM + long URL> might be temporarily down or it may have permanently moved to a new web address.

  • 11.  RE: Not redirecting to Captive Portal

    Posted Jun 06, 2013 01:09 AM
    What device are you testing with?

    I will have some lab time wed so I will do some testing and try to update some docs.

    You can look here to see if the device has been tested. The list is an older one and I will try to update it also.