Security

last person joined: 2 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Not redirecting to Captive Portal

  • 1.  Not redirecting to Captive Portal

    Posted May 31, 2013 02:14 PM

    Using the Virtual controller on an IAP pointing to CPPM(6.1) for BYOD. Have an employee SSID set up on Instant which points to CPPM and Onboard configured for Captive portal. I cant seem to perform redirection to the Captive portal. The redirection works for my guest SSID and CPPM/Onboard guest portal.  Any pointers much appreciated.



  • 2.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 03:31 PM
    Have you confirmed its not a DNS resolution issue?
    Have you tried using an IP address for redirection?
    If the the employee SSID is in a different VLAN than your other SSIDs, does the VLAN on the controller have an IP assigned to it?


  • 3.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 06:38 PM

     

    Confirmed its not a dns resolution issue, also tried with IP address.  We are using a single ssid called byod on the Instant AP which maps to an employee role. thanks a bunch



  • 4.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 06:52 PM

    BYOD on a Single SSID

    Instant OS 3.2 and earlier did not provide the ability to redirect a client to a captive portal page post 802.1X authentication. This limitation required the use of 2 SSIDs: 1) provisioning SSID 2) approved device SSID (802.1X) to provide a complete BY0D solution. In Instant OS 3.3, Aruba introduced the ability to redirect a client to a captive portal page after 802.1X authentication. This new enhancement provides the ability to append a captive portal redirection to a user role. This enhancement coupled with the ability to define a user role based on the EAP authentication type allows the use of a single SSID for a complete BYOD solution. The steps involved in configuring a single SSID for BYOD are these:

    1. Create a user role with captive ported redirection
    2. Create an employee SSID with WPA2_Enterprise authentication
    3. In the employee SSID configuration create a derivation rule that assigns the captive portal user role based on 802.1X authentication type (Ex: EAP-PEAP MSCHAPv2)
    4. Optionally, configure ClearPass to return non-captive user role for users authenticating using EAP-TLS . By default, a user authenticating with an EAP-method other than the one in Step 3 is assigned the default-role for the SSID.

     

    STEP 1: Create a user role with captive portal redirection

     

    • Create a new role: byod-enroll

     

    • Create a captive portal access rule

     

     

    • Allow DNS, DHCP to all destinations and HTTP/HTTPS access to ClearPass server.

     

     

     

     

     

    STEP 2: Create an Employee SSID

     

    • Configure SSID name and VLAN

     

     

     

     

    • Configure WPA2-Enterprise security on the SSID

     

     

     

    STEP 3: Configure the access settings of the SSID with appropriate 802.1X authentication type based derivation rule

     

    • Configure a derivation rule based on the EAP-type. If the user authenticates with PEAP-MACHAPv2 assign the byod-enroll. This will redirect the users to provisioning page.

     

     

     

    • User authenticates with EAP types other the PEAP-MSCHAPv2 will be assigned the default role for the SSID. The provisioning process on ClearPass will install certificates and configure the client's wireless supplicant for EAP-TLS.

     

    • When the client reconnects to the SSID during the final step of the provisioning process it uses EAP-TLS. This will assign the default SSID role to the client.

     

    STEP 4: If required configure IAP for server derived rules

     

    • Using the Aruba-User-Role VSA, ClearPass can push user roles to IAP. The accomplish this, the IAP should be configured with the appropriate user role definition ad server derived rule.

     

     



  • 5.  RE: Not redirecting to Captive Portal

    Posted May 31, 2013 09:20 PM
      |   view attached

    hi tarnold

     

    thank you for your help, unfortunately i cannot see the images as they appear to be on ur internal pages.. prompting me to login

     

    please can you send the screenshots by pdf...

     

    kind wishes

    raj



  • 6.  RE: Not redirecting to Captive Portal

    Posted Jun 01, 2013 03:58 PM
      |   view attached

    PDF

    Attachment(s)

    pdf
    IAP_BYOD.pdf   582 KB 1 version


  • 7.  RE: Not redirecting to Captive Portal

    Posted Jun 03, 2013 10:41 PM

    Thanks you so much

     

    The URL redirect now happens but the onboarding does not complete. The IAP sends the following URL format to the CPPM

     

    https://<clearpass IP>/guest/device_provisoning.php?cmd=login&mac=xxxxxxxxx&essid=byod&ip=192.......&apname=xxxxxxxx&switchip=securelogin.arubanetworks.com&url=http<original URL>

     

    however if I manually go to https://<clearpass IP>/guest/device_provisoning.php/    then I get to the onboarding page. After running through Quick Connect app I get re-provisioned for TLS. 

     

    It seems CPPM is expecting only upto "/device_provisioning.php/  and not the other meta data containing the original url

     

    i am trying this with Android ICS 4.1.1. 

     

    I experienced same issue of non redirection when trying from iPad.(testing without commerical cert )

     

     

     



  • 8.  RE: Not redirecting to Captive Portal

    Posted Jun 03, 2013 10:51 PM

    Did you try it with out https.

     

    IOS will not onboard if you have https enabled with no public webserver cert. 

     

    Make sure you disable https in CPGuest under "Home » Configuration » Authentication"

     

    And in you IAP you use http. 

     

    Android will also complain if you tell it to validate the server cert under the provisioning settings.



  • 9.  RE: Not redirecting to Captive Portal

    Posted Jun 04, 2013 11:55 AM

    I tried both with & without https  ( Onboard > Config > Authentication >  disabled HTTP for authentication for guest portal )

     

    I can get iOS to onboard without https (1st PEAP, then TLS). Android and iOS works fine if i point browser to http://<ip_addr>/guest/device_provisoning.php

     

     

    For iOS or Android if I type in a random URL  I can see the redirect trying to happen

     

    For example: 

     

    1. I enter in browser:  http://www.yahoo.co.in           (dns works)

    2. Browser is hijacked and URL shows  <ip of cppm>/guest/device_provisioning.php<followed by mac adress, meta data and the orignal url >

     

    but it hangs there and then says the link cannot be reached.

     

    Are my 

     Is there an example of configuration on the CPPM services & onboaed side?

     

    much thanks



  • 10.  RE: Not redirecting to Captive Portal

    Posted Jun 04, 2013 12:03 PM

    error msg on the redirect attempt is (on android)

     

    Webpage not available

     

    The webpage at < IP adrress of CPPM  + long url > might be temporarily down or it may have permanently moved to a new web address.



  • 11.  RE: Not redirecting to Captive Portal

    Posted Jun 06, 2013 01:09 AM
    What device are you testing with?

    I will have some lab time wed so I will do some testing and try to update some docs.

    You can look here to see if the device has been tested. The list is an older one and I will try to update it also.

    http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Android-Onboarding/m-p/74380#M1928