Hi guys, I just attended the Clearpass Essentials training (which I can highly recommend) and wrote this tutorial for me because I'm a big fan of step-by-step guides. It's nothing new but I couldn't find such a (correct) step-by-step guide which fulfilled my needs. And additionally the controller configuration part is missing in the training guides - I added it here in chapter 5. I'm sharing this and hope it's useful to you. Any feedback is welcome!
First, have a look at my Design Overview
This will help you understand what is being configured in the controller (regarding the dependencies of the profiles).
These are the values I will use in this tutorial. I summarize them here so you can use this section for preparing, adjusting and "re-finding" your values when you do your own implementation.
Aruba Clearpass Policy Manager, Version 184.108.40.206095
DNS Name: cppm.mycompany.com
IP MGMT: 10.10.100.2 / 255.255.255.0
IP DATA: 192.168.1.2 / 255.255.255.0
NAD: myController, 10.10.100.1 with Shared Key aruba123
Service (RADIUS): Captive Portal MAC Authentication
Service (RADIUS): Captive Portal User Authentication with MAC Caching
Aruba Clearpass Guest, Version 220.127.116.11095
Name of the Web Login Page: Guest Network
Pagename of the Web Login Page: captiveportal (.php / is autom. added)
Aruba Controller, Version 18.104.22.168
IP (eth0): 10.10.100.1 / 255.255.255.0 (Subnet used for Management Traffic)
IP (eth1): 192.168.1.1 / 255.255.255.0 (Subnet used for Guest Networking)
Shared Secret: aruba123
RADIUS Server: myClearpass, 10.10.100.2 (MGMT IP of Clearpass), aruba123 (Shared Key)
RFC 3576 Server: 10.10.100.2, aruba123 (Shared Key)
Server Group: Clearpass (Groupname)
L3 Authentication: CPPM_CaptivePortal (Profilename)
Captive Portal Login Page = https://192.168.1.2/guest/captiveportal.php
Auth Profile Server Group = Clearpass
User Role: captiveportal_logon
Policy Name: CaptivePortal-ACL
Policy Type: <Session>
Guest Profile: CaptPort-aaa_prof
MAC Authentication Profile: default
MAC Authentication Server Group: Clearpass
RADIUS Accounting Server Group: Clearpass
Virtual AP Profile: CaptPort-vap_prof
SSID Profile: CaptPort-ssid_prof
Now the Step-by-step tutorial begins:
1. Adding the Aruba Controller as NAD
Use the following parameters:
IP or Subnet Address: 10.10.100.1
RADIUS Shared Secret: aruba123
2. Create the Guest Service
General > Name Prefix: Captive Portal
Wireless Network Settings > Wireless SSID: Guest-SSID
Wireless Network Settings > Select Wireless Controller: myController
MAC Caching Settings > Cache duration for Guest: One Day
Access Restrictions > Enforcement Type: Aruba Role Enforcement
Access Restrictions > Captive Portal Access: captiveportal_logon
Access Restrictions > Maximum number of devices allowed per user: 1
Access Restrictions > Guest Access: guest
Leave the rest of the fields blank or by default. Change values for “Cache duration for Guest” and “Maximum number of devices allowed per user” at your discretion.
3. Create the Captive Portal Page
Name: Captive Portal
Page Name: captiveportal (This will set the URL to: https://cppm.mycompany.com/guest/captiveportal.php)
Vendor Settings: Aruba Networks (is the default)
Address: securelogin.arubanetworks.com (is the default, is used to avoid certificate errors)
Authentication: Credentials – Require a username and password (is the default)
Pre-Auth Check: Local – match a local account
Customize the Login Page at your discretion. Give it at least a meaningful “Title”.
4. Create a Guest User
5. Configuring the Aruba Controller
5.1 Add Clearpass as RADIUS Server
Host: 10.10.100.2 (MGMT IP of Clearpass)
Key: aruba123 (Shared Key between Controller and Clearpass)
Leave the other fields by default
5.2 Add Clearpass as RFC 3576 Server
5.3 Create a Server Group for Clearpass
5.4 Configure the Captive Portal / L3 Authentication
Login page: https://192.168.1.2/guest/captiveportal.php
5.5 Create the Captive Portal (Logon) Role
Policy Name: CaptivePortal-ACL
Policy Type: <Session>
IP Version: IPv4
Destination: host, Host IP: 192.168.1.2 (IP of Clearpass)
Service: service -> svc-http (80)
Service: service -> svc-https (443)
5.6 Configure the Guest Captive Portal AAA Profile
5.7 Configure the Guest Captive Portal SSID
5.8 Save the Configuration
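A pre-flight consistency check for the values listed in the tutorial above, added here as an example; it is not part of the original post or of any Aruba tooling. The `PLAN` keys, the `preflight` function and the DNS mapping are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Values from the tutorial's summary; the "dns" mapping is an assumption
# (the post does not say which ClearPass interface the name resolves to).
PLAN = {
    "nad_secret": "aruba123",      # ClearPass: NAD entry for myController
    "radius_key": "aruba123",      # controller: RADIUS server myClearpass
    "rfc3576_key": "aruba123",     # controller: RFC 3576 server
    "page_name": "captiveportal",  # ClearPass Guest: Web Login page name
    "login_page": "https://192.168.1.2/guest/captiveportal.php",
    "acl": {("192.168.1.2", 80), ("192.168.1.2", 443)},  # CaptivePortal-ACL
    "dns": {"cppm.mycompany.com": "192.168.1.2"},
}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def preflight(plan):
    """Return findings as (code, detail); 'error' codes break the login flow."""
    findings = []
    keys = {plan["nad_secret"], plan["radius_key"], plan["rfc3576_key"]}
    if len(keys) != 1:
        findings.append(("error:secret-mismatch", "NAD/RADIUS/RFC 3576 keys differ"))
    url = urlparse(plan["login_page"])
    expected = f"/guest/{plan['page_name']}.php"
    if url.path != expected:  # redirect would point at a page that does not exist
        findings.append(("error:page-mismatch", f"{url.path} != {expected}"))
    host = url.hostname or ""
    ip = host if is_ip(host) else plan["dns"].get(host)
    port = url.port or {"https": 443, "http": 80}.get(url.scheme)
    if (ip, port) not in plan["acl"]:  # logon role must reach the portal pre-login
        findings.append(("error:acl-gap", f"{host}:{port} not permitted pre-login"))
    if is_ip(host):  # a certificate issued only for a DNS name will not match an IP
        findings.append(("note:ip-literal", f"{host} must appear in the cert as an IP SAN"))
    return findings


if __name__ == "__main__":
    for code, detail in preflight(PLAN):
        print(code, detail)
```
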
Ditto that. I attended the Clearpass Fundamentals and my head exploded. Couldn't wait to get back to the office to get my Guest Register pages up and running. Great doc.
Thanks laurent, this advice will come in handy.
But a question. Will the users consume a Guest license or simply a CPPM license? We have something like this in place, however it doesn't consume guest licenses.
Thank you for your post. I'm implementing a brand new iAPs environment. Are the steps similar with the exception of controller configurations?
jvu, please try the video here: http://community.arubanetworks.com/t5/Video/VIDEO-Captive-Portal-Authentication-with-Aruba-Instant-and/ta-p/69940
Thank you again Colin
Could I implement Self-Registration to go along with this write up?
Webcore, absolutely! There are even two ways of doing that:
1. You do this tutorial (beware, it's slightly outdated due to new features in clearpass) and then you create a Guest Selfregistration page (menu item above Weblogins) and you put a link to it from the Weblogin page you created in the tutorial here.
2. You skip the Weblogin step in this tutorial and you directly use the Weblogin page which is created in the Guest Selfregistration process.
It's really easy to do... Good luck!
I'm going through your walkthrough right now. As soon as I'm finished with that, then I'm going to implement the Self Reg stuff. I'll let you know how it goes.
Thank you very much!
Ran into a snag. The Captive Portal page gets a 404 when I connect to guest. How can I troubleshoot this?
EDIT: Got it working, kinda. I'm getting a certificate error, but the correct page is coming up. I had incorrectly entered a value on my L3 captive portal auth profile that did not match what I'd configured in CP Guest. Working on Self-Registration now.
We have followed the steps as per your article but after guest authentication it is trying to redirect to CPPM default landing page. Our requirement is after successful authentication guest should be able to browse the internet.
Could you please guide us on how to resolve the issue?