Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

This thread has been viewed 49 times
  • 1.  Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Mar 08, 2015 09:06 AM

    Hi guys
    I just attended the Clearpass Essentials training (which I can highly recommend) and wrote this tutorial for me because I'm a big fan of step-by-step guides. It's nothing new but I couldn't find such a (correct) step-by-step guide which fullfilled my needs. And additionally the controller configuration part is missing in the training guides - I added it here in chapter 5. I'm sharing this and hope it's useful to you. Any feedbacks are welcomed!

     

    First, have a look at my Design Overview

    This will help you understand, what is being configured in the controller (regarding the dependencies of the profiles)

    Controller-CPPM-CaptivePortal-Design-Overview.png

     

    Configuration Parameters

    These are the values I will use in this tutorial. I summarize them here so you can use this section for preparing, adjusting and "re-finding" your values when you do your own implementation.

     

    Aruba Clearpass Policy Manager, Version 6.5.0.71095

    DNS Name:            cppm.mycompany.com

    IP MGMT:               10.10.100.2 / 255.255.255.0

    IP DATA                 192.168.1.2 / 255.255.255.0

     

    NAD:                        myController, 10.10.100.1 with Shared Key aruba123

     

    Service (RADIUS):    Captive Portal MAC Authentication

    Service (RADIUS):    Captive Portal User Authentication with MAC Caching

     

    Aruba Clearpass Guest, Version 6.5.0.71095

    Name of the Web Login Page: Guest Network

    Pagename of the Web Login Page:   captiveportal (.php / is autom. added)

     

    Aruba Controller, Version 6.3.1.5

    Name:                   myController

    IP (eth0):               10.10.100.1 / 255.255.255.0 (Subnet used for Management Traffic)

    IP (eth1):               192.168.1.1 / 255.255.255.0 (Subnet used for Guest Networking)

    Shared Secret:       aruba123

     

    RADIUS Server:       myClearpass, 10.10.100.2 (MGMT IP of Clearpass), aruba123 (Shared Key)

    RC 3576 Server:      10.10.100.2, aruba123 (Shared Key)

     

    Server Group:        Clearpass (Groupname)

     

    L3 Authentication:   CPPM_CaptivePortal (Profilename)

    Captive Portal       Login Page = https://192.168.1.2/guest/captiveportal.php

    Auth Profile           Server Group = Clearpass

     

    User Role:           captiveportal_logon

    Policy Name:       CaptivePortal-ACL

    Policy Type:        <Session>

     

    Guest Profile:       CaptPort-aaa_prof

                                 MAC Authentication Profile: default

                                 MAC Authentication Server Group: Clearpass

                                RADIUS Accounting Server Group: Clearpass

                        

    Virtual AP Profile: CaptPort-vap_prof

                   

    SSID Profile:        CaptPort-ssid_prof

     

     

     

    Now the Step-by-step tutorial begins:

     

    1.   Adding the Aruba Controller as NAD

    1. On Clearpass Policy Manager navigate to Configuration > Network > Devices
    2. Click 1.pngon the top right

    Use the following parameters:

    Name:                                             myController

    IP or Subnet Address:                   10.10.100.1

    RADIUS Shared Secret:                aruba123

     2.png

     

    1. Click 3.png

    4.png

     

    1. Done

     

    2. Create the Guest Service

    1. On CPPM, navigate to Configuration > Start Here
    2. Select the Guest Authentication with MAC Caching Templat5.png
    1. Fill in the template as follows:

    General > Name Prefix: Captive Portal

    Wireless Network Settings > Wireless SSID: Guest-SSID

    Wireless Network Settings > Select Wireless Controller: myController

    MAC Caching Settings > Cache duration for Guest: One Day

    Access Restrictions > Enforcement Type: Aruba Role Enforcement

    Access Restrictions > Captive Portal Access: captiveportal_logon

    Access Restrictions > Maximum number of devices allowed per user: 1

    Access Restrictions > Guest Access: guest

     

    Leave the the rest of the fields blank or by default. Change values for ”Cache duration for Guest” and “Maximum number of devices allowed per user” at your discretion

     

    1. Click 6.png
    2. You don’t have to reorder the services as long as there are no other services interfering with the newly created

    7.png

     

     

    3. Create the Captive Portal Page

    1. In CPPM Guest navigate to Configuration > Pages > Web Logins
    1. Click 8.pngon the top right
    1. Enter the following parameters:

    Name:                     Captive Portal

    Page Name:            captiveportal (This will set the URL to: https://cppm.mycompany.com/guest/captiveportal.php)

    Vendor Settings:     Aruba Networks (is the default)

    Address:                 securelogin.arubanetworks.com (is the default, is used to avoid certificate errors)

     

    Authentication:       Credentials – Require a username and password (is the default)

    Pre-Auth Check:    Local – match a local account

                                   

    Customize the Loging Page at your discretion. Give it at least a meaningful “Title”.

     

    1. Click 9.png

     

    4. Create a Guest User

    1. In CPPM Guest navigate to Guest > Start Here and click on Create New Guest Account
    2. Fill in some adequate values and click on Create:

     10.png

     

     

    5. Configuring the Aruba Controller

     

    5.1 Add Clearpass as RADIUS Server

     

    1. Navigate to Configuration > SECURITY > Authentication > Servers
    2. Click on RADIUS Server and enter the Name of your Clearpass Server: myClearpass
    3. Click Add
    4. Click on myClearpass in the Server List and enter:

           Host: 10.10.100.2 (MGMT IP of Clearpass)

           Key: aruba123 (Shared Key between Controller and Clearpass)

           Leave the other fields by default

     

    1. Click Apply

    11.png

     

    5.2 Add Clearpass as RFC 3576 Server

    1. Navigate to Configuration > SECURITY > Authentication > Servers
    2. Click on RFC 3576 Server and enter the MGMT IP of Clearpass: 10.10.100.2
    3. Click Add
    4. Click on 10.100.2 in the list
    5. Enter the Shared Key aruba123 twice again
    6. Click Apply

    12.png

     

    5.3 Create a Server Group for Clearpass

    1. Navigate to Configuration > SECURITY > Authentication > Servers
    2. Click on Server Group and enter a reference name for your Clearpass server group: Clearpass
    3. Click Add
    4. Click on Clearpass and click New in Servers
    5. Select your Clearpass Server from the Dropdown List: myClearpass
    6. Click Add Server
    7. Click Apply at the bottom of the page to save the changes

    13.png

     

     

    5.4 Configure the Captive Portal / L3 Authentication

    1. Navigate to Configuration > SECURITY > Authentication and click on L3 Authentication
    2. Click on Captive Portal Authentication Profile
    3. Enter a new Captive Portal profile name: CPPM_CaptivePortal in the empty box and click Add
    4. Select CPPM_CaptivePortal and edit the following parameter:

    Login page: https://192.168.1.2/guest/captiveportal.php

    1. Make sure that “Default Role” = guest and “Default Guest Role” = guest
    2. Click Apply at the bottom of the page to save the changes

    14.png

     

    1. Click on Server Group under the CPPM_CaptivePortal and change the Server Group from default to Clearpass
    2. Click Apply at the bottom of the page to save the changes

    15.png

     

    5.5 Create the Captive Portal (Logon) Role

    1. Navigate to Configuration > SECURITY > Access Control > User Roles and click Add
    2. Name it captiveportal_logon for the Role Name under Firewall Policies
    3. Click Add

    16.png

     

    1. Choose the radio button for Create New Policy and click the Create Button
    2. Enter the following:

    Policy Name: CaptivePortal-ACL

    Policy Type: <Session>

    1. Click Add
    2. Select and enter the following information for the first line of the ACL:

    IP Version: IPv4

    Source: <USER>

    Destination: host, Host IP: 192.168.1.2 (IP of Clearpass)

    Service: service -> svc-http (80)

    Action: permit

    1. Click Add at the far right underneath this rule
    2. Click Add again
    3. Select and enter the following information for the first line of the ACL:

    IP Version: IPv4

    Source: <USER>

    Destination: host, Host IP: 192.168.1.2 (IP of Clearpass)

    Service: service -> svc-https (443)

    Action: permit

    1. Click Add right underneath this rule
    2. Click Done
    3. Click Add under Firewall Policies and select Radio Button for Choose From Configured Policies
    4. Select logon-control (session) and click Done
    5. Click Add again under Firewall Policies and select Radio Button for Choose From Configured Policies
    6. Select captiveportal and click Done
    7. Make sure that captiveportal policy is at the bottom of the list
    8. Right in Configuration select under Captive Portal Profile the newly created CPPM_CaptivePortal
    9. Click Apply at the bottom of the page

    17.png

     

    5.6 Configure the Guest Captive Portal AAA Profile

    1. Navigate to Configuration > SECURITY > Authentication > Servers and click on AAA Profiles
    2. Click Add
    3. Enter a name for the ClearPass Guest Profile: CaptPort-aaa_prof and click Add again
    4. Click on CaptPort-aaa_prof and change the Initial Role to captiveportal_logon and click Apply

    18.png

     

    1. Click on MAC Authentication and set MAC Authentication Profile to default and click Apply
    2. Click on MAC Authentication Server Group, set it to Clearpass and click Apply
    3. Click on RADIUS Accounting Server Group, set it to Clearpass and click Apply
    4. Click on RFC 3576 Server, select 10.100.2 from the Add a profile list, click Add and click Apply

    19.png

     

     

    5.7 Configure the Guest Captive Portal SSID

    1. Navigate to Configuration > Advanced Services > All Profiles
    2. Expand the Wireless LAN section and click on Virtual AP
    3. Enter a name for the Virtual AP profile: CaptPort-vap_prof and click Add
    4. Click on CaptPort-vap_prof to edit it
    5. In the Basic Tab, et the VLAN to your Guest VLAN (if used) and click Apply

    20.png

    1. Click on SSID (on the left under the CaptPort-vap_prof profile)
    2. Click on –New-- in SSID Profile > and name it CaptPort-ssid_prof
    3. Set the Network Name (SSID) to Guest-SSID
    4. Leave Network Authentication to None and Encryption to Open, click Apply
    5. Click on AAA set the AAA Profile from default to CaptPort-aaa_prof and click Apply

    21.png

    1. Navigate to Configuration > WIRELESS > AP Configuration and select your AP Group
    2. Click on Wireless LAN > Virtual AP and select CaptPort-vap_prof from the Add a profile list and click Add
    3. Click Apply

     

    5.8 Save the Configuration

    1. Click on Save Configuration on top of the page and you’re ready to test your Captive Portal!


  • 2.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Mar 09, 2015 11:49 PM

    Ditto that.  I attended the Clearpass Fundamentals and my head exploded.  Couldn't wait to get back to the office to get my Guest Register pages up and running.  Great doc. 



  • 3.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Mar 16, 2015 04:47 AM

    Thank laurent, this advice will come in handy.



  • 4.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Mar 17, 2015 12:10 PM

    Excellent..

    But a question.  Will the users consume a Guest license or simply a CPPM license?  We have something like this in place, however it doesn't consume guest licenses.

    TIA.



  • 5.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Mar 17, 2015 12:43 PM
    Yes, it consumes 1 Policy Manager and 1 Guest License per device. Do you use the captive portal in your setup?


  • 6.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Aug 19, 2015 02:00 PM

    Hi Laurent,

     

    Thank you for your post. I'm implementing a brand new iAPs environment. Are the steps similar with the exception of controller configurations?

     

    Jessca



  • 7.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    EMPLOYEE
    Posted Aug 19, 2015 08:51 PM


  • 8.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Aug 20, 2015 12:15 PM

    Thank you again Colin

    Cám ơn



  • 9.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Feb 08, 2016 03:37 PM

    laurent,

     

    Could I implement Self-Registration to go along with this write up?

     

    Thank you!



  • 10.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Feb 08, 2016 04:31 PM

    Webcore, absolutely! There are even two ways doing that:

     

    1. You do this tutorial (beware, it's slightly outdated due to new features in clearpass) and then you create a Guest Selfregistration page (menu item above Weblogins) and you put a link to it from the Weblogin page you created in the tutorial here.

     

    2. You skip the Weblogin step in this tutorial and you directly use the Weblogin page which is created in the Guest Selfregistration process.

     

    It's really easy to do... Good luck!



  • 11.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Feb 08, 2016 04:47 PM

    Thanks, laurent!

     

    I'm going through your walkthrough right now. As soon as I'm finished with that, then I'm going to implement the Self Reg stuff. I'll let you know how it goes.

     

    Thank you very much!



  • 12.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Feb 08, 2016 05:11 PM

    Ran into a snag. The Captive Portal page gets a 404 when I connect to guest. How can I troubleshoot this?

     

    EDIT: Got it working, kinda. I'm getting a certificate error, but the correct page is coming up. I had incorrectly entered a value on my L3 captive portal auth profile that did not match what'd I'd configured in CP Guest. Working on Self-Registration now.

     

    Thanks!



  • 13.  RE: Step-by-Step: Controller / CPPM 6.5 / Captive Portal authentication with MAC Caching (MAR15-MHC)

    Posted Oct 06, 2016 06:29 AM

    Hi Laurent,

     

    We have followed the steps as per your article but after guest authentication it is trying to redirect to CPPM default landing page. Our requirement is after successful authentication guest should be able to browse the internet.

    Could please guide how to resolve the issue.

     

    Thanks,

    Yugandhar.