Security

last person joined: 14 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

IAP 105 and ClearPass self-registration

Jump to Best Answer
  • 1.  IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 08:01 AM

    Hello,

     

    I am still confused with ClearPass and I haven't found an answer in the doc or here. So here is what I would like to do :

     

    In ClearPass, I have set up a self-registration (works but don't now about the NAS login, could it be done with ClearPass) and now I need that when connecting to the IAP, the visitor is redirect to this self-registration. I have read about radius, NAS, ... but I am a bit lost.

     

    Anyone can give me an overlook of what to do ?

     

    Thanks.

     

    Dimitri



  • 2.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:00 AM

    Never done this with an IAP before, but I would assume it's the same procedure as normal.

     

    Are you using CPPM or plain CP Guest (Amigopod)?

     

    First add the CPPM server as Radius server in the IAP.

    On CPPM create the IAP as a Radius Device (Configuration/Network/Device)

    Use the same shared secret and make sure you have the correct ip of the IAP when entering this in CPPM.

     

    That should be enough to get the IAP and CPPM talking.

     

    Now - edit your self-registration.

    Click the NAS Vendor Settings tab

    Check for "Enable guest login for a NAS"

    • Vendor settings: Aruba Networks
    • ip address: the ip of the radius device (IAP)
    • Secure login: if you're not using certificates then set this to "Send cleartext ..."
    • Save changes..

    Think most of the stuph here should still be valid.. Google for Amigopod-AOS-Integration-AppNote.pdf - select the pdf that is hosted on arubanetworks.com.

     

    Let me know if this helps you or what you get stuck on and I'll try to elaborate..



  • 3.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:05 AM

    Hi,

     

    Thanks for this first reponse. I am using plain CP Guest, can I follow your prodecure or is it diffrent from using CCPM ?

     

    Thanks again.

     

    Dimitri

     

     



  • 4.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:10 AM

    Then that document is even more valid.

     

    On CP Guest you create the IAP as NAS device under the Radius/NAS List tab.

     

    When you try to authenticate with it check the logs under Support/System logs and you should be able to see what IP address the IAP tries to access with..



  • 5.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:25 AM

    On CP Guest, I don't find Radius/NAS List tab. The document is totally diffrent of what I am seeing in CP Guest, I can't match the informations.

     

    I got ClearPass Guest 6.0.1.22810.

     

    Dimitri



  • 6.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:39 AM
    Well - then you have cppm with cpguest. Instead of /guest in your URL for admin type /tips. Or just navigate to the IP and you should be redirected to the cppm login.


  • 7.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:41 AM

    Ok thanks, so I use your first post procedure ?

     

    Dimitri



  • 8.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:42 AM
    Yep. Try it and let me know how it goes.


  • 9.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 03:24 AM

    Hi again,

     

    Here is where I am now :

     

    First add the CPPM server as Radius server in the IAP => ok but do I need to open the ports 1812 and 1813 on my CPPM server ?

    On CPPM create the IAP as a Radius Device (Configuration/Network/Device) => ok done and if I have more IAP, do I need to do the same for each or is there an other fast way ?

    Use the same shared secret and make sure you have the correct ip of the IAP when entering this in CPPM. => ok

     

    That should be enough to get the IAP and CPPM talking => Not working now

     

    Now - edit your self-registration.

    Click the NAS Vendor Settings tab

    Check for "Enable guest login for a NAS"

    • Vendor settings: Aruba Networks
    • ip address: the ip of the radius device (IAP) => what about if I need to do this with multiple IAP ?
    • Secure login: if you're not using certificates then set this to "Send cleartext ..."
    • Save changes..

    Thanks for your help.

     

    Dimitri



  • 10.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 07:45 AM

    Hehe – I see and understand your troubles…

     

    => ok but do I need to open the ports 1812 and 1813 on my CPPM server ?

     

    What kind of link do you have? If the CPPM is behind a firewall/NAT device you will have to make sure UDP 1812/1813 and TCP 80/443 are reachable.

    The IAP needs Radius access to your CPPM server so those ports needs to be reachable

    The clients on the IAP need http/https connection to the CPPM so that too needs to be reachable through the link you have – which is internet?

    The CPPM needs a route back to the client through the IAP.

     

    => ok done and if I have more IAP

     

    Yes you will add each of them - assuming those IAP’s are on other locations and then not a part of the IAP “cluster”.

     

    => ip address: the ip of the radius device (IAP) => what about if I need to do this with multiple IAP ?

     

    Well – in a multiple controller scenario you would click the Dynamic address field “The Controller will send the IP to submit credentials”. Input also which address that are allowed.



  • 11.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 07:48 AM

    How can I check that the IAP and CPPM are talking ? I think the problem is here.

     

    Dimitri



  • 12.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 08:47 AM

    Thanks John, it helps me to go further.

     

    So I have open the right ports on the firewall. No when I connect to the WLAN, I can see on the address field :

     

    https://myCCPMaddress/guest/guest_portal.php?cmd?=login&mac=mymacaddress&essid=TestWifi&ip=myIP&apname=theIAPname&vcname=controllername&switchip=securelogin.arubanetworks.com&url=http://www.google.com

     

    But I don't see the login page, only "connexion has been interupted".

     

    What is the missing thing ? I think I am close to the end but some problems are still here.

     

    Thanks again John.

     

    Dimitri



  • 13.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 09:20 AM

    I have found the solution, it was this : unchecked "Require HTTPS for guest access checkbox".

     

    Now I can create a new user and log in. But it leads to an other issue. After the login, I went on a webpage with a 1 on the upper left and on the adress bar : http://adressofthevc/cgi-bin/login.

     

    What I am doing wrong now ?

     

    Thanks

     

    Dimitri



  • 14.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 10:05 AM

    When does this happen? 

     

    Do you login from a device connected to the SSID on the IAP?

    How does the captive portal profile on the controller look like?

     



  • 15.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 10:13 AM

    It happends when I log in to the SSID of the IAP with my laptop for example.

     

    How does the captive portal profile on the controller look like? => Where can I check this ?

     

    An other little issue (I am logged on the SSID of the IAP) is that when I am typing for example www.google.com, it's added an "https" and get an error in the browser. If I remove the "s" on https, no problem, I can log on normally. Any idea ?


    Thanks


    Dimitri



  • 16.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 05:12 AM

    About my "after" login problem, I think it's about this : when I look at my connected user in the IAP, his role is : External CP. Is it correct to have this ?

     

    Thanks

     

     



  • 17.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 05:41 AM
    Hi Dimitri, I'm creating this myself now just to see how it all connects together. Will get back to you asap :)


  • 18.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 07:00 AM

    Cool :)

     

    One more information, when I connect on my IAP as a guest on wifi and go check the alerts on lan, here is what I see :

     

    "The AP cannot authenticate this client using 802.1x because the RADIUS server did not respond to the authentication request".

     

    Added ----

     

    One more question, do I need to configure something else in CCPM ? For example a service ? I think something is missing but I can't find what.

     

    Thanks



  • 19.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:20 AM

    So..

     

    I got this working on my lab.

    Now - in my setup there is no firewall between the IAP and the Clearpass so all traffic is allowed between them.

    You will need to open traffic on ports TCP 80/443, UPD 1812/1813 and UDP 3799 (for CoA).

     

    I'm running software 6.2.0.0-

     

    I'll just run through the highlights..

     

    On the IAP:

    Settings / General /

    • Add your VC IP (not the same IP as your IAP has - this is the virtual one.. :))
    • Dynamic Radius Proxy = Enabled, this you enable to make sure the radius messages are sendt using the VCIP regardless of which IAP in the VC-cluster that sends the radius message..

     

    New Network (or edit existing)

    1. WLAN Settings

    • Name: instaguest (whatever..)
    • Primary usage: Guest

     

    2. VLAN

    IP assignment: VC assigned (atleast in my scenario)

     

    3. Security (what I don't mention leave at default value)

    • Splash page type: External - RADIUS server
    • Auth server 1: Click NEW or Edit. Make sure the ip address and Share secrets are correct. Might want to Enable RFC3576 for CoA.
    • Accounting: Enable (if you need accounting info)
    • IP or Hostname: "insert ip of CPPM/CPGUEST"
    • URL: /landing.php/register.php (or whatever your registrationpage is)
    • Redirect URL: http://www.google.com (or your homepage or just leave empty)

    4. Access

    When testing just select Unrestricted at first.

    One you got it running, adjust the role and access rules as you want.

     

     

    On CPPM

    Create the IAP as a Radius Device using the VC IP and shared secret as previously entered

    • Configuration/Network/Device - Add device..

    Now - this next part I'm not able to get as I want. Mobility Controllers send their IP address in the URL as "switchip". This way you can have multiple Controllers using the same login/self-registration by checking the "The controller will send it's IP to submit credentials". This basically redirects the client back to the NAS device to try to login with the credentials supplied.

    The IAP however sends "securelogin.arubanetworks.com" with https using the built-in ssl certificate. That might be ok, but it's just different. My IPad didn't complain tho - so it might be ok..

     

    On CP Guest

    Edit or create a new login/self-registration

    NAS login section

    • Check "Enable Guest login to NAS"
    • IP Address: securelogin.arubanetworks.com
    • Secure Login: Vendor default

     

    And .. That should be it..

     

     



  • 20.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:42 AM

    Thanks for the time taken on this, everthings is configured exactly the same as you have written but I am still blocked after the login. Now I have this page :

     

    https://securelogin.arubanetworks.com/cgi-bin/login and a number in the page

     

    Any idea ?



  • 21.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:46 AM
    What does the system log on the CPPM say? I'm guessing it says "Unable to authenticate - Homeserver says so" I had the same issue, but that was because I had setup an external radius authentication which was checked before the CP local db.


  • 22.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:50 AM

    Sorry but where can I find the log ?

     

    How to set up this : external radius authentication which was checked before the CP local db ?

     

    Thanks.

     

    Dimitri



  • 23.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:53 AM
    Doubt you have the same issue tho ;) Check the CPPM - Monitoring - Access Tracker and Event Viewer Should be some Radius Reject messages there


  • 24.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:55 AM

    On Event Viewer :

     

    SourceRADIUS
    LevelWARN
    CategoryAuthentication
    ActionUnknown
    TimestampFeb 15, 2013 16:40:35 CET
    Description

    Ignoring request from unknown client xx.xxx.xx.xxx:xxxxx



  • 25.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:05 AM
    That is the typical message you get when the IP address of the radius device is wrong. Does that IP address match the one in your device setup in cppm?


  • 26.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:10 AM

    Yes, the VC IP is the same in IAP-105 and in Network-Device in CPPM.

     

    Dimitri



  • 27.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:16 AM
    Weekend is here for my part, but I can have a new look on Monday.

    Have a nice weekend Dimitri!


  • 28.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:17 AM

    Thanks have nice weekend too.

     

    Dimitri



  • 29.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:11 AM

    After the weekend, still the same problem and can't find where is the "bug". Any new idea or something more to check ?

     

    Thanks

     

    Dimitri



  • 30.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:20 AM

    Boxcar,

     

    Do you have the ip address in the error setup as a network device in CPPM?

     

     



  • 31.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:23 AM

    cjoseph, where is the error setup  in CPPM ? I am not sure of what you talking about.


    Thanks



  • 32.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:25 AM

    You said you had an error "Ignoring request from unknown client xx.xxx.xx.xxx:xxxxx"

     

    Do you have that ip address setup as a network device under Configuration> Network> Devices?

     



  • 33.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:30 AM

    No I haven't because it's the ip address of the CPPM and CP Guest server. Should I add it under Configuration> Network> Devices?



  • 34.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:37 AM

    Boxcar,

     

    Let's start from scratch...

     

    You have CPPM 6.x and IAP-105s, right?

     

    Do you want to do guest self-registration?

     

     



  • 35.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:39 AM

    Ok, it will be better.

     

    Right for both questions. I have CCPM 6 and IAP-105. I want to do guest self-registration.



  • 36.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:10 AM

    With the help of cjoseph, now everything works fine. So a big thanks to him and others helpers.



  • 37.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:11 AM

    So - where was the error?



  • 38.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:12 AM

    Error was about a service in CCPM that I didn't configure as attended.



  • 39.  RE: IAP 105 and ClearPass self-registration
    Best Answer

    Posted Feb 18, 2013 08:25 AM

    Specifically, the default Guest Access service, which is supposed to process guest requests has a service rule that says Aruba-Essid-Name should equal "Guest SSID Name".  That guest SSID name is the one that you replace with your actual Guest SSID.  

     

    That is so that it only processes requests from your Guest SSID and nothing else.  Since the default is "Guest SSID Name", it never saw any of Boxcar's requests, until he changed it to the name of his SSID:

     

    guest.PNG



  • 40.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:31 AM
    Thanks cjoseph! Hate having a loose end in a thread :)


  • 41.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:33 AM

    jsolb,

     

    BOTH of us don't like loose ends to a thread!

     

    Big thanks to Boxcar for his patience!



  • 42.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:37 AM

    Big thanks to you both !

     

    Boxcar