I am still confused with ClearPass and I haven't found an answer in the doc or here. So here is what I would like to do:
In ClearPass, I have set up a self-registration (works, but I don't know about the NAS login; could it be done with ClearPass) and now I need that when connecting to the IAP, the visitor is redirected to this self-registration. I have read about RADIUS, NAS, ... but I am a bit lost.
Can anyone give me an overview of what to do?
Never done this with an IAP before, but I would assume it's the same procedure as normal.
Are you using CPPM or plain CP Guest (Amigopod)?
First add the CPPM server as Radius server in the IAP.
On CPPM create the IAP as a Radius Device (Configuration/Network/Device)
Use the same shared secret and make sure you have the correct ip of the IAP when entering this in CPPM.
That should be enough to get the IAP and CPPM talking.
Now - edit your self-registration.
Click the NAS Vendor Settings tab
Check for "Enable guest login for a NAS"
I think most of the stuff here should still be valid.. Google for Amigopod-AOS-Integration-AppNote.pdf - select the pdf that is hosted on arubanetworks.com.
Let me know if this helps you or what you get stuck on and I'll try to elaborate..
Thanks for this first response. I am using plain CP Guest, can I follow your procedure or is it different from using CPPM?
Then that document is even more valid.
On CP Guest you create the IAP as NAS device under the Radius/NAS List tab.
When you try to authenticate with it check the logs under Support/System logs and you should be able to see what IP address the IAP tries to access with..
On CP Guest, I don't find the Radius/NAS List tab. The document is totally different from what I am seeing in CP Guest, I can't match the information.
I got ClearPass Guest 22.214.171.12410.
OK thanks, so I use the procedure from your first post?
Here is where I am now :
First add the CPPM server as Radius server in the IAP => ok but do I need to open the ports 1812 and 1813 on my CPPM server ?
On CPPM create the IAP as a Radius Device (Configuration/Network/Device) => ok done, and if I have more IAPs, do I need to do the same for each or is there another faster way?
Use the same shared secret and make sure you have the correct ip of the IAP when entering this in CPPM. => ok
That should be enough to get the IAP and CPPM talking => Not working now
Thanks for your help.
Hehe – I see and understand your troubles…
=> ok but do I need to open the ports 1812 and 1813 on my CPPM server ?
What kind of link do you have? If the CPPM is behind a firewall/NAT device you will have to make sure UDP 1812/1813 and TCP 80/443 are reachable.
The IAP needs RADIUS access to your CPPM server so those ports need to be reachable.
The clients on the IAP need http/https connection to the CPPM so that too needs to be reachable through the link you have – which is internet?
The CPPM needs a route back to the client through the IAP.
=> ok done and if I have more IAP
Yes, you will add each of them - assuming those IAPs are on other locations and then not a part of the IAP "cluster".
=> ip address: the ip of the radius device (IAP) => what about if I need to do this with multiple IAP ?
Well, in a multiple controller scenario you would click the Dynamic address field "The Controller will send the IP to submit credentials". Also input which addresses are allowed.
How can I check that the IAP and CPPM are talking ? I think the problem is here.
Thanks John, it helps me to go further.
So I have opened the right ports on the firewall. Now when I connect to the WLAN, I can see in the address field:
But I don't see the login page, only "connection has been interrupted".
What is the missing thing ? I think I am close to the end but some problems are still here.
Thanks again John.
I have found the solution, it was this: I unchecked the "Require HTTPS for guest access" checkbox.
Now I can create a new user and log in. But it leads to another issue. After the login, I went on a webpage with a 1 on the upper left and in the address bar: http://adressofthevc/cgi-bin/login.
What am I doing wrong now?
When does this happen?
Do you login from a device connected to the SSID on the IAP?
What does the captive portal profile on the controller look like?
It happens when I log in to the SSID of the IAP with my laptop, for example.
What does the captive portal profile on the controller look like? => Where can I check this?
Another little issue (I am logged on the SSID of the IAP) is that when I am typing, for example, www.google.com, an "https" gets added and I get an error in the browser. If I remove the "s" on https, no problem, I can log on normally. Any idea?
About my "after" login problem, I think it's about this : when I look at my connected user in the IAP, his role is : External CP. Is it correct to have this ?
One more information, when I connect on my IAP as a guest on wifi and go check the alerts on lan, here is what I see :
"The AP cannot authenticate this client using 802.1x because the RADIUS server did not respond to the authentication request".
One more question, do I need to configure something else in CPPM? For example a service? I think something is missing but I can't find what.
I got this working on my lab.
Now - in my setup there is no firewall between the IAP and the Clearpass so all traffic is allowed between them.
You will need to open traffic on ports TCP 80/443, UDP 1812/1813 and UDP 3799 (for CoA).
I'm running software 126.96.36.199-
I'll just run through the highlights..
On the IAP:
Settings / General /
New Network (or edit existing)
1. WLAN Settings
IP assignment: VC assigned (at least in my scenario)
3. Security (what I don't mention leave at default value)
When testing just select Unrestricted at first.
Once you have it running, adjust the role and access rules as you want.
Create the IAP as a Radius Device using the VC IP and shared secret as previously entered
Now - this next part I'm not able to get as I want. Mobility Controllers send their IP address in the URL as "switchip". This way you can have multiple Controllers using the same login/self-registration by checking "The controller will send its IP to submit credentials". This basically redirects the client back to the NAS device to try to login with the credentials supplied.
The IAP however sends "securelogin.arubanetworks.com" with https using the built-in SSL certificate. That might be ok, but it's just different. My iPad didn't complain though - so it might be ok..
On CP Guest
Edit or create a new login/self-registration
NAS login section
And .. That should be it..
Thanks for the time taken on this, everything is configured exactly the same as you have written but I am still blocked after the login. Now I have this page:
https://securelogin.arubanetworks.com/cgi-bin/login and a number in the page
Any idea ?
Sorry but where can I find the log ?
How to set up this : external radius authentication which was checked before the CP local db ?
On Event Viewer :
Ignoring request from unknown client xx.xxx.xx.xxx:xxxxx
Yes, the VC IP is the same in IAP-105 and in Network-Device in CPPM.
Thanks, have a nice weekend too.
After the weekend, still the same problem and I can't find where the "bug" is. Any new idea or something more to check?
Do you have the ip address in the error setup as a network device in CPPM?
cjoseph, where is the error setup in CPPM? I am not sure what you are talking about.
You said you had an error "Ignoring request from unknown client xx.xxx.xx.xxx:xxxxx"
Do you have that ip address setup as a network device under Configuration> Network> Devices?
No I haven't because it's the ip address of the CPPM and CP Guest server. Should I add it under Configuration> Network> Devices?
Let's start from scratch...
You have CPPM 6.x and IAP-105s, right?
Do you want to do guest self-registration?
Ok, it will be better.
Right for both questions. I have CPPM 6 and IAP-105. I want to do guest self-registration.
With the help of cjoseph, now everything works fine. So a big thanks to him and the other helpers.
So - where was the error?
The error was about a service in CPPM that I didn't configure as expected.
Specifically, the default Guest Access service, which is supposed to process guest requests has a service rule that says Aruba-Essid-Name should equal "Guest SSID Name". That guest SSID name is the one that you replace with your actual Guest SSID.
That is so that it only processes requests from your Guest SSID and nothing else. Since the default is "Guest SSID Name", it never saw any of Boxcar's requests, until he changed it to the name of his SSID:
BOTH of us don't like loose ends to a thread!
Big thanks to Boxcar for his patience!
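Two questions in this thread ("How can I check that the IAP and CPPM are talking?" and why the default Guest Access service never matched) can both be checked from the command line. The script below is an added example and is not part of the thread, of ClearPass, or of Aruba's own tooling: it builds a minimal RFC 2865 Access-Request with a PAP password, a NAS-IP-Address and the Aruba-Essid-Name vendor attribute (vendor ID 14823, VSA type 5, the values from Aruba's RADIUS dictionary), sends it to UDP 1812, verifies the Response Authenticator so a reply is only trusted if it was computed with the shared secret, and separately evaluates the same "Aruba-Essid-Name EQUALS ..." rule that CPPM's Guest Access service applies. All addresses, the SSID name, the user name and the secret in the example are constructed placeholders.

```python
"""RADIUS Access-Request probe and CPPM-style ESSID service-rule check (added example)."""
import hashlib
import os
import socket
import struct

ARUBA_VENDOR_ID = 14823          # IANA enterprise number for Aruba Networks
ARUBA_ESSID_NAME = 5             # Aruba VSA "Aruba-Essid-Name" (string)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the authenticator."""
    pad = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def attr(type_: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (incl. the 2 header bytes), Value."""
    return struct.pack("!BB", type_, len(value) + 2) + value


def aruba_vsa(vsa_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) attribute wrapping one Aruba sub-attribute."""
    inner = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return attr(26, struct.pack("!I", ARUBA_VENDOR_ID) + inner)


def build_access_request(username, password, secret, nas_ip, essid,
                         ident=1, authenticator=None) -> bytes:
    """Access-Request carrying User-Name(1), User-Password(2), NAS-IP-Address(4)
    and Aruba-Essid-Name, i.e. the fields a CPPM service rule can match on."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, username.encode())
             + attr(2, pap_password(password.encode(), secret.encode(), authenticator))
             + attr(4, socket.inet_aton(nas_ip))
             + aruba_vsa(ARUBA_ESSID_NAME, essid.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list after the 20-byte header; Aruba VSAs are keyed
    as ("Aruba", sub-type), standard attributes by their numeric type."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        type_, length = packet[pos], packet[pos + 1]
        if length < 2:
            break                                   # malformed attribute, stop parsing
        value = packet[pos + 2:pos + length]
        if type_ == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == ARUBA_VENDOR_ID:
            attrs[("Aruba", value[4])] = value[6:6 + value[5] - 2]
        else:
            attrs[type_] = value
        pos += length
    return attrs


def service_rule_matches(attrs: dict, expected_essid: str) -> bool:
    """The CPPM Guest Access service rule 'Aruba-Essid-Name EQUALS <expected>'.
    With the shipped default 'Guest SSID Name' no real request ever matches."""
    return attrs.get(("Aruba", ARUBA_ESSID_NAME)) == expected_essid.encode()


def sign_response(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Build a reply the way a server does: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def response_is_authentic(resp: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Reject replies that were not computed with our shared secret."""
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return len(resp) >= 20 and resp[4:20] == expected


def probe(server, secret, username, password, nas_ip, essid, timeout=3.0) -> str:
    """Send one Access-Request from this host. 'no-response' is what you see when the
    source IP is not a CPPM network device ('Ignoring request from unknown client')
    or when UDP 1812 is blocked on the path."""
    auth = os.urandom(16)
    pkt = build_access_request(username, password, secret, nas_ip, essid, authenticator=auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, (server, 1812))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no-response"
    if not response_is_authentic(data, auth, secret.encode()):
        return "bad-authenticator"           # wrong shared secret on one side
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(data[0], f"code-{data[0]}")


if __name__ == "__main__":
    # Constructed placeholders: run this from the IAP's management subnet so the
    # source address is the one entered under Configuration > Network > Devices.
    print(probe("192.0.2.10", "shared-secret-placeholder", "guest1", "pw", "192.0.2.20", "MyGuestSSID"))
```

A "reject" is a healthy result for connectivity purposes: it proves the IAP's address is accepted as a network device and the shared secret matches; only then is it worth checking whether the service rule classifies the request. `service_rule_matches` shows the thread's final finding in isolation: the same request evaluates to False against the default "Guest SSID Name" and True once the rule names the real SSID.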
Big thanks to you both !