Security

last person joined: 3 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Guest - Sponsor lookup

Jump to Best Answer
  • 1.  Clearpass Guest - Sponsor lookup

    Posted Aug 05, 2013 07:52 AM

    Has anyone had success in getting sponsor lookup working?

     

    I'm trying to do what I would assume must be a pretty common configuration: to save the guest from needing to know their sponsor's e-mail address by allowing then to start typing the name of an employee in our organisation, and have the self-registration page auto-complete with a list of matching names from AD and then use the e-mail address for the "sponsor_email" field.

     

    The functionality seems rather confused an not well documented.

     

    Progress so far:

    AUTHENTICATION SERVER (Guest->Adminstration->Operator logins->Server)

    Server Type:MS Active Directory

    User search Display Attributes:

         mail = id
         displayName = text

    Sponsor lookup atribute mapping:

         sponsor_name | displayName
         sponsor_email | mail     
         sponsor_lookup | mail

     

    This seems to work and can lookup names in our AD and return e-mail addresses.

     

    SELF-REGISTRATION PAGE (Guest->Configuration->Guest self-registration->Register page Form)

    replaced "sponsor_email" field with "sponsor_lookup"

    In advanced properties of this form:

    Select2 Options: ajax.args.server = [name of authentication server above]

     

    This also works. When I test the form itself from a PC on our LAN. It looks up the name, shows that display name and sends the request to the corresponding e-mail address.

     

    HOWEVER, when testing wireless access using the access point and captive portal process itself, the page shows but lookup seems to hang without returning anthing. The ajax control just shows "Searching..." with the animated rotating icon forever.

     

    I have the AP security set to use a pre-authentication role but for testing I've opened this to access to anything so I don't think the problem is AP security.

     

    Oddly, if I type the full url of the self-registration page (https:[ClearpassIP]/guest/self_reg_page.php) into the browser of the wireless device, the lookup DOES return results. It's just when the page is redirected as part of the captive portal process that the lookup seems to hang.

     

    Any suggestions, or general tips of getting sponsor lookup for self-registration working would be a HUGE help!

     

     

     



  • 2.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 05, 2013 03:33 PM

    Are you seeing any certificate errors or other issues when loading the page?

     

    From your description, it seems like you have the sponsor lookup function configured correctly and working as intended.

     

    Check that your captive portal redirect URL includes the proper hostname for the CPPM server.  Also check that the CPPM server certificate matches this hostname.

     

    If you suspect an SSL issue, you can try turning off HTTPS and using regular HTTP – this should work without any issues.



  • 3.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 07, 2013 09:41 AM

    Did you actually find a doc somewhere that explained this?  I've searched the manual but could not find anything en the release notice that mention this have no detail whatsoever.

     

    Earlier I did find about lookup of airgroup lookups which had a bunch more setting in the select2 options and select2 hook fields. http://community.arubanetworks.com/t5/Video/Video-ClearPass-Advanced-Configuration-Topics/ta-p/84424

     

    Now regardless of using your 'basic' config or the added select2 stuff.. it simply won't look anything up.

    I'm guessing the authentication server is configured properly since I can perform a search and find everything I want. When I do a lookup however I always receive an error.



  • 4.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 08, 2013 06:30 PM

    In 6.2, we made this easier with a new field you can use in the sponsored registration called "sponsor_lookup".  Use that vs. spnsor_name in the registration form.  

     

    This is reliant on an LDAP lookup into AD or directory.

     

    Screen Shot 2013-08-08 at 6.24.31 PM.png



  • 5.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 09, 2013 08:20 AM
    I forgot to mention that you must add your active directory or other LDAP server in the administration section.


  • 6.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 09, 2013 08:24 AM

    Thanks, but the ldap server is active.

    When I do a 'test lookup' there and select 'search' I get results. When I select 'lookup' however  I always get the same 'error':

    array (
    'error' => 1,
    'errors' =>
    array (
    8 =>
    array (
    'error' => 1,
    'message' => 'Lookup failed',
    ),
    ),
    )

     

     

    Have opened a TAC case to get to the bottom of it.



  • 7.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 09, 2013 09:56 AM

    koenv, if it helps, I don't think this lookup test is necessary for the sponsor lookup to work.

     

    My sponsor lookup is working, but I am getting the same error as you when I try a test lookup in the LDAP server set up:

     

    Test: Perform a lookup test

    Search mode: Perform a lookup ----> FAILS

    Search mode: Perform a search----> SUCCESS

     

     



  • 8.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 05:58 AM

    Here's the screen shots of the problem I'm getting with sponsor lookup. 

    My best guess is that it's caused by a problem with the way the ajax control is written that causes the lookup to fail if the page was loaded due to a captive portal redirection.

     

    1. WITH CAPTIVE PORTAL REDIRECTION

    A wireless client connects to the SSID, tries to browse to a web page and is redirected to self-regitration.

    (note the address bar shows the intended URL)

     

    lookup1.png

     

    Lookup just hangs and the browser  (in this case IE8 but I've tested with IE9, Chrome and firefox) shows a page error.

    The error, bottom left, is:

     

    lookup2.png

     

    Line 876 in the page's source is:

    x.open(request_type, uri, true);

     

    2. WITHOUT CAPTIVE PORTAL REDIRECTION

    Same wireless client.

    Having hit this error, if I manually type the true URL of the self-registration page:

    (note the address bar now shows the true self-reg URL)

     

    lookup3.png

     

    It works. No page error!

     

    Any suggestions for what I can change myself to get captive portal sponsor lookup working?

     



  • 9.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 12:21 PM

    Update.

     

    The only workaround I can find for this issue is for captive portal redirection to point to the login page, rather than the self-registration page, first.

     

    Then the guest must click a link to get to the self-registration page (that contains this ajax sponsor lookup control).

     

    In doing this, the URL in the address bar matches the true page address and lookup works.



  • 10.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 01:49 PM

    What is the captive portal you are using?  Are you using Aruba Instant?



  • 11.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 13, 2013 05:48 PM

    Yes, Aruba Instant.



  • 12.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 14, 2013 04:00 AM

    just a quick FYI, managed to get my field working by going back to the default skin. Apparantly the custom skin screwed up showing the dynamic part of the lookup field. Now running into the same issue as http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Clearpass-Guest-log-in-error-after-sponsor-lookup/td-p/91926

     



  • 13.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 14, 2013 04:11 AM

    Thanks koenv. Yes, that second problem is me too.

    Good to know I'm not the only one struggling to get sponsor lookup working.

    Hopefully a patch or update will remedy the problem soon.



  • 14.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 14, 2013 04:15 AM

    "The Sponsor Name lookup works in the Guest Registration page but when we try to click on login we were getting an error, “-:NwaLdapSponsorUserSearchAjax not callable" . We have opened a bug # 17021 and as per the bug tracker, the issue will be resolved with the next patch but ETA is currently not available. I shall get back to you whenever I have the Release date."



  • 15.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 26, 2013 04:35 AM

    from TAC:

    "The patch that contains the fix for this case is due to be released on Sept 11, 2013. "



  • 16.  RE: Clearpass Guest - Sponsor lookup
    Best Answer

    Posted Sep 13, 2013 05:59 PM
    Just a FYI 6.2 patch 1 was released today and it fixes the issue with sponsor lookup.


  • 17.  RE: Clearpass Guest - Sponsor lookup

    Posted Sep 16, 2013 05:40 AM

    Confirmed. After applying the patch. This problem is solved.



  • 18.  RE: Clearpass Guest - Sponsor lookup

    Posted Aug 09, 2013 09:49 AM

    Thanks for your replies.

     

    I have the sponsor_lookup field working, the steps I took to get there are described in my first post.

     

    First question: Is there no documentation for the use of this new field - and sponsor lookups in general? It took a lot of trial and error to get there which could have been avoided with some decent tech notes.

    Sounds like this would help koenv too.

     

    Second question: going back to my original problem, I have the sponsor lookup working perfectly when I test it from a LAN connected computer by going to the URL https:[ClearpassIP]/guest/self_reg_page.php

     

    However, when I test it on an actual wireless client, the browser is correctly redirected to the captive portal page, everything looks fine, BUT....

    the sponsor lookup just hangs on search, without finding anything.

    At this point, the address showing in the browser's address bar, is the user's intended page, e.g. www.google.com

     

    the really strange thing is that if I change this to https:[ClearpassIP]/guest/self_reg_page.php, the captive portal page reloads with no apparent difference BUT...

    the sponsor lookup now works!

     

    So why isn't it working on captive portal redirection?

     

    I think I have eliminated the possibility this could be due to a restriction on the controller. We are using Instant APs. The Virtual controller is set as follows (weakened security for testing):

     

    ---------------------------------------

    3. Security

    Splash: External RADIUS Authentication

    Auth server: clearpass

    Re-auth internal: 0 hrs

    Accounting: Enabled

    Acc int. 10 mins

    Blacklisting: Disabled

    Encryption: enabled

    WPA-2 8-63 chars

    External splash: [clearpassIP]

    URL: /guest/self_reg_page.php

    port: 80

    capt portal failure: deny internat

    automatic whitelisting: disabled

     

    4. Access

    Unrestricted

    ---------------------------------------

     

    So is there something I can change in Clearpass manager (maybe Configuration->Services->Guest Access - Web Login Pre-Auth??)

    or something in Clearpass Guest that I can change to get this working?