MAS 7.3 not redirecting to Clearpass Guest

  • 1.  MAS 7.3 not redirecting to Clearpass Guest

    Posted Aug 19, 2014 11:22 PM



    I'm working through a configuration in my lab with a MAS S3500 running and Clearpass. I'm trying to put together one of those configs that has everything working - it makes it easier to copy and paste when I'm with a customer. I should have gotten around to this a while ago, but better late than never!


    I have been able to get 802.1x, Mac auth, and 802.1x + Mac auth working without too much of an issue. The problem that I'm running into really seems basic, but I'm currently at a loss. 


    The problem occurs when I'm placed in the captive portal role and I attempt to go to the Clearpass Guest page. I've tried it on three different browsers and they all hang. I can manually enter the URL from the login page and it works without issue, exactly what I expect. It "feels" like the problem you get on the ArubaOS side when you don't have an ACL specifically for Clearpass in your Captive Portal role. On the MAS side, you'll see below that there is a netdestination that allows traffic to my CPPM server.


    I have the following user role in the MAS config:


    user-role ToP-CPPM-Guest-CP
       vlan 18
       captive-portal "ToP-CPPM-Portal"


    Here's the captive portal config:


    aaa authentication captive-portal "ToP-CPPM-Portal"
       default-role "authenticated"
       server-group "Clearpass"
       login-page ""


    Here's the AAA config:


    aaa profile "ToP-Guest-AAA-Profile"
       initial-role "ToP-CPPM-Guest-CP"
       authentication-mac "ToP-Mac-Auth"
       mac-default-role "authenticated"
       mac-server-group "Clearpass"
       radius-accounting "Clearpass"


    Here's the port configuration:


    interface gigabitethernet "0/0/38"
       mstp-profile "ToP-BPDU-Guard"
       lldp-profile "lldp-factory-initial"
       poe-profile "poe-factory-initial"
       aaa-profile "ToP-Guest-AAA-Profile"
       description "Captive Portal with Caching port"
       switching-profile "ToP-Access"
       no trusted port


    When I connect to port gig0/0/38, there's a MAC Auth / Caching error in Access Tracker, as expected, and then I'm placed in the correct role in the user-table:

   40:6c:8f:36:de:44  40:6c:8f:36:de:44  ToP-CPPM-Guest-CP  00:00:15    No    Wired       0/0/38     ToP-Guest-AAA-Profile  18 (18)


    A view of the station table shows the following:


    (ToP-S3500) #show station-table mac 40:6c:8f:36:de:44

    Association Table
    BSSID              IP   Essid  AP name  Phy  Age
    -----------------  ---  -----  -------  ---  --------
    01:80:c2:00:00:03  N/A  -               b    00:00:16


    A show rights on the role shows the correct settings:


    (ToP-S3500) #show rights ToP-CPPM-Guest-CP

    Derived Role = 'ToP-CPPM-Guest-CP'

    Assigned VLAN = 18
    Periodic reauthentication: Disabled
    ACL Number = 39/0/40
    Captive Portal profile = ToP-CPPM-Portal
    access-list List
    Position  Name             Type       Location
    --------  ----             ----       --------
    1         ToP-CPPM-Portal  stateless

    Priority  Source  Destination               Service    Action        TimeRange  Log  Expired  QoS  Policer  Blacklist  Mirror  IPv4  Nexthop
    --------  ------  -----------               -------    ------        ---------  ---  -------  ---  -------  ---------  ------  ----  -------
    1         user    ToP-CPPM-Portal-allow-ip  svc-http   permit                                                                  4
    2         any     any                       svc-http   dst-nat 8080                                                            4
    3         any     any                       svc-https  dst-nat 8081                                                            4
    4         any     any                       svc-dns    permit                                                                  4
    5         any     any                       svc-dhcp   permit                                                                  4
    Expired Policies (due to time constraints) = 0


    (ToP-S3500) # show netdestination ToP-CPPM-Portal-allow-ip

    Position  Type  IP addr  Mask-Len/Range
    --------  ----  -------  --------------
    1         host           32


    I'm just at a loss on this one. I feel like there's some knob that I'm missing and I'm sure it's going to be a eureka moment when it's pointed out. 


    Thanks for all of the help!



  • 2.  RE: MAS 7.3 not redirecting to Clearpass Guest

    Posted Aug 19, 2014 11:28 PM
    Does vlan 18 have a layer 3 interface on the switch?

  • 3.  RE: MAS 7.3 not redirecting to Clearpass Guest

    Posted Aug 19, 2014 11:42 PM

    Hey Tim,


    Nope, it's a L2 interface trunked down to the switch. I'm using it as a general purpose VLAN for all the user facing ports.


    There are two VLANs, 18 and 172, that are trunked to the S3500. They run upstream to a Juniper SRX that holds the gateways for the 18 and 172 VLANs.



  • 4.  RE: MAS 7.3 not redirecting to Clearpass Guest
    Best Answer

    Posted Aug 19, 2014 11:46 PM
    You need to add an RVI for that VLAN on the stack in order for redirection to occur.
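To catch this class of misconfiguration before it reaches a customer site, here is an added Python check (not from this thread or from Aruba) that parses a MAS-style config fragment and flags any user-role that applies a captive-portal profile in a VLAN without a routed interface. It assumes an RVI appears as an "interface vlan N" stanza carrying an "ip address" line; the sample config is constructed to mirror the thread's role, and the addresses are placeholders.

```python
import re

# Constructed sample modelled on the thread's config: the captive-portal role
# sits in VLAN 18, but only VLAN 172 has a routed interface (placeholder IP).
SAMPLE_CONFIG = """
user-role ToP-CPPM-Guest-CP
   vlan 18
   captive-portal "ToP-CPPM-Portal"
user-role ToP-Employee
   vlan 172
interface vlan 172
   ip address 172.16.172.2 255.255.255.0
"""

def parse_roles(config):
    """Map each user-role to its VLAN and captive-portal profile (if any)."""
    roles, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if m := re.match(r"^user-role (\S+)", line):
            current = m.group(1)
            roles[current] = {"vlan": None, "captive_portal": None}
        elif not line.startswith(" "):  # another top-level stanza ends the role
            current = None
        elif current is None:
            continue
        elif m := re.match(r"^\s+vlan (\d+)", line):
            roles[current]["vlan"] = int(m.group(1))
        elif m := re.match(r'^\s+captive-portal "([^"]+)"', line):
            roles[current]["captive_portal"] = m.group(1)
    return roles

def vlans_with_rvi(config):
    """VLAN ids with an 'interface vlan N' stanza carrying an ip address (assumed RVI)."""
    rvis, current = set(), None
    for line in config.splitlines():
        if m := re.match(r"^interface vlan (\d+)", line):
            current = int(m.group(1))
        elif line.strip() and not line.startswith(" "):
            current = None
        elif current is not None and re.match(r"^\s+ip address ", line):
            rvis.add(current)
    return rvis

def captive_portal_roles_missing_rvi(config):
    """Roles applying a captive-portal profile in a VLAN the switch cannot redirect in."""
    roles, rvis = parse_roles(config), vlans_with_rvi(config)
    return sorted(name for name, r in roles.items()
                  if r["captive_portal"] and r["vlan"] not in rvis)
```

Run it against the output of "show running-config" and an empty result means every captive-portal role's VLAN has an RVI on the stack.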

  • 5.  RE: MAS 7.3 not redirecting to Clearpass Guest

    Posted Aug 20, 2014 08:26 AM



    Thanks - that's the bonus of a fresh pair of eyes! It worked like a charm when I tried this morning.