I encountered a strange problem with Guest users on one of the sites. To set the picture correctly, there are numerous sites running on Aruba WLAN infrastructure (7000 Series controllers) with ClearPass serving Captive Portal for Guest access with MAC Caching.
All is working as expected on all "old" sites. We deployed a new site a few days ago and users are having problems with authentication.
On sites that are working OK, under Summary->Policy Used we have this:
On site with problems:
And Alerts giving:
Endpoints repository obviously has that specific client device marked as "Unknown".
As issues are manifesting on only one site, I checked the controller configuration and couldn't see any obvious problem (Server Group is as it should be, Event Viewer on CPPM not showing rejected attempts from that NAS...).
Hope someone will recognise the cause. Thanks.
I got a device to the site to see what is happening. The user gets the CP displayed as expected, fills in the sponsor's details, the sponsor receives the request and approves it, the previously greyed out "Login" button is now green, but when the user tries to log in they are sent to the URL "securelogin.arubanetworks.com/cgi-bin/login".
Doing #show datapath session table <IP address of a device> gives me several denied flags (10.134.1.245 is the client, 10.17.98.65 is the controller):
Source IP       Destination IP  Prot SPort DPort Cntr     Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- -------- ---- --- --- ----------- ---- --------- --------- ---------------
10.134.1.245    10.109.3.86     17   49152 9061  0/0      0    0   0   tunnel 51   9    0         0         FDYC
10.17.98.65     10.134.1.245    6    8081  63247 0/0      0    0   0   local       4    0         0         FDYC
10.134.1.245    10.108.85.24    6    63252 89    0/0      0    0   0   tunnel 51   1    0         0         FDYC
10.17.98.65     10.134.1.245    6    8081  63251 0/0      0    0   1   tunnel 51   23   6         312       SI
10.134.1.245    10.109.60.6     6    63251 443   1/4101   0    0   1   tunnel 51   23   3         152       NYCI
10.134.1.245    184.108.40.206  17   63342 1900  0/0      0    0   0   tunnel 51   b    3         483       FDC
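As an added example (not from the thread or from Aruba), a small Python parser for the datapath session table output quoted above that picks out the sessions carrying the D (deny) flag, which is what a troubleshooter wants to see first when the client is bounced back to the login URL. The sample is the post's own six rows re-laid out one per line, and the flag meanings follow the ArubaOS legend printed with the command.

```python
import re
from dataclasses import dataclass
# Constructed sample: the six rows quoted in the post, re-laid out one flow per
# line under the header the controller prints (the post flattened them).
SAMPLE = """\
Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge Packets Bytes Flags
10.134.1.245 10.109.3.86 17 49152 9061 0/0 0 0 0 tunnel 51 9 0 0 FDYC
10.17.98.65 10.134.1.245 6 8081 63247 0/0 0 0 0 local 4 0 0 FDYC
10.134.1.245 10.108.85.24 6 63252 89 0/0 0 0 0 tunnel 51 1 0 0 FDYC
10.17.98.65 10.134.1.245 6 8081 63251 0/0 0 0 1 tunnel 51 23 6 312 SI
10.134.1.245 10.109.60.6 6 63251 443 1/4101 0 0 1 tunnel 51 23 3 152 NYCI
10.134.1.245 184.108.40.206 17 63342 1900 0/0 0 0 0 tunnel 51 b 3 483 FDC
"""

# Flag letters as printed in the ArubaOS 'show datapath session table' legend.
FLAG_LEGEND = {"F": "fast age", "S": "src NAT", "N": "dest NAT", "D": "deny",
               "Y": "no syn", "C": "client", "I": "deep inspect"}

@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    destination: str  # "tunnel 51" or "local" in the sample
    flags: str

    @property
    def denied(self) -> bool:
        return "D" in self.flags  # the firewall dropped this session

    def explain(self) -> str:
        names = ", ".join(FLAG_LEGEND.get(c, f"unknown({c})") for c in self.flags)
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}/{self.proto} [{names}]"

def parse_session_table(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        f = line.split()
        # Header and dashed separator never start with a dotted-quad source IP.
        if len(f) < 13 or not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", f[0]):
            continue
        # Fields 5..8 are Cntr/Prio/ToS/Age; Destination may contain a space
        # ("tunnel 51"), so it is everything between Age and the last four columns.
        dest = " ".join(f[9:-4])
        flows.append(Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), dest, f[-1]))
    return flows

def denied_flows(flows: list[Flow]) -> list[Flow]:
    return [fl for fl in flows if fl.denied]
```

Feeding the pasted output through `denied_flows(parse_session_table(...))` lists four dropped sessions here, including the controller's own 8081 reply to the client, while the client's 443 session (NYCI) is not denied.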
securelogins.arubanetworks.com is the address that ClearPass Guest uses to submit the authentication. This address is the Aruba controller.
Is there any type of firewall between CPPM and the controller?
In your first post, both requests looked normal. The first (old site) was a user login with mac caching, the second (new site) was the original MAC authentication, which failed because the MAC address did not exist in the Endpoints Database. This is a normal process since the MAC would be unknown on initial request, then after login, updated with Guest credentials.
Are you doing the guest access over HTTP or HTTPS? With recent issues surrounding the "securelogins.arubanetworks.com" certificate, HTTPS may be problematic. If HTTPS, can you try doing it over HTTP and see if anything changes?
- Configuration -> Authentication (Uncheck require HTTPS)
- Configuration -> Authentication -> L3 authentication -> Captive portal profile (use HTTP for authentication).
Thanks for your reply and suggestions. Regarding firewalls, they exist between a site and the data centre where CPPM resides, and are administered by a third party company. I will check what they are permitting/denying, as that can potentially be the source of the problem.
Secondly, we are using HTTPS, and though I can change it and try again, I guess our problem lies somewhere else, as all the other sites are still working happily on HTTPS.
I will be able to update you on Monday.
Please make sure that you changed the captive portal certificate on the controller. The mentioned securelogin.arubanetworks.com certificate was revoked recently and this may be related to your issue, or if it isn't an issue right now, it probably will be one.
Check out this page: http://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809
Before investigating deeper, make sure you are not struck by this problem.
With a bit of delay, thanks for suggesting the cert route (as well as mharing who did the same thing), as that proved to be the root cause of our problem!
My guess is that as this site was provisioned a couple of days after the cert revocation by GeoTrust, none of the users were able to use the service (though that was limited to smart phone/tablet users, not to Windows based laptops), while on the sites provisioned before, the problem was not so widespread.
Great response from Airheads community again, thanks.