Security

last person joined: 17 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Trouble with clearpass webauth...

Jump to Best Answer
  • 1.  Trouble with clearpass webauth...

    Posted Jul 07, 2014 08:30 PM

    Setting up a open-ssid to captive portal to a landing page. 

    The landing page has links for guest self-registration, for existing guest/campus users to authenticate

     

    I had this working a while ago on a previous cppm version - wating for summer to deply

     

    Appears Clearpass 6.3 changed things....  rebuilt my clearpass config using ASE tool

    I have it working on my test controller - then I when to copy user-roles - aaa profiles and acl's to another controller....I have problems.

     

     I get redirected to landing page - can follow links.  Auth screen comes up I can auth/self-register - but I'm not getting redirected to the specified page after login or put into the appropriate group on the controller

     

    In access tracker - I see a successful Application auth for my webauth page - but I don't see that successive RADIUS auth that I do on my working test controller.

     

    I can't see what I'm missing.   The critical pieces appear to match aaa profiles, roles etc - but obviously I'm missing something.

     

    Anything to point me in the right direction and show me what I've overlooked will be appreciated.

     

     

    Travis

     

     

     

     



  • 2.  RE: Trouble with clearpass webauth...

    Posted Jul 07, 2014 10:00 PM

    Can you post the access tracker request?



  • 3.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 01:41 AM

    Here is the Application Source access tracker I see - but then is missing the Radius which occurs on the controller this is working on:


    Request Details Summary -
    Session Identifier: W0000002d-01-53bb2dfd
    Date and Time: Jul 07, 2014 16:32:14 PDT
    Username: trschick
    End-Host Identifier:
    Access Device IP/Port: -:-
    Audit Posture Status: UNKNOWN (100)
    System Posture Status: UNKNOWN (100)
    Login Status: ACCEPT

    Policies Used -
    Service: ucd-ucdguest Guest Access Web Login
    Authentication Method: Not applicable
    Authentication Source: UCD LDAP
    Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
    Roles: [Employee], [User Authenticated]
    Enforcement Profiles: [Allow Application Access Profile]
    Service Monitor Mode: Disabled

    Input Computed Attributes -
    Application:ClearPass:Page-Name = UCDLogin
    Application:Name = WebLogin
    Authentication:Full-Username = trschick
    Authentication:Full-Username-Normalized = trschick
    Authentication:Source = UCD LDAP
    Authentication:Status = User
    Authentication:Username = trschick
    Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
    Connection:Protocol = Application
    Connection:Src-IP-Address = 127.0.0.1
    Date:Date-of-Year = 2014-07-07
    Date:Date-Time = 2014-07-07 16:32:13
    Date:Day-of-Week = Monday
    Date:Time-of-Day = 16:32:13

    Alerts -
    Error Code: 0
    Error Category: Success
    Error Message: Success
    Alerts for this Request -
    WebAuthService: User 'trschick' not present in [Guest User Repository](localhost)

     

    A working Request has a similar Application auth:


    Request Details Summary -
    Session Identifier: W0000002c-01-53bb2dbe
    Date and Time: Jul 07, 2014 16:31:10 PDT
    Username: trschick
    End-Host Identifier:
    Access Device IP/Port: -:-
    Audit Posture Status: UNKNOWN (100)
    System Posture Status: UNKNOWN (100)
    Login Status: ACCEPT

    Policies Used -
    Service: ucd-ucdguest Guest Access Web Login
    Authentication Method: Not applicable
    Authentication Source: UCD LDAP
    Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
    Roles: [Employee], [User Authenticated]
    Enforcement Profiles: [Allow Application Access Profile]
    Service Monitor Mode: Disabled

    Input Computed Attributes -
    Application:ClearPass:Page-Name = UCDLogin
    Application:Name = WebLogin
    Authentication:Full-Username = trschick
    Authentication:Full-Username-Normalized = trschick
    Authentication:Source = UCD LDAP
    Authentication:Status = User
    Authentication:Username = trschick
    Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
    Connection:Protocol = Application
    Connection:Src-IP-Address = 127.0.0.1
    Date:Date-of-Year = 2014-07-07
    Date:Date-Time = 2014-07-07 16:31:10
    Date:Day-of-Week = Monday
    Date:Time-of-Day = 16:31:10

    Alerts -
    Error Code: 0
    Error Category: Success
    Error Message: Success
    Alerts for this Request -
    WebAuthService: User 'trschick' not present in [Guest User Repository](localhost)

     

    that is then follwed with a Radius Source item:


    Request Details Summary -
    Session Identifier: R000002a0-01-53bb2dcb
    Date and Time: Jul 07, 2014 16:31:23 PDT
    Username: trschick
    End-Host Identifier: 647002071CED
    Access Device IP/Port: 128.120.5.14:0
    Audit Posture Status: UNKNOWN (100)
    System Posture Status: UNKNOWN (100)
    Login Status: ACCEPT

    Policies Used -
    Service: ucd-ucdguest Guest Access
    Authentication Method: PAP
    Authentication Source: Ldap:ldap.ucdavis.edu
    Authorization Source: UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
    Roles: [Employee], [User Authenticated]
    Enforcement Profiles: UCD set UCD-guest role
    Service Monitor Mode: Disabled

    Input RADIUS Attributes -
    Radius:Aruba:Aruba-AP-Group = wls14-test
    Radius:Aruba:Aruba-Device-Type = Win Vista
    Radius:Aruba:Aruba-Essid-Name = ucd-guest-wls14
    Radius:Aruba:Aruba-Location-Id = 00-ap105-test
    Radius:IETF:Called-Station-Id = 000B8661F51C
    Radius:IETF:Calling-Station-Id = 647002071CED
    Radius:IETF:Framed-IP-Address = 128.120.101.74
    Radius:IETF:NAS-IP-Address = 128.120.5.14
    Radius:IETF:NAS-Port = 0
    Radius:IETF:NAS-Port-Type = 19
    Radius:IETF:Service-Type = 1
    Radius:IETF:User-Name = trschick

    Input Computed Attributes -
    Authentication:ErrorCode = 0
    Authentication:Full-Username = trschick
    Authentication:Full-Username-Normalized = trschick
    Authentication:MacAuth = NotApplicable
    Authentication:OuterMethod = PAP
    Authentication:Posture = Unknown
    Authentication:Source = UCD LDAP
    Authentication:Status = User
    Authentication:Username = trschick
    Authorization:Sources = UCD LDAP Blacklist, UCD LDAP Public, UCD LDAP
    Connection:AP-Mac =
    Connection:Client-Mac-Address = 647002071CED
    Connection:Client-Mac-Address-Colon = 64:70:02:07:1c:ed
    Connection:Client-Mac-Address-Dot = 6470.0207.1ced
    Connection:Client-Mac-Address-Hyphen = 64-70-02-07-1c-ed
    Connection:Client-Mac-Address-NoDelim = 647002071ced
    Connection:Client-Mac-Vendor = TP-LINK TECHNOLOGIES CO., LTD.
    Connection:Dest-IP-Address = 128.120.128.152
    Connection:Dest-Port = 1812
    Connection:NAD-IP-Address = 128.120.5.14
    Connection:Protocol = RADIUS
    Connection:Src-IP-Address = 128.120.5.14
    Connection:Src-Port = 33890
    Connection:SSID = ucd-guest-wls14
    Endpoint:Guest Role ID = 2
    Endpoint:social_args = {"page_name":"Social_Login","oauth":"facebook","state":"1404401443-a9020c","code":"AQDh6_5WOBH0SE7fSdQh5XF8YvYAl4b5lNiBMLJl1MEXNBdaCHgr5xZTff85r8zdq8X7FxcDB08Wo7n9AzfDGZoqNQYXR-PyvpwKgdeIhKoUflfFHimuaSpsY0DRuJ13Kw4iy45vAQAVUO4CYGWOJRBIVfr6I37IYk95zgqCUUgR0neH83bZJE-BesOAxdeLRS3f1kGpt55yVCWJJp-KtcnKYKh_BYKTHY3yXcZYcWRvPN758xKDEUkNrukx-nYLGwbMnXVBJIBQOPd5leMhyQkPShhpBCiRgF2QPJ6aSwXxElbvxdAgk5gi7j_Ol_V_cyg"}
    Endpoint:social_json = {"id":"100000462021539","email":"trschick@gmail.com","first_name":"Travis","gender":"male","last_name":"Schick","link":"https:\\/\\/www.facebook.com\\/travis.schick.7","locale":"en_US","name":"Travis Schick","timezone":-7,"updated_time":"2014-02-17T05:51:46+0000","username":"travis.schick.7","verified":true}
    Endpoint:social_method = facebook
    Endpoint:social_password = ********  #had overwritten before... but this should make it clear 
    Endpoint:social_timestamp = 1404401471
    Endpoint:social_username = trschick@gmail.com
    Endpoint:social_vip =
    Endpoint:Username = trschick

    Output RADIUS Attributes -
    Radius:Aruba:Aruba-User-Role = UCD-guest

    Accounting Details -
    Account Session ID: trschick647002071CED-17
    Start Timestamp: Jul 07, 2014 16:31:24 PDT
    End Timestamp: Jul 07, 2014 18:01:45 PDT
    Status: InActive
    Termination Cause: Session-Timeout
    Service Type:
    Number of Authentication Sessions: 1

    Network Details -
    NAS IP Address: 128.120.5.14:0
    NAS Port Type: Wireless-802.11
    Calling Station ID: 647002071CED
    Called Station ID: 000B8661F51C
    Framed IP Address: 128.120.101.74
    Account Auth:

    Utilization -
    Active Time: 5421 secs
    Account Delay Time: 0
    Account Input Octets: 96414691
    Account Output Octets: 47121439
    Account Input Packets: 150435
    Account Output Packets: 135752

    Authentication Session Details -
    Session ID: R000002a0-01-53bb2dcb
    Type: Start
    Date/Time: Jul 07, 2014 16:31:24 PDT



  • 4.  RE: Trouble with clearpass webauth...

    Posted Jul 07, 2014 10:29 PM

    A couple things to check:

     

    • On the controller's captive portal profile, check that the correct RADIUS server group is referenced.
    • On CPPM, check Monitoring -> Event Viewer.  Two message you might see here.  One is if CPPM is ignoring requests from your controller (NAD device hasn't been added) and the second is if the shared secret is wrong.

    You can also test RADIUS authentication on the controller from Diagnostics -> Network -> AAA Test Server.



  • 5.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 01:57 AM

    The correct RADIUS server group is referenced.

     

    On the CPPM I'm not getting any errors when I attempt an authentication.... I wish I was!

    I have successfully tested Auth from the controller using the Diag test

     

    The controllers are part of a common subnet - that has been added to the CPPM

     

    From reading I gathered that having a landing page that then links to a login page - can create issues.... its why I need to configure a application auth service... and that the application auth should then be followed by a radius auth in normal operation.... that clearpass is in the background making sure mac address, etc..  is getting passed internally as needed.   Don't recall addressing this on the controller config - but  I'm not clear on the issue.... I'm looking at my aaa profiles and user-roles, but I think I'm missing something that I don't think is related



  • 6.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 03:19 AM

    I am not all that familiar with social media logins yet.  That being said, have you whitelisted facebook on the captive portal login role?

    facebook.com

    m.facebook.com

    fbstatic-a.akamaihd.net



  • 7.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 04:03 AM

    Yes, but for these access attempts I was not using a social media auth.... I'm guessing that just  gets stored in the endpoints db from a previous auth attempt



  • 8.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 09:07 AM
    What authentication method are you using in the service and the layer 3 authentication profile ?

    PAP , MSCHAP ?


  • 9.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 01:16 PM

    I have PAP and MSCHAP specified.   Currently allowing local guest accounts (PAP) or using LDAP (MSCHAP hashes)



  • 10.  RE: Trouble with clearpass webauth...
    Best Answer

    Posted Jul 08, 2014 12:15 PM

    In that case, a few new things to check.

     

    Are you doing Controller-Initiated or Server-Initiated for the Web Login's "Login Method"?  

     

    If Controller-Initiated, I assume you are using securelogin.arubanetworks.com as the "Web Address" and "Vendor Default" as the "Secure Login Method".  Does your controller have a different public server certificate where the controller's hostname would be overriden?  To test, connect a PC/MAC to the SSID and try to resolve securelogin.arubnateworks.com.  If it's not your controller, the controller's hostname has been changed with a new certificate.

     

    If Server-Initiated, a few questions?

    • RFC-3576 configured on the new controller with the correct shared secret?
    • Anything in the firewall that might be blocking RFC-3576?  UDP port 3799.

    I don't suspect it has anything to do with having an initial landing page that branches off to other CPG pages.  Unless, that landing page isn't hosted by CPG?  CPG retains the controller-passed values betweeen CPG page navigations.

     

    You may want to have support do a rundown of your AOS+CP config since there are a lot of small knobs that might be off which would lead to this problem.  I've listed only a few.



  • 11.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 01:34 PM


    @rmehra wrote:

    In that case, a few new things to check.

     

    Are you doing Controller-Initiated or Server-Initiated for the Web Login's "Login Method"?  

    ---

    Controller Initiated 

    ---

    If Controller-Initiated, I assume you are using securelogin.arubanetworks.com as the "Web Address" and "Vendor Default" as the "Secure Login Method".  Does your controller have a different public server certificate where the controller's hostname would be overriden?  To test, connect a PC/MAC to the SSID and try to resolve securelogin.arubnateworks.com.  If it's not your controller, the controller's hostname has been changed with a new certificate.

     ---

    Correct,  I have a wildcard cert installed.   securelogin.arubanetworks.com does not resolves, nor does captiveportal.<domain of wildcard>

    ***correction***

    I do get redirected if I use captiveportal-login.<domain of wildcard) - which is the actual name the controller presents when it has a wildcard cert installed.

     

    updated the web loging in CPG to use this instead of securelogin.arubanetworks.com.....   so now I get redirected back to the landing page... instead of failing on securelogin.arubanetworks.com on the controllers my config is not working on.... so that is.... better?

    *update* it is better.... some underlying ldap bingin failures resulted in failed auth attempt and going back to landing page...

    --- 

    If Server-Initiated, a few questions?

    • RFC-3576 configured on the new controller with the correct shared secret?
    • Anything in the firewall that might be blocking RFC-3576?  UDP port 3799.

    ---

    I tried with server initiated... but that didn't work - though it sounds like the option I'd want since I'm using a landing page and having the user browse to the Web Login?

    ---  

    I don't suspect it has anything to do with having an initial landing page that branches off to other CPG pages.  Unless, that landing page isn't hosted by CPG?  CPG retains the controller-passed values betweeen CPG page navigations.

     ---

    CPG is hosting the landing page

    --- 

    You may want to have support do a rundown of your AOS+CP config since there are a lot of small knobs that might be off which would lead to this problem.  I've listed only a few.

    --- 

    I am following up with support - but also trying to see if there's anything else I can try in the mean time.

    ---


     



  • 12.  RE: Trouble with clearpass webauth...

    Posted Jul 08, 2014 04:08 PM

    "CERTS!!!!"      In the best Khan-esque impression I can muster

     

    So my test box was using a old outdated ssl cert for captive portal  (must have restored from an old config a while back - since i had the current certs installed as well)  Never saw this as a problem... since cppm had current cert so the client web browser was always happy....

     

    So even though the expired cert was still a wildcard - and even though it was expired.... the process worked

    So I then assumed my clearpass config was good and that the trouble was on the controllers I was attempting to configure with the new captive portal....

     

    The true problem was the server address on CPG - since I had a wildcard cert I needed to use captiveportal-login NOT securelogin

    so not really a cert issue.... but definately weird that outdated certs resulted in a misconfiguration on CPG to work.

     

    Thank you rmehra - having me double-check that server address got me thinking on wildcard cert issues and checking