Security

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------

The factory shipped certificate is self signed and will cause issues. Ideally you need to replace this with a publicly signed certificate on both the CPPM + IAP. You'll also need to ensure that the NAS Login Settings also match the CN of the Certificate installed on the IAP.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/Configuration/EnablingAndEditingNASLoginProperties.htm

------------------------------
Craig Syme
------------------------------

Original Message:
Sent: Jun 11, 2021 04:14 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------

Hi,

ok i thought that might be the problem....
I have the same certificate from clearpass portal.xy.de also uploaded in Central via Global, Organizations, Certificates, how can I assign the certificate in Central to a group or an IAP, or is that automatic?

So in clearpass I have to replace securlogin.arubanetworks.com with portal.xy.de, right?

Thanks a lot

------------------------------
Tobias
------------------------------

Original Message:
Sent: Jun 11, 2021 04:59 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

The factory shipped certificate is self signed and will cause issues. Ideally you need to replace this with a publicly signed certificate on both the CPPM + IAP. You'll also need to ensure that the NAS Login Settings also match the CN of the Certificate installed on the IAP.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/Configuration/EnablingAndEditingNASLoginProperties.htm

------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 04:14 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------

Once you've uploaded the IAP Cert to Central (which you have already) go to Security -> Certificate usage where you assign the certificate to the Captive Portal. That is correct, under your Vendor Settings on the CPPM Guest page, where it says IP Address you'd add the CN of the Certificate you uploaded to the IAP.



------------------------------
Craig Syme
------------------------------

Original Message:
Sent: Jun 11, 2021 05:24 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi,

ok i thought that might be the problem....
I have the same certificate from clearpass portal.xy.de also uploaded in Central via Global, Organizations, Certificates, how can I assign the certificate in Central to a group or an IAP, or is that automatic?

So in clearpass I have to replace securlogin.arubanetworks.com with portal.xy.de, right?

Thanks a lot

------------------------------
Tobias

Original Message:
Sent: Jun 11, 2021 04:59 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

The factory shipped certificate is self signed and will cause issues. Ideally you need to replace this with a publicly signed certificate on both the CPPM + IAP. You'll also need to ensure that the NAS Login Settings also match the CN of the Certificate installed on the IAP.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/Configuration/EnablingAndEditingNASLoginProperties.htm

------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 04:14 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------

Hi,

ok, I tested it with the cppm certificate witch is: portal.xy.de so I were redirect to clearpass login.
I have uploaded our *.xy.de certificate for the instant but this dont work.

So I need a valid certificate for the IAP for example: vc.xy.de right?
than change the name in the ip address field in cppm to vc.xy.de...

with securelogin.arubanetworks.com and the send cleartext option, it works but, the browser shows unsecured conntection...

Thanks

------------------------------
Tobias
------------------------------

Original Message:
Sent: Jun 11, 2021 05:30 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

Once you've uploaded the IAP Cert to Central (which you have already) go to Security -> Certificate usage where you assign the certificate to the Captive Portal. That is correct, under your Vendor Settings on the CPPM Guest page, where it says IP Address you'd add the CN of the Certificate you uploaded to the IAP.



------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 05:24 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi,

ok i thought that might be the problem....
I have the same certificate from clearpass portal.xy.de also uploaded in Central via Global, Organizations, Certificates, how can I assign the certificate in Central to a group or an IAP, or is that automatic?

So in clearpass I have to replace securlogin.arubanetworks.com with portal.xy.de, right?

Thanks a lot

------------------------------
Tobias

Original Message:
Sent: Jun 11, 2021 04:59 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

The factory shipped certificate is self signed and will cause issues. Ideally you need to replace this with a publicly signed certificate on both the CPPM + IAP. You'll also need to ensure that the NAS Login Settings also match the CN of the Certificate installed on the IAP.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/Configuration/EnablingAndEditingNASLoginProperties.htm

------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 04:14 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------

Hi Craig,

Once you've uploaded the IAP Cert to Central (which you have already) go to Security -> Certificate usage where you assign the certificate to the Captive Portal.

Under Security I cannot find anything to assign the certificate to a captive portal... (the captive portal is on clearpass)

thanks

------------------------------
Tobias
------------------------------

Original Message:
Sent: Jun 14, 2021 05:20 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi,

ok, I tested it with the cppm certificate witch is: portal.xy.de so I were redirect to clearpass login.
I have uploaded our *.xy.de certificate for the instant but this dont work.

So I need a valid certificate for the IAP for example: vc.xy.de right?
than change the name in the ip address field in cppm to vc.xy.de...

with securelogin.arubanetworks.com and the send cleartext option, it works but, the browser shows unsecured conntection...

Thanks

------------------------------
Tobias

Original Message:
Sent: Jun 11, 2021 05:30 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

Once you've uploaded the IAP Cert to Central (which you have already) go to Security -> Certificate usage where you assign the certificate to the Captive Portal. That is correct, under your Vendor Settings on the CPPM Guest page, where it says IP Address you'd add the CN of the Certificate you uploaded to the IAP.



------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 05:24 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi,

ok i thought that might be the problem....
I have the same certificate from clearpass portal.xy.de also uploaded in Central via Global, Organizations, Certificates, how can I assign the certificate in Central to a group or an IAP, or is that automatic?

So in clearpass I have to replace securlogin.arubanetworks.com with portal.xy.de, right?

Thanks a lot

------------------------------
Tobias

Original Message:
Sent: Jun 11, 2021 04:59 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

The factory shipped certificate is self signed and will cause issues. Ideally you need to replace this with a publicly signed certificate on both the CPPM + IAP. You'll also need to ensure that the NAS Login Settings also match the CN of the Certificate installed on the IAP.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/Configuration/EnablingAndEditingNASLoginProperties.htm

------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 04:14 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------

Note that when you have your APs managed by Central, you can assign the certificate 'aruba_default' (under Certificate usage), and a trusted certficate with the name 'securelogin.hpe.com' will be pushed to your AP; so securelogin.hpe.com is what you need to refer to in ClearPass Guest in that case. If you want your own certificate (which makes sense...) upload and apply your own cert as mentioned above.

If you upload a wildcard, like *.xy.de, then refer to captiveportal-login.xy.de in your ClearPass. Check also here.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jun 14, 2021 05:58 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi Craig,

Once you've uploaded the IAP Cert to Central (which you have already) go to Security -> Certificate usage where you assign the certificate to the Captive Portal.

Under Security I cannot find anything to assign the certificate to a captive portal... (the captive portal is on clearpass)

thanks

------------------------------
Tobias

Original Message:
Sent: Jun 14, 2021 05:20 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi,

ok, I tested it with the cppm certificate witch is: portal.xy.de so I were redirect to clearpass login.
I have uploaded our *.xy.de certificate for the instant but this dont work.

So I need a valid certificate for the IAP for example: vc.xy.de right?
than change the name in the ip address field in cppm to vc.xy.de...

with securelogin.arubanetworks.com and the send cleartext option, it works but, the browser shows unsecured conntection...

Thanks

------------------------------
Tobias

Original Message:
Sent: Jun 11, 2021 05:30 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

Once you've uploaded the IAP Cert to Central (which you have already) go to Security -> Certificate usage where you assign the certificate to the Captive Portal. That is correct, under your Vendor Settings on the CPPM Guest page, where it says IP Address you'd add the CN of the Certificate you uploaded to the IAP.



------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 05:24 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hi,

ok i thought that might be the problem....
I have the same certificate from clearpass portal.xy.de also uploaded in Central via Global, Organizations, Certificates, how can I assign the certificate in Central to a group or an IAP, or is that automatic?

So in clearpass I have to replace securlogin.arubanetworks.com with portal.xy.de, right?

Thanks a lot

------------------------------
Tobias

Original Message:
Sent: Jun 11, 2021 04:59 AM
From: Craig Syme
Subject: Central managed IAP guest captive portal clearpass redirect problem

The factory shipped certificate is self signed and will cause issues. Ideally you need to replace this with a publicly signed certificate on both the CPPM + IAP. You'll also need to ensure that the NAS Login Settings also match the CN of the Certificate installed on the IAP.

https://www.arubanetworks.com/techdocs/ClearPass/6.9/Guest/Content/Configuration/EnablingAndEditingNASLoginProperties.htm

------------------------------
Craig Syme

Original Message:
Sent: Jun 11, 2021 04:14 AM
From: Tobias Gabriel
Subject: Central managed IAP guest captive portal clearpass redirect problem

Hello Community,

I have built a Lab as follows.
An Aruba IAP315 is attached to an Aruba CX6200F switch, the switch is connected to a 4G router. The IAP and the switch are managed by Aruba Central, which works great.
We have a Clearpass server in one of our data centers, there is a router there, it has a VPN connection to the 4G router. The VPN connection also works without problems.
More details on the picture in the attachment.

I have configured a guest ssid via Central on the iap. When you login to the ssid, you are redirected to the Clearpass login page.
But when you log in, you don't get any further, after logging in via the Catpive portal the redirect doesn't work anymore.
The Clearpass still contains securelogin.arubanetworks.com.
I can't see anything in the Clearpass access tracker.

Maybe someone has an idea what I am doing wrong.

Thanks a lot


------------------------------
Tobias
------------------------------