Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Trouble with ClearPass self registration, Users get Required parameters unavailable

  • 1.  Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 04, 2022 07:17 AM
    Hi. I need help figuring out why my guest users can't log in.
    I have configured an SSID on a Cisco WLC 9800 which has a connection with CPPM (ClearPass). I created a self-registration web page on ClearPass. When guests connect to the guest SSID, a registration web page opens for them, where the users can register. After registration, it redirects them to another page, where a login and a password are shown and there is a login button at the bottom.

    Now, if the users try to log in on this page (press the button), they get the following message: "Required parameters unavailable". In "manage account" I see that ClearPass has created the account. We don't have deny logs in "Access Tracker".

    I've gone through various guides and it looks like I have everything configured correctly on both the WLC 9800 and in ClearPass. I'm completely stumped.



    Thanks for any help with this.


  • 2.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 04, 2022 09:41 AM
    It sounds like you aren't using ClearPass as the authentication server on your SSID, or you haven't configured this right.

    You can try to diagnose whether ClearPass is correctly configured as the authentication server on your Wi-Fi controller and your SSID.
    I have never used a Cisco WLC, but I imagine it works like any other controller.
    I can show you examples of how it must be configured on an Aruba controller if you wish.


  • 3.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 05, 2022 01:33 AM

    I used this guide https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html , but it didn't help.

    I captured traffic on the WLC and ClearPass, and I saw that ClearPass sent a CoA packet to reauthenticate, but the WLC didn't send a response.

    I found this community thread, https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=44867 . I think I have the same problem, but I can't find a resolution to the issue there.




  • 4.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    EMPLOYEE
    Posted Oct 05, 2022 02:12 AM
    Check to see if the CoA ports match. ClearPass uses 3799 by default and I think Cisco might be using 3700.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 05, 2022 04:26 AM
    I checked it, both use 1700.


  • 6.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 05, 2022 08:38 AM
    What version of 9800 software?


  • 7.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 05, 2022 03:08 PM
    Hi, in the image for the web_login page in ClearPass it shows Vendor: Aruba. Have you tried Cisco in that field?


    I hope this helps

    Regards


  • 8.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    EMPLOYEE
    Posted Oct 05, 2022 07:39 PM
    Good catch. It is definitely an error in the document; the vendor should be Cisco, and by default it uses 1.1.1.1.
    That IP address should match the IP address of the virtual interface.






  • 9.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 05, 2022 08:09 PM
    You also should NOT use 1.1.1.1 anymore. This is a publicly routable IP used by Cloudflare for DNS. 192.0.2.1 should be used now.




  • 10.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    EMPLOYEE
    Posted Oct 05, 2022 08:49 PM
    That's correct. The main point was that the virtual interface on the Cisco WLC should match the IP address in that field on the ClearPass Guest weblogin or self rego page.




  • 11.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 06, 2022 01:29 AM

    The WLC 9800 version is 17.06.03. ClearPass Policy Manager is 6.10.7.187596. My login page configuration looks like


    I have captured traffic between the WLC and ClearPass. As I can see, the WLC sends a NAC message to ClearPass when ClearPass sends a CoA to the WLC.
    WLC - 10.61.1.40
    ClearPass - 10.61.1.41
    I think the problem is with CoA, but I don't know exactly what the problem is.





  • 12.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable
    Best Answer

    Posted Oct 06, 2022 07:28 AM
    Got it, so you are doing server initiated, not a POST from the WLC.  What does your AAA configuration on the 9800 look like?  Do you have RADIUS dynamic authorization enabled for ClearPass?  Is the PSK correct?  Based on the NAK response from the 9800, it does not have a dynamic authorization entry for ClearPass or the PSK is not correct.


  • 13.  RE: Trouble with ClearPass self registration, Users get Required parameters unavailable

    Posted Oct 07, 2022 07:53 AM
    Thanks everyone, I solved the issue. The problem was on the WLC side: it was impossible to specify a password through the GUI. I connected via SSH and added a password, and my controller started to receive CoA packets.
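
The two causes named in the best answer (no dynamic authorization entry, or a shared secret that does not match) can be narrowed down from the capture itself. The sketch below is an added example, not code from the thread, Aruba or Cisco: it checks a captured CoA-Request's Request Authenticator (RFC 5176) against the secret configured on the controller and decodes the Error-Cause carried in a NAK. The sample packets, secrets and MAC address are constructed.

```python
import hashlib
import hmac
import struct

CODES = {40: "Disconnect-Request", 41: "Disconnect-ACK", 42: "Disconnect-NAK",
         43: "CoA-Request", 44: "CoA-ACK", 45: "CoA-NAK"}
ERROR_CAUSE = {401: "Unsupported Attribute", 402: "Missing Attribute",
               403: "NAS Identification Mismatch", 404: "Invalid Request",
               501: "Administratively Prohibited", 503: "Session Context Not Found"}

def parse(pkt):
    """Return (code, id, authenticator, [(type, value)], raw) for a RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        a_len = pkt[pos + 1] if pos + 1 < length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((pkt[pos], pkt[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, pkt[4:20], attrs, pkt[:length]

def request_secret_ok(pkt, secret):
    """RFC 5176 Request Authenticator: MD5(header + 16 zero octets + attrs + secret)."""
    code, _, auth, _, raw = parse(pkt)
    if code not in (40, 43):
        raise ValueError("not a CoA-Request or Disconnect-Request")
    expected = hashlib.md5(raw[:4] + bytes(16) + raw[20:] + secret).digest()
    return hmac.compare_digest(expected, auth)

def describe(pkt):
    """One-line summary; decodes Error-Cause (attribute 101) carried in a NAK."""
    code, ident, _, attrs, _ = parse(pkt)
    text = f"{CODES.get(code, code)} id={ident}"
    for a_type, value in attrs:
        if a_type == 101 and len(value) == 4:
            cause = struct.unpack("!I", value)[0]
            text += f" Error-Cause={cause} ({ERROR_CAUSE.get(cause, 'other')})"
    return text

# Constructed samples standing in for capture bytes; secrets and MAC are made up.
ATTRS = bytes([31, 19]) + b"aa-bb-cc-dd-ee-ff"            # Calling-Station-Id
HDR = struct.pack("!BBH", 43, 7, 20 + len(ATTRS))
SAMPLE_COA = HDR + hashlib.md5(HDR + bytes(16) + ATTRS + b"cppm-secret").digest() + ATTRS
SAMPLE_NAK = struct.pack("!BBH", 45, 7, 26) + bytes(16) + bytes([101, 6]) + struct.pack("!I", 404)
```

If `request_secret_ok` returns `False` for the secret entered on the controller, the two sides disagree on the shared secret; if it returns `True`, look at the dynamic authorization client entry and the decoded Error-Cause instead.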