Hello All,
I'm in a bit of a pickle with ArubaOS 8 + Clearpass for Guest auth. The problem is that after clicking login on a Clearpass guest page, the client receives a HTTP 302 with params ?errmsg=access denied, and in Clearpass we see failed mac auth, but never do we see a request for guest user auth.
Some Background
I'll start with the facts. I have several dot1x networks, both EAP-TLS and EAP-PEAP which authenticate against Clearpass without issue. Clearpass is behaving as expected in that regard.
- I have used the Clearpass wizard to create a guest service with mac + user auth with mac-caching.
- I have setup a Clearpass Guest anonymous login page.
- My controller has an SSL certificate that matches the IP address/hostname in the login page settings.
- The account used to authenticate anonymous users exists in Clearpass Guest and the password and username look sane.
- Guest redirection to the login page is successful
In my Mobility Master + 2 Controllers in a cluster setup, I have a wireless network, Guest, which is configured for Mac Auth. Once the user connects to the guest network, they receive the initial guest role as configured.
My Captive Portal is setup and the user is redirected to the captive portal upon logging into the network. Everything up until this point works well and as intended.
The Problem
Now comes the problem: Once the user clicks login, they POST to the referring controller at /cgi-bin/login with form data like this:
user=11111111
&password=123456
&cmd=authenticate
&url=https://google.com
&Login=Log+In
The response the client receives is HTTP 302 (redirect) and the redirection location is: ?errmsg=Access denied
This ends up with being a bit of an endless loop and the client never authenticates and remains in the configured intial guest role.
If we take a look in Clearpass, we see the mac auth request which of course fails, but we never see the user auth request come in. This leads me to believe that there is some configuration error or a general error with the controller. As I understand it, the client will POST to the controller and the controller will then send a Radius request to Clearpass which in this case would be the user auth part of the guest service in Clearpass.
I'm hoping that there is a simple fix, something that I've simply overlooked because right now I am out of ideas and have lost track of how many settings I have changed and tested in an attempt to get this to work. If there is anyone out there who might be able to assist with the issue, I'd be ever so grateful.
Cheers,
LBH the 3rd