Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

This thread has been viewed 47 times
  • 1.  ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Oct 07, 2020 09:46 AM

    Hello All,

     

    I'm in a bit of a pickle with ArubaOS 8 + Clearpass for Guest auth. The problem is that after clicking login on a Clearpass guest page, the client receives a HTTP 302 with params ?errmsg=access denied, and in Clearpass we see failed mac auth, but never do we see a request for guest user auth.

     

    Some Background

     

    I'll start with the facts. I have several dot1x networks, both EAP-TLS and EAP-PEAP which authenticate against Clearpass without issue. Clearpass is behaving as expected in that regard.

     

    • I have used the Clearpass wizard to create a guest service with mac + user auth with mac-caching.
    • I have setup a Clearpass Guest anonymous login page.
    • My controller has an SSL certificate that matches the IP address/hostname in the login page settings.
    • The account used to authenticate anonymous users exists in Clearpass Guest and the password and username look sane.
    • Guest redirection to the login page is successful

    In my Mobility Master + 2 Controllers in a cluster setup, I have a wireless network, Guest, which is configured for Mac Auth. Once the user connects to the guest network, they receive the initial guest role as configured. 

     

    My Captive Portal is setup and the user is redirected to the captive portal upon logging into the network. Everything up until this point works well and as intended.

     

    The Problem

     

    Now comes the problem: Once the user clicks login, they POST to the referring controller at /cgi-bin/login with form data like this:

     

    user=11111111

    &password=123456

    &cmd=authenticate

    &url=https://google.com

    &Login=Log+In

     

    The response the client receives is HTTP 302 (redirect) and the redirection location is: ?errmsg=Access denied

     

    This ends up with being a bit of an endless loop and the client never authenticates and remains in the configured intial guest role.

     

    If we take a look in Clearpass, we see the mac auth request which of course fails, but we never see the user auth request come in. This leads me to believe that there is some configuration error or a general error with the controller. As I understand it, the client will POST to the controller and the controller will then send a Radius request to Clearpass which in this case would be the user auth part of the guest service in Clearpass.

     

    I'm hoping that there is a simple fix, something that I've simply overlooked because right now I am out of ideas and have lost track of how many settings I have changed and tested in an attempt to get this to work. If there is anyone out there who might be able to assist with the issue, I'd be ever so grateful.

     

    Cheers,

    LBH the 3rd



  • 2.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    EMPLOYEE
    Posted Oct 07, 2020 02:44 PM

    Hi,

     

    Do you have the ClearPass server (the one receiving the MAC Auth) configured as Radius authentication server in the Controller's captive portal profile?



  • 3.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Oct 07, 2020 04:50 PM

    Hi Saravanan,

     

    Thank you for the reply. Always nice to know that I'm not alone in the networking world!

    The initial-role of the wireless network, let's call it first-role, has Clearpass configured in its Captive Portal tab. The correct captive portal profile is also referenced within the role's More -> Authentication -> Captive portal profile. 

     

    Below is where I have selected the server group of the actual captive portal profile.

    Screenshot 2020-10-07 at 22.11.26.png

    One of the things I'm trying to work out is how the controller comes to the conclusion that access is to be denied if the user request is never making it to Clearpass. Given that mac auth gets to Clearpass and that the user receives the go away message, there must be a user auth request that goes somewhere or that has been misconfigured not to happen. Where or what that is, I've no idea. 

     

    Cheers,

     

    LBH



  • 4.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Oct 07, 2020 05:17 PM
    Check ClearPass event viewer ?
    Did you replace the default captive portal cert on the Aruba controller ?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Oct 08, 2020 07:13 AM

    Hei Victor,

     

    I would like to say, of course I checked the event viewer, and honestly, I had checked the event viewer. The big but is that I had only checked the event viewer for clearpass-01 and not clearpass-02. And what was in the event viewer of 02? Lots and lots of radius mis-matching key errors! I was terribly excited to change that key and see my guest network working, but it was not to be.

     

    After noticing the error, I really thought that the user auth was being balanced to clearpass-02, but after having updated the radius key, I still do not see the user auth request and I am still getting the HTTP 302 with access denied.

     

    And to answer your question about the certificate, yes, I have changed the default certificate. My customer uses a wildcard certificate, *.my-domain.com, and in the Clearpass login page we use captiveportal-login.my-domain.com.

     

    When the client performs that POST to the controller, we see an HTTPS URL with the correct certificate.

     

    Thank you for your input and suggestions. When I saw the errors in the event log of clearpass-02, I thought: 'Victor, you've done it again!`. And to be fair, you certainly made me find an error. Thank you! Now I just need to find the error which is plaguing my guest network.

     

    Cheers,

     

    LBH



  • 6.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Oct 08, 2020 09:40 AM
    What version of AOS are you running ?

    Sent from Mail for Windows 10


  • 7.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Oct 08, 2020 01:17 PM

    Hi Victor,

     

    Apologies, that is information that I should have included earlier. This is running Aruba OS 8.5.10_76206. The two mobility masters and the two controllers are are all running the same software. The controllers are a pair of 7205 controllers.

     

    Cheers,

     

    LBH



  • 8.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    EMPLOYEE
    Posted Oct 12, 2020 05:47 PM

    Hi,

     

    I hope you have the "User Login:"  enabled in the Captive Portal profile configuration.

     

    You may open a TAC case to review your configuration and troubleshoot this further.



  • 9.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth
    Best Answer

    Posted Oct 13, 2020 03:25 AM

    Hi Saravanan,

     

    I wouldn't be seen dead without user login enabled. I've got a TAC case open and will fill in the blanks here.

     

    Cheers,

     

    LBH



  • 10.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Feb 23, 2021 12:02 PM
    Hi Conor and the rest of you.

    Could you manage to solve it? I'm having the same issue.

    Thanks!

    ------------------------------
    Gonzalo Lopez
    ------------------------------



  • 11.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Dec 17, 2021 10:14 AM
    At the end you solved the problem? I've the Same problem.

    Thks

    ------------------------------
    Paolo Miserendino
    ------------------------------



  • 12.  RE: ArubaOS 8 HTTP 302 at /cgi-bin/login for Guest Auth

    Posted Dec 17, 2021 11:35 AM
    Please open a Support Case if there is no answer, and you have an urgent issue.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------