Wireless Access

  • 1.  captive portal for CPPM Onboarding doesn't work

    Posted Jul 11, 2024 02:18 AM

    Hi,

    I configured the entire CPPM part for device onboarding.
    I'm having trouble managing the Mobility controller side (8.10.X). Following the directions, I created an SSID with 802.1X WPA2 authentication pointing to the CPPM server.
    The problem is the captive portal: all the instructions say that under Authentication - L3 you should find the "onboard" object, which however is missing. I created it by hand and configured the captive portal page.
    The same goes for the BYOD-Provision role, which is already present in all the guides, but I couldn't find it and had to create it manually.

    I tried to check on other Controllers version 8.10.x and none of them have the two objects onboard and BYOD-Provision.


    The problem is that, by doing the test on the SSID, the device connects to the network, takes on the BYOD-Provision role, but there is no way to open the captive portal.

    Has anyone encountered the same problem? Do you have any ideas on what I might be missing?


    On the role, for the sole purpose of testing, I went so far as to open everything (any any), but still the CP does not open.
    By using the CP link manually on the device's browser, the page opens correctly and the user is able to register.

    Thanks



    ------------------------------
    carabina5
    ------------------------------


  • 2.  RE: captive portal for CPPM Onboarding doesn't work

    Posted Jul 11, 2024 05:02 AM

    Hi,

    Make sure you have PEF licenses in the controller. Then you can configure the access-rules, captive-portal and user-role (initial-role). Finally, assign the initial-role to the AAA profile.

    Watch this video: https://www.youtube.com/watch?v=F-4p7cqZzXQ

    • configure an alias for clearpass server

        netdestination clearpass
          host "clearpass ip address"

    • configure acl to allow http and https to clearpass server

        ip access-list session allow-clearpass
          any alias clearpass svc-http permit
          any alias clearpass svc-https permit

    • configure captive portal profile and assign server-group (clearpass) and configure the login-page url

        aaa authentication captive-portal byod
          login-page https://<clearpass-fqdn>/<page-url>
          server-group <clearpass-server-group>

    • configure initial user role

        user-role byod-logon
          access-list session logon-control
          access-list session allow-clearpass
          access-list session captiveportal
          captive-portal byod

    • assign initial user-role to the AAA profile

        aaa profile "byod-aaa-prof"
          initial-role "byod-logon"

    Note: client device should be able to resolve DNS to open captive portal automatically



    ------------------------------
    Harendra
    ACEX165
    ------------------------------



  • 3.  RE: captive portal for CPPM Onboarding doesn't work

    Posted Jul 11, 2024 07:11 AM

    Hi,

    thanks for the answer, but it seems to not work. By the way, the instructions are for guest, but I need it for BYOD (802.1X auth).


    • configure an alias for clearpass server  done with IP addresses

        netdestination clearpass
          host "clearpass ip address"

    • configure acl to allow http and https to clearpass server   done

        ip access-list session allow-clearpass
          any alias clearpass svc-http permit
          any alias clearpass svc-https permit

    • configure captive portal profile and assign server-group (clearpass) and configure the login-page url    done

        aaa authentication captive-portal byod
          login-page https://<clearpass-fqdn>/<page-url>
          server-group <clearpass-server-group>

    • configure initial user role   done

        user-role byod-logon
          access-list session logon-control
          access-list session allow-clearpass
          access-list session captiveportal
          captive-portal byod

    • assign initial user-role to the AAA profile      done

        aaa profile "byod-aaa-prof"
          initial-role "byod-logon"

    Note: client device should be able to resolve DNS to open captive portal automatically

    Now the client is redirected to the CP, but it gets stuck opening in the browser; the page never appears.

    Clients in the same vlan (wired) can reach CPPM and open the BYOD login page.

    It seems that the controller is blocking something.

    In the controller I can see that the client receives the role BYOD-Provision and the IP in the correct vlan.

    This is the BYOD-Provision role's policies:

    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 4.  RE: captive portal for CPPM Onboarding doesn't work

    Posted Jul 11, 2024 07:30 AM
    Edited by NHN Jul 11, 2024 07:30 AM

    Hi,

    One rule is missing in the Byod-provision role to allow http and https to the clearpass server; that's why the browser is not able to open the page.

    Add an acl above the captive-portal rule to allow http and https to your clearpass server.

    If you look at your role configuration, rule count is 0 for cppm acl.



    ------------------------------
    Harendra
    ACEX165
    ------------------------------
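
    The check described in reply 4, as an added example that is not part of the original posts: it reads config text in the syntax used in this thread and reports whether a role permits http and https to the ClearPass alias above the captiveportal ACL, and whether an ACL referenced there has 0 rules. The sample config, the address 192.0.2.10 and the function names are constructed for illustration; ACLs that are not defined in the text (such as logon-control) are skipped.

```python
import re

# Constructed sample in the syntax used in this thread (not a real running-config).
# BYOD-Provision references "cppm" above "captiveportal", but "cppm" has no rules.
SAMPLE = """\
netdestination clearpass
  host 192.0.2.10
ip access-list session allow-clearpass
  any alias clearpass svc-http permit
  any alias clearpass svc-https permit
ip access-list session cppm
user-role BYOD-Provision
  access-list session logon-control
  access-list session cppm
  access-list session captiveportal
user-role byod-logon
  access-list session logon-control
  access-list session allow-clearpass
  access-list session captiveportal
"""

def parse(config):
    """Return ({acl: [rule, ...]}, {role: [acl, ...]}) from indented config text."""
    acls, roles, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"(ip access-list session|user-role)\s+(\S+)", line)
        if m:                                   # start of an ACL or role stanza
            current = (roles if m.group(1) == "user-role" else acls).setdefault(m.group(2), [])
        elif line[:1].isspace() and current is not None:
            current.append(line.strip())        # body line of the current stanza
        elif line.strip():
            current = None                      # some other top-level stanza
    roles = {name: [b.split()[-1] for b in body if b.startswith("access-list session ")]
             for name, body in roles.items()}
    return acls, roles

def check_role(config, role, alias="clearpass", cp_acl="captiveportal"):
    """List problems that stop the portal page loading for clients in `role`."""
    acls, roles = parse(config)
    order = roles.get(role, [])
    if cp_acl not in order:
        return [f"{role}: ACL {cp_acl} not applied"]
    before = order[:order.index(cp_acl)]        # ACLs evaluated above captiveportal
    problems = [f"{role}: ACL {a} has 0 rules" for a in before if a in acls and not acls[a]]
    for svc in ("svc-http", "svc-https"):
        want = re.compile(rf"\balias {re.escape(alias)} {svc} permit$")
        if not any(want.search(r) for a in before for r in acls.get(a, [])):
            problems.append(f"{role}: no permit for {svc} to alias {alias} above {cp_acl}")
    return problems
```

    On the constructed sample, `check_role(SAMPLE, "BYOD-Provision")` reports the empty cppm ACL and the two missing permits, while `check_role(SAMPLE, "byod-logon")` reports nothing.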



  • 5.  RE: captive portal for CPPM Onboarding doesn't work

    Posted Jul 11, 2024 08:13 AM

    Hi,

    It's making me crazy.
    There are rules within the policy. I created a new one, it has 6 rules inside, but I still see 0 in the role.

    Thanks



    ------------------------------
    carabina5
    ------------------------------



  • 6.  RE: captive portal for CPPM Onboarding doesn't work

    Posted Jul 11, 2024 08:32 AM

    Hi,

    Harendra, it is working now... I don't know why, the rules in the role are still 0 for cppm.

    Thank you very much.

    If you know, is a rule to reach the app store for mobiles necessary in the role?



    ------------------------------
    carabina5
    ------------------------------