Original Message:
Sent: Jul 11, 2024 08:12 AM
From: HB
Subject: captive portal for CPPM Onboarding doesn't work
Hi,
it's making me crazy.
There are rules within the policy. I created a new one, it has 6 rules inside, but I still see 0 in the role.
Thanks
------------------------------
carabina5
Original Message:
Sent: Jul 11, 2024 07:29 AM
From: NHN
Subject: captive portal for CPPM Onboarding doesn't work
Hi,
One rule is missing in the Byod-provision role to allow http and https to the clearpass server; that's why the browser is not able to open the page.
Add an acl above the captive-portal rule to allow http and https to your clearpass server.
If you look at your role configuration, rule count is 0 for cppm acl.
------------------------------
Harendra
ACEX165
Original Message:
Sent: Jul 11, 2024 07:10 AM
From: HB
Subject: captive portal for CPPM Onboarding doesn't work
Hi,
thanks for the answer, but it seems to not work. By the way, the instructions are for guest, but I need it for BYOD (802.1X auth).
- configure an alias for clearpass server: done with IP addresses
    netdestination clearpass
      host "clearpass ip address"
- configure acl to allow http and https to clearpass server: done
    ip access-list session allow-clearpass
      any alias clearpass svc-http permit
      any alias clearpass svc-https permit
- configure captive portal profile and assign server-group (clearpass) and configure the login-page url: done
    aaa authentication captive-portal byod
      login-page https://<clearpass-fqdn>/<page-url>
      server-group <clearpass-server-group>
- configure initial user role: done
    user-role byod-logon
      access-list session logon-control
      access-list session allow-clearpass
      access-list session captiveportal
      captive-portal byod
- assign initial user-role to the AAA profile: done
    aaa profile "byod-aaa-prof"
      initial-role "byod-logon"
Note: client device should be able to resolve DNS to open captive portal automatically
Now the client is redirected to the CP, but it gets stuck opening in the browser; the page never appears.
Clients in the same vlan (wired) can reach CPPM and open the BYOD login page.
It seems that the controller is blocking something.
In the controller I can see that the client receives the role BYOD-Provision and the IP in the correct vlan.
This is the BYOD-Provision role's policies:
Thanks
------------------------------
carabina5
Original Message:
Sent: Jul 11, 2024 05:02 AM
From: NHN
Subject: captive portal for CPPM Onboarding doesn't work
Hi,
Make sure you have PEF licenses in the controller. Then you can configure the access-rules, captive-portal and user-role (initial-role). Finally, assign the initial-role to the AAA profile.
Watch this video: https://www.youtube.com/watch?v=F-4p7cqZzXQ
- configure an alias for clearpass server
    netdestination clearpass
      host "clearpass ip address"
- configure acl to allow http and https to clearpass server
    ip access-list session allow-clearpass
      any alias clearpass svc-http permit
      any alias clearpass svc-https permit
- configure captive portal profile and assign server-group (clearpass) and configure the login-page url
    aaa authentication captive-portal byod
      login-page https://<clearpass-fqdn>/<page-url>
      server-group <clearpass-server-group>
- configure initial user role
    user-role byod-logon
      access-list session logon-control
      access-list session allow-clearpass
      access-list session captiveportal
      captive-portal byod
- assign initial user-role to the AAA profile
    aaa profile "byod-aaa-prof"
      initial-role "byod-logon"
Note: client device should be able to resolve DNS to open captive portal automatically
------------------------------
Harendra
ACEX165
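Added example, not written by any poster in this thread: a Python check for the two conditions raised here, a session ACL applied to the role that has 0 rules, and no http/https permit to the ClearPass alias above the captiveportal ACL. The config text, the empty "cppm" ACL, the address and the function names are constructed for illustration, and logon-control and captiveportal are assumed to be predefined ACLs.

```python
import re

# Constructed sample in the config syntax quoted in this thread (not a real dump).
# "cppm" is defined with no rules; 192.0.2.10 is a documentation address.
SAMPLE = """\
netdestination clearpass
  host 192.0.2.10
ip access-list session cppm
ip access-list session allow-clearpass
  any alias clearpass svc-http permit
  any alias clearpass svc-https permit
user-role BYOD-Provision
  access-list session logon-control
  access-list session cppm
  access-list session captiveportal
  captive-portal byod
"""
# Same config with the role pointing at the populated ACL instead of the empty one.
FIXED = SAMPLE.replace("  access-list session cppm", "  access-list session allow-clearpass")

PREDEFINED = {"logon-control", "captiveportal"}  # assumed built in, so absent from the text

def parse(config):
    """Return ({acl_name: [rules]}, {role_name: [applied ACL names, in order]})."""
    acls, roles, current = {}, {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line starts a new stanza
            acl = re.match(r"ip access-list session (\S+)", line)
            role = re.match(r"user-role (\S+)", line)
            current = (acls.setdefault(acl.group(1), []) if acl
                       else roles.setdefault(role.group(1), []) if role else None)
        elif current is not None:
            current.append(" ".join(line.split()))
    prefix = "access-list session "
    roles = {r: [b[len(prefix):] for b in body if b.startswith(prefix)]
             for r, body in roles.items()}
    return acls, roles

def check_role(config, role, alias="clearpass"):
    """List reasons the portal page could be blocked for clients in `role`."""
    acls, roles = parse(config)
    order, findings = roles[role], []
    for name in order:
        if name not in PREDEFINED and not acls.get(name):
            findings.append(f"ACL '{name}' applied to {role} has 0 rules")
    cut = order.index("captiveportal") if "captiveportal" in order else len(order)
    for svc in ("svc-http", "svc-https"):
        wanted = f"any alias {alias} {svc} permit"
        if not any(wanted in acls.get(n, []) for n in order[:cut]):
            findings.append(f"no {svc} permit to alias '{alias}' above captiveportal")
    return findings
```

`check_role(SAMPLE, "BYOD-Provision")` reports the empty ACL and both missing permits; the same call on `FIXED` returns an empty list.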
Original Message:
Sent: Jul 11, 2024 02:17 AM
From: HB
Subject: captive portal for CPPM Onboarding doesn't work
Hi,
I configured the entire CPPM part for device onboarding.
I'm having trouble managing the Mobility controller side (8.10.X). Following the directions, I created an SSID with 802.1X WPA2 authentication pointing to the CPPM server.
The problem is the captive portal: according to all the instructions, under Authentication - L3 you should find the "onboard" object, which however is missing. I created it by hand and configured the captive portal page.
The same goes for the BYOD-Provision role, which is already present in all the guides, but I couldn't find it and had to create it manually.
I tried to check on other Controllers version 8.10.x and none of them have the two objects onboard and BYOD-Provision.
The problem is that, by doing the test on the SSID, the device connects to the network, takes on the BYOD-Provision role, but there is no way to open the captive portal.
Has anyone encountered the same problem? Do you have any ideas on what I might be missing?
On the role, for the sole purpose of testing, I went so far as to open everything (any any), but still the CP does not open.
By using the CP link manually on the device's browser, the page opens correctly and the user is able to register.
Thanks
------------------------------
carabina5
------------------------------