Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Clearpass Guest integration with Cisco WLC

This thread has been viewed 59 times
  • 1.  Clearpass Guest integration with Cisco WLC

    Posted Jun 24, 2022 12:19 PM
    I have integrated clearpass with Cisco WLC. When we connected to the SSID then redirected to  guest login network login page, after login the page stuck at 1.1.1.1/login.html? as per below snap. Could you please help on this. Thanks



    Error Snap:



  • 2.  RE: Clearpass Guest integration with Cisco WLC

    Posted Jun 24, 2022 02:10 PM
    As a step one do NOT use 1.1.1.1.  That is a routable IP address (specifically CloudFlare).  Please update it to use 192.0.2.1 and test again.


  • 3.  RE: Clearpass Guest integration with Cisco WLC

    Posted Jun 27, 2022 04:59 PM
    Hi, and after changing the address make sure the WLC's virtual IP is permited in the Captive portal ACL in the WLC.

    If you want, you can check this blog to integrate the Cisco WLC with CLearpass:
    https://wifi-networking-and-more.blogspot.com/2022/03/aruba-clearpass-how-to-configure-cisco.html

    Hope this helps.


  • 4.  RE: Clearpass Guest integration with Cisco WLC

    Posted Nov 27, 2023 07:29 PM

    Hello Ulises

    Im having trouble configuring this

    It seems everythings goes fine.  The client get redirected to the portal, the client selft register, they give him access, he accept the access, and when he accept it and its being redirected to the WLC again this happens

    The WLC virtual ip which is configured in the clearpass is permitted in the access list

    They are managing the controller through the managment port.  It seems you can ping that ip but thats it they cannot access the controller or anything trhougn that ip, The internal captive portal works fine and thats the ip used as the captive portal and it works fine so i dont understand

    The other thing i wanted to ask

    I dont need a public cert in the Cisco WLC? is not like Aruba that you need those?  we dont want any trouble with the certificates errors

    From your manual we are just missing this steps which i dont know you can confirm me if thats all the problem

    Why i didnt configure this? because it seems its a global config and it seems their local cisco support says that changing this could affect their internal captive portal, so changing this would need them a maintanence window.

    anyways i though i migh be not necesesary because you do the redirection in the WLAN profile in the L3 tab but well let me know Ulises please

    Thanks 




  • 5.  RE: Clearpass Guest integration with Cisco WLC

    Posted Nov 28, 2023 08:42 AM

    Think you are have the clearpass login method configured incorrectly here. When doing controller-initiated you have to add the fqdn (actually the controller captive portal page linked to virtual IP) which the http form will submit username/password to. Client actually have to go to this address (don't think it has to be resolvable as the WLC has a bind for the cert CN to it's virtual IP) and for https has to trust it before sending the username/pw. This will in turn trigger a new radius request to Clearpass on a different service and then when validated will return a different acl.

    Seems your redirect has an IP-address and that won't work when doing https.

    And yea - you want to be using https, and as long as you are using login-method "controller-initiated" you will need public valid ssl certs on both Clearpass and WLC to avoid errors. If using server-initiated then you only need that on Clearpass. This setup is in the Cisco WLC world called CWA - Central Web Authentication..

    Some links for more information around this:

    https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#toc-hId-325206534



    ------------------------------
    John-Egil Solberg |
    ACMX#316 | ACCX#902
    ------------------------------



  • 6.  RE: Clearpass Guest integration with Cisco WLC

    Posted Nov 29, 2023 05:54 PM

    Hello

    I do have set on the guest the CN  which is the Virtual ip address of the controller on the clearpass 

    Its on controller initiate http 

    and i have the ip address of the virtual ip of the WLC controllers, that ip address is the one i see as the CN on web authentication certificate on the cisco WLC

    Question, does the guest users need to have access to that ip address, which is the virtual ip address? because right now i don tthink they have from the vlan they are using for guest., neither sure if the clearpass has access to that ip address of the controller

    That controller is managed with a managment port and ip address

    I will try with server initiate to see if that works too, i havent try that.