Hello
I do have set on the guest the CN, which is the virtual IP address of the controller, on the ClearPass.
It's on controller-initiated HTTP,
and I have the IP address of the virtual IP of the WLC controllers; that IP address is the one I see as the CN on the web authentication certificate on the Cisco WLC.
Question: do the guest users need to have access to that IP address, which is the virtual IP address? Because right now I don't think they have, from the VLAN they are using for guest. Neither am I sure if the ClearPass has access to that IP address of the controller.
That controller is managed with a management port and IP address.
I will try with server-initiated to see if that works too; I haven't tried that.
Original Message:
Sent: Nov 28, 2023 08:41 AM
From: jsolb
Subject: Clearpass Guest integration with Cisco WLC
Think you have the ClearPass login method configured incorrectly here. When doing controller-initiated you have to add the FQDN (actually the controller captive portal page linked to the virtual IP) which the HTTP form will submit username/password to. The client actually has to go to this address (don't think it has to be resolvable, as the WLC has a bind for the cert CN to its virtual IP) and for HTTPS has to trust it before sending the username/pw. This will in turn trigger a new RADIUS request to ClearPass on a different service and then, when validated, will return a different ACL.
Seems your redirect has an IP-address and that won't work when doing https.
And yea - you want to be using HTTPS, and as long as you are using login-method "controller-initiated" you will need public valid SSL certs on both ClearPass and WLC to avoid errors. If using server-initiated then you only need that on ClearPass. This setup is in the Cisco WLC world called CWA - Central Web Authentication.
Some links for more information around this:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html#toc-hId-325206534
------------------------------
John-Egil Solberg |
ACMX#316 | ACCX#902
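
The certificate point in the reply above, as an added example that is not part of the thread and is not ClearPass or Cisco code: a Python check of the URL a controller-initiated login form posts guest credentials to, compared against the names in the WLC web-auth certificate. The certificate name `wlc-guest.example.com` and all function names are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def _dns_match(host, pattern):
    """Match a host against a certificate DNS name (one-label wildcard only)."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, rest = host.partition(".")
        return bool(label) and rest == pattern[2:]
    return host == pattern


def check_login_target(url, cert_dns_names, cert_ip_sans=()):
    """List the problems a browser would hit posting guest credentials to url."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return ["credentials would be posted without TLS"]
    ip = _as_ip(host)
    if ip is not None:
        # Browsers match an IP literal only against iPAddress SAN entries,
        # never against the CN or DNS names.
        if ip not in {ipaddress.ip_address(s) for s in cert_ip_sans}:
            return ["IP literal %s is not covered by the certificate; "
                    "post to the name bound to the virtual IP" % host]
        return []
    if not any(_dns_match(host, n) for n in cert_dns_names):
        return ["host %s does not match any certificate name" % host]
    return []


if __name__ == "__main__":
    names = ["wlc-guest.example.com"]  # constructed certificate name
    for target in ("http://1.1.1.1/login.html",
                   "https://1.1.1.1/login.html",
                   "https://wlc-guest.example.com/login.html"):
        print(target, "->", check_login_target(target, names) or "ok")
```
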
Original Message:
Sent: Nov 27, 2023 07:28 PM
From: cdelarosa
Subject: Clearpass Guest integration with Cisco WLC
Hello Ulises
I'm having trouble configuring this.
It seems everything goes fine. The client gets redirected to the portal, the client self-registers, they give him access, he accepts the access, and when he accepts it and is being redirected to the WLC again, this happens
The WLC virtual IP, which is configured in the ClearPass, is permitted in the access list.
They are managing the controller through the management port. It seems you can ping that IP but that's it; they cannot access the controller or anything through that IP. The internal captive portal works fine, and that's the IP used as the captive portal and it works fine, so I don't understand.
The other thing I wanted to ask:
I don't need a public cert in the Cisco WLC? Is it not like Aruba, where you need those? We don't want any trouble with certificate errors.
From your manual we are just missing these steps; I don't know if you can confirm for me whether that's the whole problem.
Why didn't I configure this? Because it seems it's a global config, and it seems their local Cisco support says that changing this could affect their internal captive portal, so changing this would need a maintenance window.
Anyway, I thought it might not be necessary because you do the redirection in the WLAN profile in the L3 tab, but well, let me know, Ulises, please.
Thanks
Original Message:
Sent: Jun 27, 2022 04:59 PM
From: ulises.cazares
Subject: Clearpass Guest integration with Cisco WLC
Hi, and after changing the address make sure the WLC's virtual IP is permitted in the captive portal ACL in the WLC.
If you want, you can check this blog to integrate the Cisco WLC with ClearPass:
https://wifi-networking-and-more.blogspot.com/2022/03/aruba-clearpass-how-to-configure-cisco.html
Hope this helps.
Original Message:
Sent: Jun 24, 2022 12:18 PM
From: Nilesh Wagh
Subject: Clearpass Guest integration with Cisco WLC
I have integrated ClearPass with Cisco WLC. When we connect to the SSID we are redirected to the guest network login page; after login the page is stuck at 1.1.1.1/login.html? as per the snap below. Could you please help with this? Thanks. Error Snap: