ClearPass does chaining automatically. For the VC/Instant (and controllers as well) you would need to chain the intermediate certificates manually.
There are multiple moments for an accept, and it's good to understand the role of the client after each stage of the authentication process. Once you know at which step the process does not continue, you are close to a solution.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Sep 06, 2024 06:06 AM
From: AirHead422
Subject: ClearPass Guest - loops back to registration page on some devices
Hi Herman,
We do see an "accept" in Access Tracker, so it is very confusing. For the cert chaining, would this be on ClearPass or the VC? Both have the same wildcard certificate installed at the moment.
Thank you
Original Message:
Sent: Sep 06, 2024 03:06 AM
From: Herman Robers
Subject: ClearPass Guest - loops back to registration page on some devices
Do you see the user authentication in Access tracker when the client is looped back? Accept?
Depending on how you set this up, there are 1 or 2 (or 3-4 if you include the MAC authentication) authentications in each session. When you see 'looping back', the credential post to the IAP (there, make sure that you 'chained' the certificates with intermediates!) is not working properly. If you disconnect/reconnect, MAC Caching kicks in, so it's expected that you are then connected. You mentioned a few possibilities already, so it would be good to capture the issue 'live' and see if the browser posts the credentials, if you see that authentication in ClearPass, and that the role successfully switched on your AP. If you need to better understand the order of what happens, you could check this video, then the controller-initiated workflow.
------------------------------
Herman Robers
------------------------
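The two replies above both come back to the same check: the certificate the IAP/VC presents for the credential post must include the intermediate(s), because a client that does not fetch a missing intermediate on its own will refuse the TLS connection, and the OCSP/CRL hosts named in that certificate are what a pre-auth allowlist would have to cover. The script below is an added example, not code from this thread or from Aruba: it builds a throwaway root -> intermediate -> leaf PKI with openssl, shows that the leaf alone fails verification while the leaf plus intermediate (the "chained" PEM you would upload to the IAP) passes, and extracts the OCSP and CRL URLs from the leaf. The hostnames and URLs in it are placeholders standing in for captiveportal-login.domain.ca and the real CA's endpoints.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates intermediate chaining and
# revocation-URL extraction with a self-generated demo PKI. All names are made up.

PORTAL_FQDN="captiveportal-login.example.test"   # assumed; stands in for the real portal name

# Generate a demo root CA, intermediate CA and portal leaf certificate in $1.
make_test_pki() {
    pki=$1
    cat > "$pki/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PORTAL_FQDN
authorityInfoAccess = OCSP;URI:http://ocsp.example.test
crlDistributionPoints = URI:http://crl.example.test/intermediate.crl
EOF
    for n in root int leaf; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$pki/$n.key"
    done
    openssl req -x509 -new -key "$pki/root.key" -subj "/CN=Demo Root CA" -days 30 \
        -config "$pki/pki.cnf" -extensions v3_ca -out "$pki/root.crt"
    openssl req -new -key "$pki/int.key" -subj "/CN=Demo Intermediate CA" \
        -config "$pki/pki.cnf" -out "$pki/int.csr"
    openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.crt" -CAkey "$pki/root.key" \
        -CAcreateserial -days 30 -extfile "$pki/pki.cnf" -extensions v3_ca -out "$pki/int.crt"
    openssl req -new -key "$pki/leaf.key" -subj "/CN=$PORTAL_FQDN" \
        -config "$pki/pki.cnf" -out "$pki/leaf.csr"
    openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/int.crt" -CAkey "$pki/int.key" \
        -CAcreateserial -days 30 -extfile "$pki/pki.cnf" -extensions v3_leaf -out "$pki/leaf.crt"
}

# Verify leaf $2 against trust anchor $1 using only the intermediates given as $3...
# Exit status 0 means the chain builds; non-zero is what a strict client experiences.
verify_leaf() {
    root=$1; leaf=$2; shift 2
    untrusted=""
    for c in "$@"; do untrusted="$untrusted -untrusted $c"; done
    # shellcheck disable=SC2086
    openssl verify -CAfile "$root" $untrusted "$leaf" >/dev/null 2>&1
}

# Build the PEM bundle to install on the IAP/VC: server certificate first, then intermediate(s).
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Verify a served bundle the way a client does: first cert is the server cert,
# the remaining certs in the same file are the candidate intermediates.
verify_bundle() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# Print the OCSP responder and CRL URLs embedded in a certificate. These hosts
# must be reachable from the pre-auth role if the client checks revocation.
revocation_urls() {
    ocsp=$(openssl x509 -in "$1" -noout -ocsp_uri)
    crl=$(openssl x509 -in "$1" -noout -ext crlDistributionPoints \
          | grep -o 'URI:[^[:space:]]*' | sed 's/^URI://')
    printf 'OCSP %s\nCRL %s\n' "$ocsp" "$crl"
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d" 2>/dev/null
    if verify_leaf "$d/root.crt" "$d/leaf.crt"; then
        echo "leaf alone: OK (client fetched nothing, chain still built)"
    else
        echo "leaf alone: FAILS - intermediate missing, strict clients abort the TLS handshake"
    fi
    build_chain "$d/chained.pem" "$d/leaf.crt" "$d/int.crt"
    if verify_bundle "$d/root.crt" "$d/chained.pem"; then
        echo "leaf + intermediate (chained.pem): OK - this is the bundle to upload"
    fi
    revocation_urls "$d/leaf.crt"
    rm -rf "$d"
}

demo
```

To see what a real IAP or ClearPass node actually presents, run `openssl s_client -connect <host>:443 -servername <host> -showcerts </dev/null` and count the certificates in the output: a single certificate means the intermediate was not chained. Run `revocation_urls` against the leaf to learn which OCSP/CRL hosts the guest role would need to allow before authentication.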
Original Message:
Sent: Sep 05, 2024 03:39 PM
From: AirHead422
Subject: ClearPass Guest - loops back to registration page on some devices
Hi Everyone,
Ripping my hair out a bit over this one. We've tried about 100 different things trying to find out why this works on some devices such as Windows laptops, but loops on certain cell phones.
We are running Aruba ClearPass 6.11 and Instant APs 615 with firmware 8.12.
On iPhone and occasionally Android, the guests get sent back to the registration page once or twice before being allowed on the network. I've noticed that I can register once, and even if I loop back to the register page, simply disconnecting/reconnecting to the SSID lets me on fully without being bugged again. The process appears to register the device just fine, but the redirect is buggy.
Things we've looked at already:
- Automatic URL allowlist
- Ensure Firewall rules allow HTTP and HTTPS, DNS, etc from the guest network to ClearPass
- Ensure the certificates are installed correctly (using wildcard, I've heard it is supported now)
- Ensure URLs are correct for the redirect
- Increasing timeouts before the redirect to allow the pub/sub cluster to sync
- We've read something about allowlisting the cert OCSP and CRL URLs, but I cannot find a place to allow these? Would this make a difference?
We do not see any traffic blocked in the firewall logs, and trying it on a laptop works, so the HAR file capture in Chrome isn't of much use. captiveportal-login.domain.ca is set correctly in the guest registration page. Once again, it seems to work on some devices and not others. Running virtual controller (IAP) and ClearPass VM cluster. Any insight is appreciated.