I am working with a customer setting up sponsorship on their guest network. Everything is working fine however, when the sponsor receives the email from Clearpass to approve the request, the link it provides isn't complete. The link either provides just the host name of the Clearpass server (clearpass) or the IP address of the server and not the FQDN. As such, if it provides just the host name, we get a page cannot be found and, if it provides an IP address, we get a certificate error.I thought this would pull from the FQDN field under the Server Configuration but it doesn't seem to be doing that and I can't figure out how/where to fix this. Any one have any ideas?
During actual guest access you should be in the Captive portal redirect provided by the controller user role. The L3 Auth Captive portal should be set to the FQDN of ClearPass VIP, which should match the FQDN of the ClearPass Server HTTPS certificate. The referring page will be set as the FQDN in the link to the sponsor which should match the HTTPS Server certificate. The IP address / FQDN should be pulled in by the referring page. So if you are testing and are logged into ClearPass via IP address then the referring page will be by IP address. You will get a certificate error since the FQDN (IP address) doesn't match the public certificate that you loaded in ClearPass Publisher HTTPS server certificate. Test by logging into ClearPass / ClearPass Guest via the full FQDN that the Guest will use to request sponsorship. This should populate the source field properly.If you have some setup that requires you to change that such as fronting the ClearPasss server with an F5, or Azure Load Balancer, this is the Sponsorship Confirmation receipt, and can be modified in the ClearPass Guest, Configuration -> Receipts -> Templates -> Sponsorship Confirmation. (Or what ever you have in the Sponsor "Email Confirmation" drop down as this is customizable )You'll likely want to modify that anyway to include powered by customer X or add some other logos to customize for the customer.Also, make sure the form on the sponsor page limits the sponsor emails to X domain, so that Guest's can't sponsor themselves via gmail etc. In the Self-Registration workflow, under Register Page select form, edit sponsor email, add the domain(s) in the allow array. Ref: https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=36494#bm2b09f05a-661b-4599-9519-40b645e54665
Thanks for your response. Unfortunately, this still leaves the same problem. Even if the FQDN is included in the registration page, the email that is sent to the sponsor still has a link that shows the hostname of Clearpass and not the FQDN. In the case that I don't select to require authentication for sponsors, that is replaced with the IP address in the link.
My lab is a bad example because I don't have valid certs however, it should still use the FQDN yet uses the hostname. As an example, I make sure the register page is using cppm.g33lab.local/guest/w-guest.php - when I go through the register process and the email goes to the sponsor, the link is https://cppm/guest/guest_register_confirm.php?gsr_id=w-guest&token=vwdhs-26x8c-aazio-ukd8r-fb8cs - so this obviously doesn't work. I do have cppm.g33lab.local as the FQDN in the Server Manager already.
© Copyright 2023 Hewlett Packard Enterprise Development LPAll Rights Reserved.