Security

 View Only
Expand all | Collapse all

ClearPass Guest URL redirect following logon

This thread has been viewed 17 times
  • 1.  ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 05:39 PM

    I've setup ClearPass Guest with a simple Web Login page that clients get redirected to by an Aruba captive portal profile.

     

    All is working as expected with iPhones and an old Android device using stock browser - clients get redirected to the original page they were trying to browse to with no issues.

     

    Google chrome on android device, and IE 11 on Win 7 attempt to redirect the client to the originally requested URL, however they are appending '&arubalp=<various hex> and the client receives a 'Page not found' error.

     

    Has anyone seen this behaviour before? Is there a known solution?

     



  • 2.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 06:29 PM

    Hi chrispchikin,

     

    What role does the user have when they authenticate? I assume that this is different than your captive portal role?

     

    -Mike



  • 3.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 06:51 PM

    Yes different roles, post authentication is effectively the allowall role.

     

    Strange thing is, it doesn't always happen...



  • 4.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 08:54 PM

    Hi chrispchikin,

     

    Can you share your Role Mapping and your Enforcement Policy tabs for this service?

     

    Also, what version of ClearPass are you currently running?

     

    -Mike



  • 5.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 09:16 PM

    Details below:

     

    Role Mapping.png

    Enforcement Policy.png



  • 6.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 09:23 PM

    CPPM version is 6.5.3.76733



  • 7.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 10:11 PM

    What is the default role for the Captive Portal profile in Aruba OS? Also, what Aruba user role is set by your "IP-Guest Guest Profile" Enforcement Profile?

     

    -Mike



  • 8.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 18, 2016 10:16 PM

     

     

    The Guest enforcement profile sends a 'Guest-authenticated' user role attribute which is effectively the allowall role.

     

    Default role in captive portal profile is denyall.

     

     



  • 9.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 19, 2016 09:49 AM

    Have you tried to remove the MAC address entry for the iPhone and the Android device from the Endpoints Repository? I would then remove the entry from the user-table on the controller. This will effectively zero out the IPhone and Android device and it will start the process from scratch. At that point, can you go through the process and see if you get presented a portal page?

     

    Thanks!

     

    -Mike



  • 10.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 19, 2016 02:13 PM

    Yes, been having to do that in order for the devices to not just be MAC authenticated.



  • 11.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 19, 2016 04:45 PM

    Are you mobile devices just MAC authenticating and not connecting to the Portal service? If so, can you share the Role Mapping and Enforcement Profile from that service?

     

    -Mike



  • 12.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 19, 2016 04:47 PM

    Its setup pretty much as per the template, initial logon is captive portal w/ web login.

    Subsequent authorisations use MAC auth.


    We're not even getting to the MAC auth stage, the problem is occuring after web login so not really relevant.



  • 13.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 23, 2016 10:24 AM

    can you share your controller captive portal profile?



  • 14.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 24, 2016 02:44 PM

    Sure, config below:

     

    Captive Portal 1.png

    Captive Portal 2.png



  • 15.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 30, 2016 08:12 AM

    are you sure that works at all? denyall as role after auth doesn't feel correct.

     

    have you checked with browser debug tools (IE F12) where the extra info is added?



  • 16.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 30, 2016 02:33 PM
    It sure does, ClearPass sends an authenticated role in a RADIUS attribute after successful auth.


  • 17.  RE: ClearPass Guest URL redirect following logon

    Posted Jan 31, 2016 10:25 AM

    duh, hadn't considered that one.

     

    im kinda out of ideas, like mentioned try to use browser debug tools to find a difference in behaviour and which element causes it.

     

    TAC case is also always an option.