  • 1.  Huawei NCE-Campus/iMaster and ClearPass Guest Portal - Which Submit URL to use

    Posted 6 days ago

    Hello,

    I'm trying to integrate a Huawei NCE-Campus solution with a ClearPass Guest portal (Self-Registration) and I'm stuck with the "Submit URL" in the NAS Vendor Information.

    I searched the Web and Airheads but cannot find much information.

    The only clue I found is Cloudi-Fi.com, which uses https://[IP of the AP]:8443. But I can't make it work.

    1. Does anybody know which URL and parameters I must use?
    2. As this URL is variable (depending on the source AP), how must I configure the Submit URL field of ClearPass? (I tried {login-url} but I'm redirected to "blank URL" even if the URL of the captive portal correctly includes the field login-url.)

    Thank you all



  • 2.  RE: Huawei NCE-Campus/iMaster and ClearPass Guest Portal - Which Submit URL to use

    Posted 5 days ago

    Please follow the steps below.

    In ClearPass --> Guest --> page login/Self Register --> Edit

    Vendor Settings: Custom Setting

    Submit URL: http://(ip address of WLC):8000/login

    Submit Method: POST







  • 3.  RE: Huawei NCE-Campus/iMaster and ClearPass Guest Portal - Which Submit URL to use

    Posted 5 days ago

    Hello,
    Thank you for the answer. There is no WLC, it's only "standalone APs" (like Instant AP controlled by Central).

    I tested this URL with the AP IP but it doesn't work (I also tried with https://x.x.x.x:8443/login).

    I tested the port and it is closed (I whitelisted the IP and the client can ping it or connect on port 8443)




  • 4.  RE: Huawei NCE-Campus/iMaster and ClearPass Guest Portal - Which Submit URL to use

    Posted yesterday

    I'm replying to myself for anyone having the issue: the official answer from Huawei is to use Server-Initiated (even if the documentation gives information about Controller-Initiated...)
    Major steps:
    - Create a Server-Initiated Captive Portal
    - Create a MAC-Auth service with always access (Mandatory for CoA after CP to work) but sending Captive Portal information for those which should be rejected
    - Create a Web-Auth service which will perform the Captive Portal authentication and send a CoA

    For the Captive Portal URL, you need to add the 2 new VSAs in the Huawei RADIUS Dictionary:
    - 156 => HW-Portal-URL
    - 173 => HW-Redirect-ACL
    !!! The URL must include the Endpoint MAC => https://[FQDN]/guest/myportal.php?&mac=%{Connection:Client-Mac-Address-Colon}
    On the Huawei side, the ACL must be defined in CLI section of the site, not in the ACL Template GUI.

    For the CoA, you need to add 1 new VSA in the Huawei RADIUS Dictionary (but the ArubaOS Wireless Terminate Session profile works fine also):
    - 238 => HW-Ext-Specific
    The CoA profile must send the Radius:IETF Calling-Station-Id set as %{Radius:IETF:Calling-Station-Id} and the Radius:Huawei HW-Ext-Specific set as user-command=1
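
To check in a packet capture that the CoA described in the last post carries the right attributes, here is an added example (not code from any poster, Huawei or Aruba) that encodes the CoA-Request on the wire and decodes it again. It assumes Huawei's IANA enterprise number 2011 and string-typed VSAs, neither of which is stated in the thread; the shared secret and MAC address are constructed sample values.

```python
import hashlib
import struct

HUAWEI_VENDOR_ID = 2011  # Huawei's IANA enterprise number (assumption: not in the thread)
VSA_NAMES = {156: "HW-Portal-URL", 173: "HW-Redirect-ACL", 238: "HW-Ext-Specific"}
CALLING_STATION_ID, VENDOR_SPECIFIC, COA_REQUEST = 31, 26, 43


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, length (2-byte header included), value."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def huawei_vsa(sub_type: int, text: str) -> bytes:
    """Vendor-Specific (26) carrying one Huawei sub-attribute, sent as a string
    (assumed type). The nesting leaves at most 247 bytes for the text."""
    sub = attr(sub_type, text.encode())
    return attr(VENDOR_SPECIFIC, struct.pack("!I", HUAWEI_VENDOR_ID) + sub)


def coa_request(identifier: int, secret: bytes, mac: str) -> bytes:
    """CoA-Request (RFC 5176) with the two attributes named in the post."""
    attrs = attr(CALLING_STATION_ID, mac.encode()) + huawei_vsa(238, "user-command=1")
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def decode(packet: bytes) -> dict:
    """Map attribute name (Huawei VSAs) or number (others) to its text value."""
    out, pos = {}, 20  # attributes start after the 20-byte header
    while pos + 2 <= len(packet):
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", HUAWEI_VENDOR_ID):
            out[VSA_NAMES.get(value[4], value[4])] = value[6:4 + value[5]].decode()
        else:
            out[a_type] = value.decode(errors="replace")
        pos += a_len
    return out


if __name__ == "__main__":
    # Constructed sample values: shared secret and client MAC are made up.
    print(decode(coa_request(1, b"constructed-secret", "AA-BB-CC-DD-EE-FF")))
```

The same `huawei_vsa` helper shows the size limit that applies to HW-Portal-URL: a portal URL longer than 247 bytes does not fit in a single VSA and raises `ValueError`.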