Stuck in login page when trying to authorize via Clearpass web page on Instant AP

  • 1.  Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 22, 2024 11:15 AM

    Hi all!

    I have an Instant AP OS v 8.7.1.6 and ClearPass with web login page configured.

    I need to authorize users via Active Directory using this web page, so I added a RADIUS check and a RADIUS service on my ClearPass.

    In ClearPass Access Tracker I see that everything is fine, authorization is successful, and ClearPass sends the needed role attribute (Radius:Aruba:Aruba-User-Role) in the Enforcement Policy Profile to the IAP.

    But on the IAP my device does not get the appropriate role, it just keeps the prelogin role with no Internet access. The client phone keeps constantly loading the login page asking for login and password.

    Could you please advise what I can check?



  • 2.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 22, 2024 08:40 PM

    Generally that could point to the pre-auth user-role not being configured correctly. Share the screenshot for your pre-auth user-role and External Captive Portal in Instant AP.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 23, 2024 02:11 AM

    Here is my pre-auth role on IAP (I've changed IPs to letters)

    wlan access-rule Test-logon
    index 6
    rule A.A.A.A 255.255.255.255 match 6 443 443 permit
    rule B.B.B.B 255.255.255.255 match 6 443 443 permit
    rule any any match any any any deny

    And External Captive portal

    wlan external-captive-portal CPPM1
    server guest-cp.xxx.com
    port 443
    url "/guest/iap_test.php"
    auth-text ""
    redirect-url "https://google.com"
    auto-whitelist-disable
    https




  • 4.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 23, 2024 02:19 AM

    For your pre-auth role, you need to allow DHCP and DNS as well.






  • 5.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 23, 2024 02:30 AM

    So here is my role for now. But no result.

    It just keeps constantly loading the logon page after I add my credentials.

    wlan access-rule Test-logon
    index 6
    rule A.A.A.A 255.255.255.255 match 6 443 443 permit
    rule B.B.B.B 255.255.255.255 match 6 443 443 permit

    rule any any match 17 67 68 permit
    rule any any match 17 53 53 permit
    rule any any match 17 67 69 permit

    rule any any match any any any deny
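
The pre-auth role check discussed in posts 3 to 5, as an added example (not part of any poster's message and not Aruba code): it parses the `rule` lines and reports which flows a captive-portal client needs (DHCP, DNS, HTTPS to the portal) are blocked. Assumptions: the field layout is inferred from the rules shown above, rules are evaluated first-match with deny when nothing matches, and the 192.0.2.x, 198.51.100.53 and 203.0.113.7 addresses are constructed stand-ins.

```python
import ipaddress

def _num(tok):
    return None if tok == "any" else int(tok)

def parse_rules(text):
    """Parse 'rule <dest> <mask> match <proto> <start> <end> <action>' lines."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) != 8 or t[0] != "rule" or t[3] != "match":
            continue  # skips 'wlan access-rule', 'index' and blank lines
        net = None if t[1] == "any" else ipaddress.ip_network(f"{t[1]}/{t[2]}", strict=False)
        lo, hi = _num(t[5]), _num(t[6])
        rules.append((net, _num(t[4]), None if lo is None else (lo, hi), t[7]))
    return rules

def decide(rules, dst_ip, proto, port):
    """Assumed semantics: first matching rule wins, no match means deny."""
    ip = ipaddress.ip_address(dst_ip)
    for net, r_proto, ports, action in rules:
        if net is not None and ip not in net:
            continue
        if r_proto is not None and r_proto != proto:
            continue
        if ports is not None and not ports[0] <= port <= ports[1]:
            continue
        return action
    return "deny"

def preauth_gaps(rules, portal_ip, dns_ip):
    """Return the flows a captive-portal client needs that the role blocks."""
    needed = {
        "DHCP (UDP 67)": ("255.255.255.255", 17, 67),
        "DNS (UDP 53)": (dns_ip, 17, 53),
        "portal HTTPS (TCP 443)": (portal_ip, 6, 443),
    }
    return [name for name, flow in needed.items() if decide(rules, *flow) != "permit"]

# Constructed sample: 192.0.2.10 / 192.0.2.11 stand in for A.A.A.A / B.B.B.B.
PORTAL = ("rule 192.0.2.10 255.255.255.255 match 6 443 443 permit\n"
          "rule 192.0.2.11 255.255.255.255 match 6 443 443 permit\n")
DENY_ALL = "rule any any match any any any deny\n"
ROLE_POST3 = "wlan access-rule Test-logon\nindex 6\n" + PORTAL + DENY_ALL
ROLE_POST5 = ("wlan access-rule Test-logon\nindex 6\n" + PORTAL +
              "rule any any match 17 67 68 permit\n"
              "rule any any match 17 53 53 permit\n"
              "rule any any match 17 67 69 permit\n" + DENY_ALL)

if __name__ == "__main__":
    for label, role in (("post 3", ROLE_POST3), ("post 5", ROLE_POST5)):
        rules = parse_rules(role)
        print(label, "blocked:", preauth_gaps(rules, "192.0.2.10", "198.51.100.53"))
        # The role must stay closed for everything else (here: HTTPS elsewhere).
        print(label, "other HTTPS:", decide(rules, "203.0.113.7", 6, 443))
```
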




  • 6.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 23, 2024 02:46 AM

    OK, I am assuming ClearPass has a public HTTPS cert and you have a public HTTP cert for IAP's captive portal.

    If that's the case, is the user-role that you are sending back from ClearPass configured on IAP?






  • 7.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 23, 2024 03:40 AM
    Edited by Julia Jul 23, 2024 03:44 AM

    Yes, you are right about the certificates.

    For the user role, it is configured on IAP with the same name as in the ClearPass attribute.

    Also I am trying to find some debug command for IAP just to see what happens there during the login process, but no success. Commands that I found just show things like client status, some tech info or so, nothing like realtime debug.




  • 8.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 23, 2024 04:31 AM

    It may help to check the controller initiated guest flow from this video and with the developer tools check where your guest process goes wrong.

    Do you see in ClearPass, in order: MAC Auth (with reject or pre-auth role returned), WebAuth (optional if pre-auth check in your guest portal is enabled for application or RADIUS), then RADIUS authentication for the guest credentials?

    If you see a successful RADIUS login for the credential post to your AP, and role returned to the AP, double-check that the role exactly matches one of the roles that you configured on the AP. If there is no such role, the pre-auth role remains active.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 9.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 24, 2024 05:45 AM

    Herman, nice to meet you here. I've seen a lot of your Aruba ClearPass Workshop videos. They are really helpful.

    For now I've double checked my ClearPass services and role name on both ClearPass and IAP.

    Maybe the selected services are wrong, but according to Access Tracker they have been chosen correctly by the type of request.

    Here are some screenshots. Some sensitive information was hidden. But the role name is exactly the same everywhere.

    1 service for RADIUS request

    2 service for Webauth

    Here is my web login page

    And logs from the Access Tracker




  • 10.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 24, 2024 09:04 AM

    Do you have for a specific reason the Vendor on 'Captive portal with ClearPass Webauthentication', instead of Aruba?

    I think the issue lies there... your enforcement in the WebAuth is to update the Role attribute in the Endpoint to the obfuscated value, but that doesn't control anything on the AP. Unless there is a reason for the Vendor not being Aruba, I would put it back to Aruba and then controller initiated if you have a public certificate for your IAPs (Central has one included) otherwise server initiated with CoA. 

    You may be able to make this setup work as well, but then you would need to trigger a CoA (not Post Auth, or in addition to), but that does not seem to be an option as I don't see Accounting data in your Access Tracker. I would setup accounting as well.



    ------------------------------
    Herman Robers
    ------------------------------



  • 11.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 24, 2024 07:05 PM

    this is what he is referring to






  • 12.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 02:37 AM

    I have tried this before, but got an error as follows.

    In log file I see this error

    ERROR RadiusServer.Radius - rlm_auth_check: Auth-Type not set or authentication methods have not been configured. Rejecting it.

    This is the authentication method. And it works for other services used in ClearPass and for the previous configuration with other Vendor settings everything was fine. 




  • 13.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 02:51 AM

    What is your AD query for userAccountControl?






  • 14.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 03:13 AM

    Do you mean this attribute?




  • 15.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 04:41 AM

    Cannot select authentication method means that your AP is not configured for MSCHAP; try adding PAP into the authentication methods...



    ------------------------------
    Herman Robers
    ------------------------------



  • 16.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 05:38 AM

    Already tried but no result unfortunately.

    In Access Tracker I see that ClearPass successfully gets all attributes from AD, and the needed role is assigned.

    As I said, the same authentication setup works perfectly when I change Vendor on the web login page via guest. Also it works fine with other Remote AP with no Instant mode.

    My current web login page 




  • 17.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 07:18 AM

    You would need to change the address to the FQDN (or first SAN) in the public trusted certificate that you installed on your AP.

    It may also be good to work with your Aruba partner or TAC to have a look together. There probably is something small not set correctly, but following the process, step by step should reveal where the issue is and after that it's trivial to solve.



    ------------------------------
    Herman Robers
    ------------------------------



  • 18.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 25, 2024 12:21 PM
    Edited by GorazdKikelj Jul 25, 2024 12:32 PM

    Hi Julia. 


    It was nice to meet you in Las Vegas. Herman was faster than me in response :-) 

    You need to change the Address field to the used certificate's CN.

    On Instant the factory certificate by default has CN: securelogin.arubanetworks.com.

    Usually you want to replace this certificate with a publicly signed cert and you need to provide the correct CN from this publicly signed cert in the Address field.

    Best, Gorazd



    ------------------------------
    Gorazd Kikelj
    MVP Guru 2024
    ------------------------------



  • 19.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 27, 2024 07:36 AM

    Herman, thank you for the response. Unfortunately I cannot open a TAC case, because of the expired Support Contract. 

    Thank you also for the reply Gorazd!

    For now it is impossible to install some specified public certificate. Because we have only the one with general CN=*.companyname.com. I've tried to install it but get more certificate errors.

    I've also tried to get around this by issuing a self-signed certificate with a name like CN=securelogin.companyname.com, adding this to my IAP as the one for my captive portal, and then adding the issuing CA to the trusted list on the device from which I test the connection to the SSID. Also I've changed the address to securelogin.companyname.com in the Weblogin editor.

    From browser logs I see that everything is OK with the certificate acceptance (it is seen as trusted), but that does not solve the problem. Got the same error in my ClearPass logs. And as the user I see the login page over and over again.

    So I don't think it is a certificate issue. Because as soon as I change the vendor setting to Web based Clearpass Authentication, the policy with the same method MSCHAP and Active Directory source works as needed and no errors come at all. And I have a working appliance for guests and self-registration settings which is working well without installing any additional certificates.




  • 20.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 27, 2024 11:16 PM

    I tested it for you but with my AOS10 AP in bridge forwarding mode that has a valid pub cert for captive portal.

    For me, I get the exact same error as you did, "RADIUS - Cannot select appropriate authentication method", if the authentication method did not include PAP.

    Then when I added PAP, it authenticated as expected.






  • 21.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 30, 2024 01:14 AM

    Thank you for being involved in resolving my issue!

    I've already added the PAP method in the configuration for my service policy and there was no result.




  • 22.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Jul 31, 2024 01:52 PM
    Edited by FerC Jul 31, 2024 01:58 PM

    Hi Julia. 

    When I implement a captive portal between ClearPass and Aruba APs:

    • Always use a public cert and do not use a self-signed certificate.
    • Import a wildcard (*.company.com) into the AP and assign it as the Captive Portal certificate
      • OR buy a cheap public certificate with the following syntax: captiveportal-login.company.com. Import it into the AP and assign it as the Captive Portal certificate.
      • When I tested securelogin.company.com, it didn't work.
    • In web log editor, for the Address attribute use: captiveportal-login.company.com.
    • For the guest services, test using a template.

    With these steps, we were generally implementing captive portal without issues.

    I hope this helps you.

    FC




  • 23.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Aug 01, 2024 09:34 AM

    If you get a public trusted certificate securelogin.yourcompany.com for your APs, that should work without a problem. There is no need for specific captiveportal-login; that is just the name chosen when you import a wildcard certificate.

    But in ClearPass Guest the address field should point to the first SAN value (typically same as the CN) as used in the certificate that you imported in the AP, so if it's securelogin.yourcompany.com, put that in, if it's abc.yourcompany.com, use that, if it is *.yourcompany.com or captiveportal-login.yourcompany.com, use the latter.

    If your APs are managed by Aruba Central, there is an 'aruba default' certificate that you can apply which has the name: securelogin.hpe.com.



    ------------------------------
    Herman Robers
    ------------------------------



  • 24.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Aug 05, 2024 05:54 AM

    Thank you all! If the key is in the public certificate, it will take some time for me to organize the purchase of one. I will come back later then with an update.




  • 25.  RE: Stuck in login page when trying to authorize via Clearpass web page on Instant AP

    Posted Aug 08, 2024 07:38 AM
    Edited by Julia Aug 08, 2024 07:40 AM

    Everyone, thank you again for being involved in resolving my issue!

    The solution was in my Active Directory Source settings. Although it works for other APs (RAP in my case, with AD user authentication), it was not an option for an Instant AP.

    I've created a new source, not with the type Active Directory but with Generic LDAP, and now everything works fine.