Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

  • 1.  WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

    Posted Sep 02, 2024 02:39 AM

    Hi All,

    We have an issue where the Guest Client (SSID in WLC9800) gets an IP from the DHCP server (in Fortigate) but it never reaches the ClearPass server (from what I understand from the logs). I have followed the below procedure. Checked all firewall policies. I also double-checked the Redirect ACL multiple times and do not see any issue. From the WLC I can ping the ClearPass server fine.

    https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html#toc-hId-2126303558
    We have other RADIUS and TACACS requests from the same controller to the RADIUS server which work fine. The issue is only with the guest SSID.

    Logs in WLC:

    %RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: Chassis 1 R0/0: wncd: RADIUS server x.x.x.x:1812,1813 is not responding.

    %CLIENT_EXCLUSION_SERVER-5-ADD_TO_EXCLUSIONLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: xxxx.0ffb.xxxx was added to exclusion list associated with AP Name:NY-FORUM-15, BSSID:MAC: 0000.0000.0000, reason:802.11 association failure

    %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_900000bb AuditSessionID 1F0110AC00093797A393D9BF. Failure reason: Authc fail. Authc failure reason: AAA Server Down.

    %SESSION_MGR-5-FAIL: Chassis 1 R0/0: wncd: Authorization failed or unapplied for client (xxxx.0ffb.xxxx) on Interface capwap_9000011d AuditSessionID 1F0110AC00093796A393D925. Failure reason: Authc fail. Authc failure reason: AAA Server Down.



  • 2.  RE: WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

    Posted Sep 02, 2024 06:13 AM

    Hi

    From the log you have provided, it looks like the WLC can't communicate with the ClearPass server on the RADIUS port:

    %RADIUS_AUDIT_MESSAGE-6-RADIUS_DEAD: Chassis 1 R0/0: wncd: RADIUS server x.x.x.x:1812,1813 is not responding.

    Have you allowed the RADIUS traffic through the firewall and also added the WLC IP address as a Network Device with the correct shared secret?

    The fact that the guest user gets an IP has nothing to do with the issue, as it's not the client that will use RADIUS to ClearPass, it's the WLC.

    But if you plan to have a captive portal, you must make sure the http and https ports are open from the client to ClearPass.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------
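
As an added example (not part of the posts in this thread, and not Cisco or Aruba code): a minimal RADIUS Access-Request probe in Python that checks whether a RADIUS server answers on UDP 1812 and whether the shared secret matches. The server address, secret and user name are placeholders; the host running it must itself be defined as a network device on the server, so it tests the path and secret for that host rather than for the WLC.

```python
import hashlib, hmac, os, socket, struct

def _attr(code, value):
    return bytes([code, len(value) + 2]) + value

def build_access_request(secret, user, password, ident=1, authenticator=None):
    """RFC 2865 Access-Request carrying a Message-Authenticator (attribute 80)."""
    ra = authenticator or os.urandom(16)
    # User-Password hiding: XOR each 16-byte block with MD5(secret + previous block).
    pw = password.encode()
    pw = pw.ljust(-(-max(len(pw), 1) // 16) * 16, b"\x00")
    hidden, prev = b"", ra
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        hidden += prev
    attrs = _attr(1, user.encode()) + _attr(2, hidden) + _attr(80, bytes(16))
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + ra + attrs
    # HMAC-MD5 over the packet with the attribute value zeroed, then fill it in.
    return packet[:-16] + hmac.new(secret, packet, hashlib.md5).digest()

def response_is_authentic(secret, request, response):
    """Check the Response Authenticator: MD5(code+id+len + RequestAuth + attrs + secret)."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    length = struct.unpack("!H", response[2:4])[0]
    if not 20 <= length <= len(response):
        return False
    response = response[:length]
    digest = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(digest, response[4:20])

def probe(server, secret, user="probe-user", password="probe-pass", port=1812, timeout=3.0):
    """Send one Access-Request and classify the outcome."""
    request = build_access_request(secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            # RFC 2865 servers silently discard requests from unknown clients.
            return "no reply: UDP path blocked, source not a known client, or wrong secret"
    if not response_is_authentic(secret, request, response):
        return "reply failed authenticator check: shared secret mismatch"
    names = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
    return "authentic %s: path and shared secret are good" % names.get(response[0], response[0])

if __name__ == "__main__":
    # Placeholder address (TEST-NET-1) and secret; replace with your own values.
    print(probe("192.0.2.10", b"replace-with-shared-secret"))
```

An authentic Access-Reject is still a useful result here: it shows the request reached the server and the secret matched, even though the placeholder credentials were refused.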



  • 3.  RE: WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

    Posted Sep 05, 2024 08:55 AM

    Thank you for your input. So, the RADIUS ports UDP 1812, 1813, DNS, HTTP and HTTPS are open in the FW. I am still reviewing the FW policies and the WLC.

    This may be a silly question, but will I see a hit to ClearPass if my services are ordered wrong? In my case, I followed the documentation https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html#toc-hId-2126303558 and I have 2 services created. Will ClearPass tell me in the logs if the service is denied by some other service above these 2?

    Thank You!




  • 4.  RE: WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

    Posted 27 days ago

    Make sure that the DHCP server sends the appropriate options to the guest client, especially options related to redirection servers or authentication servers.




  • 5.  RE: WLC 9800 Guest SSID not redirecting to Guest Portal in Clearpass

    Posted 26 days ago

    Can you please elaborate on these option numbers? I have a similar setup for another site which is working fine, and I am not sure what DHCP option for redirection you are referring to.