External Captive Portal Authentication Breaks When Posting Credentials to the Controller
A client can reach the captive portal page (for example a ClearPass Guest captive portal) and can post credentials on the ClearPass Guest page, but when those credentials are posted on to the controller the login process breaks and the client's browser shows a "404 - Page not found" style message. At that point the URL in the client's browser shows the controller IP address or DNS name followed by "/cgi-bin/login?errmsg=Access%20denied".
The "Access Denied" message is originating from the controller. The controller received the captive portal login request but determined that the client is not allowed for web authentication.
The most common cause is that the captive portal is instructing the client to post its credentials to the wrong controller. In that case the controller rejects the request because the client is not in that controller's user table. To check for this, look at the "Address" setting in ClearPass Guest under the web login or self-registration page. For most deployments, securelogin.arubanetworks.com can be used, since that name resolves to the controller the client is currently connected through rather than to a fixed controller address.
The second cause is a logon-role ACL that is improperly defined. The rules in the logon role that cover client traffic to the controller must use "dst-nat 8081" (and "dst-nat 8080" for HTTP) instead of "permit".

Incorrect:
user alias controller svc-https permit
user alias controller svc-http permit (needed only if HTTP authentication is desired and enabled)

Correct:
user alias controller svc-https dst-nat 8081
user alias controller svc-http dst-nat 8080 (needed only if HTTP authentication is desired and enabled)
The controller expects the client's authentication post to "cgi-bin/login" on port 8081 (or 8080), because the controller's captive portal web server serves clients through those ports. When the client is given "permit" access to the controller instead, the authentication post goes directly to port 443 (or port 80 for HTTP). The controller does not recognize a captive portal session on that port and therefore returns the "Access Denied" error to the client.
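The following script is an added example, not part of the original article or an Aruba tool. It lints session ACL rules written in the same form the article shows ("user alias controller svc-https dst-nat 8081") and reports any rule that sends client traffic for the controller's captive-portal services straight through with "permit", or that redirects it to the wrong port. The ACL name, the "ip access-list session" header line and the sample rule sets are constructed for the example.

```python
"""Lint ArubaOS-style session ACL rules for the captive-portal 'permit' mistake.

Added example (not from the article or from Aruba). Rules that do not
match the "user alias <dst> <svc> <action>" shape are ignored, so the
header line of a constructed ACL can be included without affecting results.
"""
import re

# Service -> port on which the controller's captive-portal web server listens.
EXPECTED_DSTNAT = {"svc-https": 8081, "svc-http": 8080}

# Matches e.g. "user alias controller svc-https dst-nat 8081" or "... permit".
RULE_RE = re.compile(
    r"^\s*(?P<src>user|any)\s+alias\s+(?P<dst>\S+)\s+(?P<svc>svc-https?)\s+"
    r"(?P<action>permit|deny|dst-nat(?:\s+(?P<port>\d+))?)\s*$"
)


def parse_rule(line):
    """Return the rule's fields as a dict, or None if the line is not a rule of this shape."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rule = m.groupdict()
    rule["port"] = int(rule["port"]) if rule["port"] else None
    return rule


def lint_acl(acl_text):
    """Return (line_number, problem) tuples for rules that would break captive-portal login.

    Only rules whose destination is the 'controller' alias and whose service is
    svc-http or svc-https are examined, matching the article's two cases:
    'permit' instead of dst-nat, and dst-nat to a port other than 8080/8081.
    """
    findings = []
    for number, line in enumerate(acl_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["dst"] != "controller" or rule["svc"] not in EXPECTED_DSTNAT:
            continue
        want = EXPECTED_DSTNAT[rule["svc"]]
        if rule["action"] == "permit":
            findings.append(
                (number, f"{rule['svc']} to controller is 'permit'; use 'dst-nat {want}'")
            )
        elif rule["action"].startswith("dst-nat") and rule["port"] != want:
            findings.append(
                (number, f"{rule['svc']} dst-nat port {rule['port']}; expected {want}")
            )
    return findings


# Constructed sample ACLs (the name "captiveportal-example" is made up for this example).
BROKEN_ACL = """\
ip access-list session captiveportal-example
  user alias controller svc-https permit
  user alias controller svc-http permit
"""

FIXED_ACL = """\
ip access-list session captiveportal-example
  user alias controller svc-https dst-nat 8081
  user alias controller svc-http dst-nat 8080
"""

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        problems = lint_acl(acl)
        print(f"{name}: {'OK' if not problems else ''}")
        for number, problem in problems:
            print(f"  line {number}: {problem}")
```

Paste the rule lines from "show rights <logon-role>" (or from the running configuration) into the script's input; any "permit" reported for the controller alias on svc-http or svc-https is the condition described above and should be changed to the corresponding dst-nat rule.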