Requirement:You might want to integrate ClearPass with Adtran Bluesocket Wireless for guest authentication where the captive portal page would be hosted on ClearPass and the authentication on the captive portal is handled by ClearPass.
Solution:This article covers the configuration required on Clearpass in detail and also the configuration required on BlueSocket to integrate ClearPass and Bluesocket for guest authentication
Configuration:We need to create a new page on ClearPass dedicated for BlueSocket, it can be either a Self registration or a web login. The NAS vendor settings are going to be different for integrating with BlueSocket on ClearPass, the other settings like fields in Self registration page, pre-auth check etc. are no different from regular guest page configuration.
In the Vendor settings you need to choose Custom Settings as shown in the screenshot below
When we choose custom settings we would be prompted for some additional fields like Submit URL etc. among others. The Submit URL needs to be as below
https://<BlueSocket IP Address or Host name>/login.pl?which_form=reg&source={$extra_fields.source}&macaddr={$extra_fields.mac|escape}&domain_id={$extra_fields.domain_id}&login_form_id={$extra_fields.login_form_id}&bs_name={$username}&bs_password={$password}
All the parameters with the extra_fields suffix are captured from the initial redirect URL so they are supposed to be appended by BlueSocket in the redirect URL. ClearPass can capture the information appended in the URL and make the client relay the information needed for BlueSocket to send the captive portal login request to ClearPass as a Radius request.
Essentially from ClearPass we are making the client send the required data (data required by BlueSocket) along with the username and password over HTTPS to the BlueSocket and the BlueSocket will then generate a Radius request and send it to the Radius Server which is going to be ClearPass. ClearPass would then return a Radius Accept or any other attributes that are needed for BlueSocket resulting in the change of role of the user allowing them to access the resources they are supposed to. We will go over the Radius service configuration later in this article.
The next piece of configuration is the Submit Method which needs to be GET as shown in the screenshot below
The Authentication setting in the page can be set to the desired one. The other important settings on the page relevant to this BlueSocket integration are the Username field and Password field which can be left to the default at username and password.
Those are settings that are different from regular guest page configuration in a BlueSocket Integration.
Please find the relevant settings on BlueSocket for this captive portal integration with ClearPass below
You can start by creating an Authentication server of type RadiusWebAuthServer with the ClearPass IP address and shared secret which would be used by BlueSocket for sending Web authentication requests.
Once we create the authentication server we need to create a new form on BlueSocket as shown in the screenshot below
The Base URL of external server is the captive portal login page url which is hosted on ClearPass.
Once the Login Form is created you can create a new SSID and map the login form created earlier.
The Role shown above "Un-registered" is the role that can give the user access to the captive portal page on ClearPass and also allow DHCP and DNS.
As per the configuration above the destination "guest" is the destination that encompasses ClearPass.
We can also configure the URL redirect to take the user to that destination after authentication as per the screenshot below
Once all this configuration done the client should be redirected to the captive portal page on ClearPass after connecting to the Guest SSID.
When the user submits the login on the page ClearPass would receive a Radius request that contains the username and password of the client.
ClearPass needs to be configured to handle that Radius request and return the appropriate attributes to put the user in the right role on the BlueSocket Controller.
Firstly we need to add the Blue Socket Device on ClearPass under Configuration>>Network >>Device>>Add Device as shown in the screenshot below
The vendor type needs to be IETF.
Once the device is added we need to create a new service on ClearPass of type Radius Enforcement (Generic).
The service categorization rules could be as shown below. The BlueSocket device sends the SSID name in a Radius attribute called "Called-Station-Id" so we could use that to categorize requests from that specific SSID.
The authentication method needs to PAP and the appropriate authentication sources also need to be added
The enforcement policies and profiles can be configured as per requirement. By default ClearPass would return a Radius Accept if the authentication goes through which should put the client in the post authentication role.
Once we are done with all this configuration BlueSocket wireless users can successfully redirect to the captive portal page hosted and authenticate on the page and then be redirected out to the internet.
VerificationWe should be able to see a Radius request hit ClearPass once the user authenticates on captive portal page on the BlueSocket Wireless SSID. If we return a Radius Accept in response to that Radius request the user would be put in the post authentication role on BlueSocket