Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Instant with CPPM as External Captive Portal Questions

  • 1.  Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 21, 2017 04:28 PM

    Hi,

     

    We are in the process of swapping all of our Dell branded Aruba gear for Aruba branded gear.

    This time around we have decided to try out the IAPs and drop the controller (mainly due to cost).

     

    I am currently working on the Guest portion and have a few questions/problems regarding it.

     

    For the VLAN, I used the static assignment. Is this the right approach if my pre-auth and auth VLANs will be the same?

    2017-07-21_16h06_17.png

    When I connect to the SSID I am getting redirected properly and hitting the appropriate Captive Portal page. When I attempt to sign in though, the page just keeps looping. When I was using the controller I set the Address field for the web login page on the CPPM to captiveportal-login.mydomain.com. I had a wildcard cert loaded on the controller so there was no cert error when the redirection happened.

    If I use captiveportal-login.mydomain.com with the IAP I receive a DNS error, and no cert error. I haven't loaded any new certs onto the IAP yet. On the preauth-guest role I have it configured just with HTTP and HTTPS access to the ClearPass itself, as per a YouTube video I was following.

    Am I missing a configuration on the IAP itself or perhaps on the user role?

     

    2017-07-21_16h10_17.png

     

    Just to confirm, the IAPs don't have anything similar to "netdestination" like the controllers do, do they? Based on the CLI PDF it doesn't look like it, but I just wanted to confirm.

     

    Sorry for all the dumb questions. I honestly didn't expect the IAPs to be that different from that of a controller based environment.

     

    Any help would be greatly appreciated.

     

    Cheers



  • 2.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 24, 2017 04:26 PM

    Hi Bourne,

     

    For the VLAN, I used the static assignment. Is this the right approach if my pre-auth and auth VLANs will be the same?

     

    Sure, it can be the same VLAN; the pre-auth role will take care of restricting all access prior to successful auth. Just make sure it only allows HTTPS to CPPM and DNS + DHCP, then you're good.

     

    If you haven't loaded any cert on the IAP now, then you should enter securelogin.arubanetworks.com (since this is the CN of the factory cert) in the address field.

     

    As for the netdestination, there is no such feature in Instant as far as I know!

    Hope this helps :)

     

     

     



  • 3.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 24, 2017 08:07 PM

    Hi @OverClock,

     

    Thank you for the reply.

     

    Is there another method of providing the VLAN for the pre-auth role besides statically setting it? I believe I can use the role itself to assign the role.

    Any suggestions on restricting Guest access post-auth? I guess there is no way to avoid just denying access to all of our internal networks?

     

    Doh! Is a certificate replacement a prerequisite for the captiveportal-login to work? If so I shouldn't have known that.

    I did actually try using securelogin.arubanetworks.com, but still received an issue on the redirect. I will take a closer look tomorrow!

     

    Thank you again for the reply!

    Cheers



  • 4.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 10:26 AM

    Hi Bourne, you could easily have the pre-auth in a separate VLAN, but the only concern here is that it's layer 3 authentication with a captive portal, which means you would need to terminate the client session after successful auth to allow it to re-DHCP and get an IP in the new VLAN with the new role once authenticated.

    Most of the time you want to have 2 roles in the same VLAN for guests:

    pre-auth = really restricted, with only the access required to reach CPPM etc.
    post-auth = returned by CPPM to the IAP following successful auth, and gives full internet access (or whatever you decided)

    Replacing the certificate is surely a best practice but not a prerequisite. Are you perhaps trying to browse an HTTPS web page before getting redirected? If so this is normal HSTS behavior on newer web browsers. Try browsing http://cnn.com and see what it does.

    Cheers,
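The two-role model in the reply above (a tightly restricted pre-auth role and a post-auth role returned by CPPM, both in one VLAN) can be checked with a small first-match policy evaluator. This is an added example, not Aruba Instant's or ClearPass's code: the ClearPass address, the internal ranges and the sample flows are constructed placeholders, and the rule ordering is the policy the reply recommends (DHCP, DNS and HTTPS to ClearPass only before auth; Internet but not internal networks after auth).

```python
"""First-match ACL model of the guest pre-auth / post-auth roles.

Added example, not Aruba's or ClearPass's code. CPPM_HOST, INTERNAL and the
flow samples are constructed placeholders; the rule set mirrors the reply:
DHCP, DNS and HTTPS to the ClearPass server, deny everything else pre-auth.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

CPPM_HOST = ip_network("192.0.2.10/32")   # constructed ClearPass address (TEST-NET-1)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    dst: IPv4Network
    proto: str          # "tcp", "udp" or "any"
    port_lo: int        # inclusive destination port range
    port_hi: int
    action: str         # "permit" or "deny"

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        return (ip_address(dst_ip) in self.dst
                and self.proto in ("any", proto)
                and self.port_lo <= dport <= self.port_hi)


# Pre-auth role: only what a client needs to reach the captive portal.
PREAUTH_GUEST = [
    Rule(ANY, "udp", 67, 68, "permit"),          # DHCP
    Rule(ANY, "udp", 53, 53, "permit"),          # DNS
    Rule(CPPM_HOST, "tcp", 443, 443, "permit"),  # HTTPS to ClearPass (portal)
    Rule(ANY, "any", 0, 65535, "deny"),          # everything else
]

# Post-auth role returned by CPPM: Internet only, internal ranges denied.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
POSTAUTH_GUEST = [Rule(n, "any", 0, 65535, "deny") for n in INTERNAL] + [
    Rule(ANY, "any", 0, 65535, "permit"),
]


def evaluate(role: list, dst_ip: str, proto: str, dport: int) -> str:
    """Return the action of the first rule that matches the flow."""
    for rule in role:
        if rule.matches(dst_ip, proto, dport):
            return rule.action
    return "deny"   # implicit deny if nothing matched


if __name__ == "__main__":
    # Constructed flows: portal login, a random HTTPS site, an internal SMB share.
    for role_name, role in (("pre-auth", PREAUTH_GUEST), ("post-auth", POSTAUTH_GUEST)):
        for flow in (("192.0.2.10", "tcp", 443), ("198.51.100.7", "tcp", 443), ("10.1.2.3", "tcp", 445)):
            print(role_name, flow, "->", evaluate(role, *flow))
```

Running it shows why the same VLAN is safe: before authentication only the portal, DNS and DHCP are reachable, and after authentication the internal ranges are still denied while the Internet is permitted.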



  • 5.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 11:36 AM

    Hi @Overclock,

     

    Thank you for your reply.

     

    I managed to get it working now.

    I found something strange though, during the Captive Portal Guest login there are two different RADIUS requests sent to the ClearPass.

     

    One request is handled by the Publisher, while the other is handled by the Subscriber.

    Each request is different in the information that is provided.

     

    The first one that is handled by the Publisher seems to indicate the request is Ethernet based as the NAS-Port-Type is 15.

    2017-07-25_11h24_32.png

     

    The second request that is handled by the Subscriber indicates the request as a wireless request as the NAS-Port-Type is 19.

    2017-07-25_11h25_45.png

     

    I am just not sure why I would be seeing two different requests?

     

    What are the requirements for the certificate for the Captive Portal Server? I am assuming this is the certificate that we want to replace? It wants a pem, cer, or crt. If my memory is correct, you cannot include the private key in these cert types. Does the cert require the cert bundle? And can this certificate be a wildcard cert like it can be on the controller?

     

    Cheers



  • 6.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    EMPLOYEE
    Posted Jul 25, 2017 11:41 AM

    The first one looks like it's a RADIUS-based preauth as the source address is localhost.



  • 7.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 11:52 AM

    The reason you see 2 RADIUS requests is probably because the web login page configuration has the pre-auth check set to the RADIUS method.

    As for the certificate, yes it supports wildcard. There are multiple ways/procedures; the solution of this thread explains it well and straight to the point:

    http://community.arubanetworks.com/t5/Controllerless-Networks/IAP-205-wildcard-certificate-for-replace-securelogin/m-p/278998

     



  • 8.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 11:57 AM

    Hi guys,

     

    Thank you @Overclock and @cappalli.

    It looks like you were correct about the pre-auth check on the web page.

    2017-07-25_11h54_04.png

     

    I honestly don't recall why I set this like this.

    What is the benefit/drawback of doing this and not doing this?

     

    And thank you for the link for changing the cert. That will help a lot!

     

    Cheers



  • 9.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 01:09 PM

    Hi Guys,

     

    Okay I found this post that explains why you would use pre-auth check.

     

    I will create two rules now to handle this pre-auth check accordingly.

     

    Cheers



  • 10.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    EMPLOYEE
    Posted Jul 25, 2017 01:13 PM

    Just to be clear, when you're only handling guest users, you do not need an "external" pre-auth check. Just use Local.



  • 11.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 01:58 PM

    Sorry cappalli I did not see this response regarding only needing the local.

     

    A little bit of background on how our Guest network is setup. We are using our visitor intake system as the authenticating source for the guest network. There is an SQL connection back to the intake system that just queries for a simple ID value.

     

    When you are saying we do not need an "external" pre-auth check, and to just use local, what setting is controlling having one or the other? Would I leave the "Pre-Auth Check" the way it is and disable something else?

     

    For the certificate, I ran the "show cert all" command and I do see my wildcard cert loaded under the "Current CP Server Certificate". I must be missing another setting.



  • 12.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 02:06 PM

    What browser are you using? A DNS error is normal if you are using Chrome and you didn't add the DNS name in the SAN field of the certificate, since Chrome is now enforcing it as the CN is subject to homograph vulnerability.



  • 13.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    EMPLOYEE
    Posted Jul 25, 2017 02:07 PM

    Nearly every public CA automatically adds the common name as a SAN.

     

    I would open a TAC case.
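The two replies above turn on the same check: a browser matches the requested hostname against the certificate's subjectAltName DNS entries, not the CN by itself, and a wildcard covers exactly one leftmost label. The following is an added example that models that matching rule in plain Python; it is not Aruba's, ClearPass's or any browser's code, and the certificate contents are constructed dictionaries rather than a parsed PEM.

```python
"""Hostname-to-certificate name matching as modern browsers apply it.

Added example, not Aruba's or ClearPass's code. Models the rule discussed
above: the hostname must match a SAN dNSName entry (a CN with no matching
SAN is rejected) and "*" matches a single leftmost label only.
Certificates below are constructed dicts, not real certificates.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one presented name with the requested host."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard only as the whole leftmost label, never for "*.tld",
    # and it never spans more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any SAN dNSName matches; the subject CN alone is not consulted."""
    return any(_name_matches(san, hostname) for san in cert.get("san_dns", []))


def explain(cert: dict, hostname: str) -> str:
    """Human-readable verdict, distinguishing the CN-only case the thread hit."""
    if cert_covers(cert, hostname):
        return "ok"
    if _name_matches(cert.get("cn", ""), hostname):
        return "cn-only: hostname matches CN but has no SAN entry; modern browsers reject"
    return "no match"


# Constructed certificates: a properly issued wildcard, and one with only a CN.
WILDCARD_WITH_SAN = {"cn": "*.mydomain.com", "san_dns": ["*.mydomain.com", "mydomain.com"]}
CN_ONLY = {"cn": "*.mydomain.com", "san_dns": []}

if __name__ == "__main__":
    for host in ("captiveportal-login.mydomain.com", "a.b.mydomain.com", "mydomain.com"):
        print(host, "| with SAN:", explain(WILDCARD_WITH_SAN, host),
              "| CN only:", explain(CN_ONLY, host))
```

The `explain` output for `CN_ONLY` is the situation the replies argue about: a wildcard CN that a browser ignores because no SAN backs it. When checking a real certificate, the same logic applies to the names printed by `show certs all` on the IAP, or to the SAN list shown by a browser's certificate viewer.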



  • 14.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 11:05 PM

    Sorry for my late reply.

    Got caught up with some other issues.

     

    I will open a TAC case. Thank you for your patience I really appreciate it.

     

    There is an available firmware upgrade, not sure if there is any chance that the issue exists in the firmware itself. I will have to find time to get the upgrade done.

     

    Thank you again!



  • 15.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Aug 02, 2017 10:57 PM

    Hi,

     

    Just wanted to give a quick update. I finally got around to updating the firmware on the IAPs. Initially when I got them out of the box and fired them up they weren't able to check for available firmware versions so I wasn't able to upgrade. I also didn't have access to the firmware from HPE portal since I didn't have a support account yet.

     

    Eventually the IAPs were able to check for new firmware and update to version 6.4.4.8-4.2.4.6_58505. After upgrading the firmware, the redirect using captiveportal-login worked as expected. The firmware upgrade also fixed an issue I was having with editing firewall rules added to the user roles that were first created on the command line.

     

    I finally got onto the HPE support site and noticed that there is a 6.5.x.x firmware version now available. The firmware check from the IAP for some reason won't pick this version up. I plan to upgrade to this version though.

     

    Thank you for everyone's help, it is much appreciated!



  • 16.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Aug 02, 2017 11:05 PM

    @cappalli wrote:

    Just to be clear, when you're only handling guest users, you do not need an "external" pre-auth check. Just use Local.


    Hi cappalli,

     

    Sorry to pester you on this point, I was just wondering if you could elaborate a little on the "external" pre-auth versus just the local auth?

     

    Is the "external" pre-auth happening because I configured the Guest SSID with a pre-auth role? Or does it occur because of how I have the web login page configured?



  • 17.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    EMPLOYEE
    Posted Aug 02, 2017 11:09 PM

    External meaning something outside the guest database. For guest workflows that leverage the guest user database, the pre-auth check should be local.



  • 18.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Aug 03, 2017 07:40 AM

    I see what you mean now.

    This might be why I am receiving the pre-auth check.

     

    Currently, we are not using the Guest portion of ClearPass. We use an external database from our Visitor intake system to authenticate our users. Would this explain why we have the dual request?

     



  • 19.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    Posted Jul 25, 2017 01:45 PM

    Hi,

     

    So I replaced the certificate and reloaded the IAP. I modified the "Address" setting on the web login page. During the login process I receive a DNS error from the "captiveportal-login.mydomain.com".

     

    The certificate I loaded was a wildcard cert for my domain, the same one we used on the controller. As I understand it, the controllers themselves know to resolve captiveportal-login.*.com to itself; do the IAPs do the same thing?

     

    Cheers



  • 20.  RE: Aruba Instant with CPPM as External Captive Portal Questions

    EMPLOYEE
    Posted Jul 25, 2017 01:50 PM

    Yes, it behaves the same way. If you run 'show certs all', do you see the wildcard cert under "CP Server Certificate"?