Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba controller not redirecting to CPPM

  • 1.  Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 04:09 PM

    I just replaced a 3600 Controller with a 7030 because I needed to add more APs than the 3600 would support.

    I have everything else up and running, but for some reason I can't get the controller to redirect to my CPPM server for guest authentication.  I changed the Login Page under the CP profile to the Weblogin configured on the CPPM, but whenever I test the Captive Portal, even from the controller, it tries to go here:

    https://10.254.254.236/cgi-bin/login?profile=Clearpass-Versatile-Guest

     

    rather than here:

    https://clearpass.versacomm.com/guest/Versatile_Guest_Network.php?

     

    which is where it is supposed to go.

     

    10.254.254.236 is the controller's IP address and Clearpass-Versatile-Guest is the name of the CP profile on the controller.  The Clearpass is at 192.168.10.145 and it still works from the old 3600.  I have to be missing something simple, but I can't for the life of me figure out what it is.

     



  • 2.  RE: Aruba controller not redirecting to CPPM

    EMPLOYEE
    Posted Feb 17, 2016 04:19 PM
    Is the captive portal profile selected in your guest logon role? 

    Sent from Nine


  • 3.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 04:21 PM
    Can you share the ACLs under CAPTIVE-PORTAL-ROLE (INITIAL ROLE)


  • 4.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 04:56 PM

    Here are the initial Role and the ACLs associated:

     

    user-role ClearPass-Guest-Login
     captive-portal "Clearpass-Versatile-Guest"
     dpi disable
     web-cc disable
     access-list session global-sacl
     access-list session apprf-ClearPass-Guest-Login-sacl
     access-list session Clearpass-Guest-Weblogin
     access-list session logon-control
     access-list session captiveportal

     
    ip access-list session captiveportal
    captiveportal
    -------------
    Priority  Source  Destination  Service          Application  Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------  -------          -----------  ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    controller   svc-https                     dst-nat 8081                           Low                                                           4
    2         user    any          svc-http                      dst-nat 8080                           Low                                                           4
    3         user    any          svc-https                     dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1               dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2               dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3               dst-nat 8088                           Low                                                           4


    ip access-list session logon-control
    logon-control
    -------------
    Priority  Source  Destination              Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------              -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    any                      udp 68                 deny                             Low                                                           4
    2         any     any                      svc-icmp               permit                           Low                                                           4
    3         any     any                      svc-dns                permit                           Low                                                           4
    4         any     any                      svc-dhcp               permit                           Low                                                           4
    5         any     any                      svc-natt               permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any                    deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any                    deny                             Low                                                           4

    ip access-list session Clearpass-Guest-Weblogin
    Clearpass-Guest-Weblogin
    ------------------------
    Priority  Source  Destination       Service    Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
    --------  ------  -----------       -------    -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
    1         user    ClearPass_Server  svc-http                permit                           Low                                                           4
    2         user    ClearPass_Server  svc-https               permit                           Low                                                           4

     



  • 5.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:00 PM

    The 2 additional ACLs at the top (global-sacl and the AppRF ACL) have no rules in them, but I get an error when I try to delete them from the role.



  • 6.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:04 PM
    You can't delete those.

    Those are used for AppRF rules.


  • 7.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:03 PM
    - Make sure that if you are using ClearPass VIP in your Guest URL that IP address is included in your ClearPass_Server netdestination

    - Also verify that the https://clearpass.versacomm.com/guest/Versatile_Guest_Network.php URL is configured as your Login Page

    - From the Guest network, can you reach clearpass.versacomm.com?


  • 8.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:22 PM

    I checked and the netdestination is set to 192.168.10.145, which is the Clearpass server, and the URL is correct.

    When I connected to the guest network, I can ping the controller but I cannot ping the clearpass server by either name or IP.



  • 9.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:26 PM
    Do you have an IP address assigned to the Guest VLAN in the controller?

    How do you have your guest network configured?

    - Routable in your internal network

    - Only internal to your controller

    - Or going through your DMZ


  • 10.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:31 PM

    The Guest network VLAN does have an address on it, but it's not associated to a physical port or port channel on the controller.



  • 11.  RE: Aruba controller not redirecting to CPPM
    Best Answer

    Posted Feb 17, 2016 05:35 PM
    If that network is not flowing through the internal network, then apply "ip nat inside" under that VLAN.

    Sent from Outlook Mobile


  • 12.  RE: Aruba controller not redirecting to CPPM

    Posted Feb 17, 2016 05:46 PM

    That was it.  I knew I was missing something simple.  Note to self, don't configure things on the fly at 3:00 am if you can avoid it.
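The replies in this thread amount to a short checklist: the initial role has a captive-portal profile bound, its ACLs permit HTTP/HTTPS from `user` to the `ClearPass_Server` netdestination, that netdestination actually contains the ClearPass IP, and a guest VLAN that is not routed internally carries `ip nat inside`. The script below is an added example, not code from the thread or from HPE Aruba; it runs that checklist over a constructed ArubaOS-style config fragment that reuses the role and ACL names the poster showed (VLAN 50 and its addressing are assumptions).

```python
import re

# Constructed config fragment (not from the thread): the poster's role/ACL names
# plus the netdestination and guest VLAN the replies asked about. VLAN 50 assumed.
SAMPLE_CONFIG = """\
netdestination ClearPass_Server
 host 192.168.10.145
!
interface vlan 50
 ip address 10.50.0.1 255.255.255.0
 ip nat inside
!
ip access-list session Clearpass-Guest-Weblogin
 user alias ClearPass_Server svc-http permit
 user alias ClearPass_Server svc-https permit
!
user-role ClearPass-Guest-Login
 captive-portal "Clearpass-Versatile-Guest"
 access-list session Clearpass-Guest-Weblogin
 access-list session captiveportal
!
"""

def blocks(config):
    """Split config text into {header: [indented body lines]}; '!' ends a section."""
    out, header, body = {}, None, []
    for line in config.splitlines():
        if line.startswith(" ") and header:
            body.append(line.strip())
        elif line.strip() in ("!", ""):
            if header:
                out[header] = body
            header, body = None, []
        else:
            header, body = line.strip(), []
    if header:
        out[header] = body
    return out

def check_guest_portal(config, role, netdest, clearpass_ip, guest_vlan):
    """Apply the thread's checklist to the initial role and return pass/fail per item."""
    b = blocks(config)
    role_lines = b.get(f"user-role {role}", [])
    acl_names = [l.split()[-1] for l in role_lines if l.startswith("access-list session")]
    permits = set()  # services the role's ACLs permit from users to the ClearPass alias
    for name in acl_names:
        for rule in b.get(f"ip access-list session {name}", []):
            m = re.match(rf"user alias {re.escape(netdest)} (svc-https?) permit$", rule)
            if m:
                permits.add(m.group(1))
    vlan_lines = b.get(f"interface vlan {guest_vlan}", [])
    return {
        "captive_portal_bound": any(l.startswith("captive-portal ") for l in role_lines),
        "clearpass_in_netdest": f"host {clearpass_ip}" in b.get(f"netdestination {netdest}", []),
        "acl_permits_http_https": {"svc-http", "svc-https"} <= permits,
        "guest_vlan_has_ip": any(l.startswith("ip address ") for l in vlan_lines),
        "guest_vlan_nat_inside": "ip nat inside" in vlan_lines,
    }
```

Any item reported False points at the same reply in the thread that would have caught it; the last item is the one that resolved this case.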