Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba controller wireless with ClearPass-hosted captive portal

  • 1.  Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 22, 2020 12:39 PM

    Hello everyone,


    I am trying to set up a guest wifi network with a CPPM-hosted captive portal and (after a lot of pain) I got to the point where:

    1) client logs in to the SSID (no password)

    2) is redirected to the captive portal

    3) puts in credentials (authentication is done against the local guest user DB on clearpass)

    a) credentials not ok -> captive portal shows incorrect username and pass
    b) credentials ok -> browser is redirecting back to the captive portal and I am in an endless loop


    also on the controller I see the user still with the guest-logon role, so to me it looks like I have a problem with sending the correct user role back to the controller, which on the other hand I am not able to configure in clearpass since it's webauth and not radius


    I am clearly missing a few configuration items but have no idea what they are, and the built-in wizards in both controller and clearpass are completely useless


    screenshots of the existing configurations are attached, any help is greatly appreciated



  • 2.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    MVP GURU
    Posted Jul 22, 2020 01:35 PM

    Have you tried returning a proper role back to the controller in the enforcement profile? And check what your default guest role is on the controller. This is the role that's assigned if the auth is a success but a role does not get returned with the auth response. The returned or default role should be something like guest and not guest-logon. That would keep returning you back to a captive portal.




  • 3.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 22, 2020 03:15 PM

    hi dustin,


    - it's in the screenshots but basically initial role is guest-logon and default role is guest

    - the thing is with the webauth service type you are not able to select anything like "aruba-user-role=guest" in the enforcement profiles like you can in the RADIUS types



  • 4.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    MVP GURU
    Posted Jul 22, 2020 04:26 PM

    Do you have a radius guest authentication service set up? On the controller you would add the clearpass server as a radius authentication server under the authentication profile, and when the user authenticates against the web auth, those credentials get posted to the secure login page. From there the controller will authenticate those credentials against clearpass, and should match the radius service you configure. Then you should be able to return radius CoA and attributes.




  • 5.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 27, 2020 08:19 AM

    Dustin - again it's all in the screenshots, but the problem is the authentication request comes in to clearpass as webauth and not as radius, therefore the rest is pretty much irrelevant (unless I am able to change it to come in as radius, but for now I have no idea how to achieve it)



  • 6.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 23, 2020 12:48 PM

    Have you replaced the controller captive portal profile default certificate with a well-known third-party cert?

    Make sure that the captiveportal acl position is 3 under the guest logon role




  • 7.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 27, 2020 08:35 AM

    victor - the captive portal is hosted on clearpass not on the controller. cert has not been replaced yet, so it gives me a warning when I am redirected to captive portal but that should not be the root cause?


    to be honest I am not quite sure I understand the other point, this is the config from controller:


    user-role guest-logon
    captive-portal "wifi_guest_authentication_profile"
    access-list session ra-guard
    access-list session logon-control
    access-list session captiveportal
    access-list session v6-logon-control
    access-list session captiveportal6


    and the ACLs:

    ip access-list session ra-guard
    ipv6 user any icmpv6 rtr-adv deny


    ip access-list session logon-control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny
    any host 10.10.2.200 any permit -> this is the clearpass IP


    ip access-list session captiveportal
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
    any host 10.10.2.200 any permit


    the 2 IPv6 ACLs are irrelevant as we are using IPv4 only. also the aaa details:


    aaa authentication captive-portal "wifi_guest_authentication_profile"
    server-group "CPPM_svg"
    no logout-popup-window
    login-page "/guest/captiveportal.php"
    no enable-welcome-page
    show-acceptable-use-policy



  • 8.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 27, 2020 11:06 AM

    Please move this ACL "access-list session captiveportal" above the logon-control


    In order for the Captive Portal authentication to work properly, you need to replace the controller default certificate (securelogin.arubanetworks.com):

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809


    Also make sure you create an alias for the ClearPass servers and whitelist the servers under your captive portal profile or the logon role allowing HTTP/HTTPS



  • 9.  RE: Aruba controller wireless with ClearPass-hosted captive portal

    Posted Jul 28, 2020 05:57 AM

    Hello Victor,


    thanks for the inputs.


    1) I updated clearpass cert with one trusted by the client and now https warnings are gone

    2) with the original order of ACLs in the guest-logon user role nothing changes - user is redirected to captive portal, enters credentials, clearpass receives it as "webauth" type, says it's accepted but user is still showing as guest-logon on the controller and is redirected back to the captive portal login page

    -> therefore I believe the problem is with the setup of the clearpass service that should return some response to the controller, but the options are very limited in the webauth service type so I have no idea how to fix it. Also on the firewall I don't see that clearpass would initiate CoA back to the controller...


    3) if I change the order of ACLs in the controller, I get a certificate error (and based on the cert it's showing it looks like I am not redirected to clearpass but to the controller) and then it just keeps looping in the browser between ".../captiveportal.php" and ".../captiveportal.php?cmd=login&mac=xxx" and I don't even get the login prompt in the browser


    ACLs are here:


    ip access-list session logon-control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny
    any host 10.10.2.200 any permit


    ip access-list session captiveportal
    user alias controller svc-https dst-nat 8081
    user any svc-http dst-nat 8080
    user any svc-https dst-nat 8081
    user any svc-http-proxy1 dst-nat 8088
    user any svc-http-proxy2 dst-nat 8088
    user any svc-http-proxy3 dst-nat 8088
    any host 10.10.2.200 any permit


    4) I don't fully understand the last point about creating an alias, but based on the ACLs and what I see on the client and firewall I am quite sure the client has access to the clearpass without any problem
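Replies 7 to 9 hinge on two things that can be read straight off the pasted controller config: the order in which the session ACLs are applied to the guest-logon role, and whether that role explicitly permits the ClearPass host that serves the login page. The script below is an added example written for this thread, not code from the thread's posters or from HPE Aruba: it parses the small subset of ArubaOS output shown above (the user-role block and the two IPv4 session ACLs, embedded as a constructed sample), reports the ACL order, and checks for the ClearPass permit and the dst-nat redirect rules. The ordering finding only restates what reply 8 asked for; reply 9 reports that the reorder produced a different failure, so treat it as a thing to verify on the controller rather than a proven fix. The `move_acl` helper models the list change of a `position` argument (the keyword reply 6 refers to) and does not generate CLI.

```python
"""Linter for the ArubaOS user-role / session-ACL snippets pasted in this thread.
Added example, not code from the thread or from HPE Aruba; it understands only the
`user-role` and `ip access-list session` lines shown above, not the full grammar."""
import re

# Constructed sample: the guest-logon role and the two IPv4 ACLs as posted in
# reply 7, i.e. with logon-control applied before captiveportal.
SAMPLE_CONFIG = """\
user-role guest-logon
captive-portal "wifi_guest_authentication_profile"
access-list session ra-guard
access-list session logon-control
access-list session captiveportal

ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
any host 10.10.2.200 any permit

ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
any host 10.10.2.200 any permit
"""

CPPM_IP = "10.10.2.200"  # the ClearPass address named in the thread


def parse_config(text):
    """Return (roles, acls): roles maps a role name to its ordered list of
    session ACLs, acls maps an ACL name to its ordered list of rule lines."""
    roles, acls = {}, {}
    role = acl = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            role = acl = None          # a blank line ends the current block
        elif line.startswith("user-role "):
            role, acl = line.split(None, 1)[1], None
            roles[role] = []
        elif line.startswith("ip access-list session "):
            acl, role = line.split()[3], None
            acls[acl] = []
        elif role is not None and line.startswith("access-list session "):
            roles[role].append(line.split()[2])
        elif acl is not None:
            acls[acl].append(line)   # other lines inside a role (e.g. captive-portal) are ignored
    return roles, acls


def move_acl(roles, role, acl, position):
    """Return a copy of roles with `acl` moved to 1-based `position` in `role`,
    modelling the list change a `position` argument makes on the controller."""
    new = {r: list(v) for r, v in roles.items()}
    order = new[role]
    order.remove(acl)
    order.insert(position - 1, acl)
    return new


def check_role(role, roles, acls, cppm_ip=CPPM_IP):
    """Return a list of findings for `role`; an empty list means all checks passed."""
    findings = []
    order = roles.get(role, [])
    if "captiveportal" not in order:
        findings.append("captiveportal ACL is not applied to %s" % role)
    elif "logon-control" in order and order.index("captiveportal") > order.index("logon-control"):
        findings.append("captiveportal is applied after logon-control "
                        "(reply 8 asks for it to come first)")
    # Every ACL in the role is searched for an explicit permit to the CPPM host;
    # without one the client cannot load the ClearPass-hosted login page.
    permit = re.compile(r"^any host %s any permit$" % re.escape(cppm_ip))
    if not any(permit.match(rule) for name in order for rule in acls.get(name, [])):
        findings.append("no ACL in %s permits the ClearPass host %s" % (role, cppm_ip))
    # The redirect to the controller's login handler relies on the HTTPS dst-nat rule.
    if not any("svc-https dst-nat" in rule for rule in acls.get("captiveportal", [])):
        findings.append("captiveportal ACL has no svc-https dst-nat rule")
    return findings


if __name__ == "__main__":
    roles, acls = parse_config(SAMPLE_CONFIG)
    print("order as posted:", roles["guest-logon"], check_role("guest-logon", roles, acls))
    reordered = move_acl(roles, "guest-logon", "captiveportal", 1)
    print("after reorder:  ", reordered["guest-logon"], check_role("guest-logon", reordered, acls))
```

Run as-is, the first line reports the posted order with the single ordering finding, and the second shows that moving captiveportal to position 1 clears it; pointing `check_role` at a different `cppm_ip` shows the missing-permit finding, which is the check to run before trusting that the client can reach the ClearPass page at all.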