Occasional Contributor I

Aruba controller wireless with ClearPass-hosted captive portal

Hello everyone,

 

I am trying to set up a guest Wi-Fi network with a CPPM-hosted captive portal and (after a lot of pain) I got to the point where:

1) client logs in to the SSID (no password)

2) is redirected to the captive portal

3) puts in credentials (authentication is done against the local guest user DB on clearpass)

a) credentials not OK -> captive portal shows "incorrect username and password"
b) credentials OK -> the browser is redirected back to the captive portal and I am in an endless loop

 

Also, on the controller I see the user still in the guest-logon role, so to me it looks like I have a problem with sending the correct user role back to the controller, which on the other hand I am not able to configure in ClearPass since it's WebAuth and not RADIUS.

 

I am clearly missing a few configuration items but have no idea what they are, and the built-in wizards in both the controller and ClearPass are completely useless.

 

Screenshots of the existing configurations are attached; any help is greatly appreciated.

Super Contributor II

Re: Aruba controller wireless with ClearPass-hosted captive portal

Have you tried returning a proper role back to the controller in the enforcement profile? And check what your default guest role is on the controller. This is the role that's assigned if the auth is a success but a role does not get returned with the auth response. The returned or default role should be something like guest and not guest-logon. That would keep returning you back to a captive portal.

 

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
Occasional Contributor I

Re: Aruba controller wireless with ClearPass-hosted captive portal

Hi Dustin,

 

- It's in the screenshots, but basically the initial role is guest-logon and the default role is guest.

- The thing is, with the WebAuth service type you are not able to select anything like "aruba-user-role=guest" in the enforcement profiles like you can in the RADIUS types.

Super Contributor II

Re: Aruba controller wireless with ClearPass-hosted captive portal

Do you have a RADIUS guest authentication service set up? On the controller you would add the ClearPass server as a RADIUS authentication server under the authentication profile, and when the user authenticates against the web auth, those credentials get posted to the secure login page. From there the controller will authenticate those credentials against ClearPass, and it should match the RADIUS service you configure. Then you should be able to return RADIUS CoA and attributes.

Dustin Burns
Senior Mobility and Access Engineer @WEI
ACMX #509 | ACCX #1272 | ACSP | ACDA | ACEP | CCNP | CCDP | CCNA Wireless

If my post addresses your queries, give kudos and accept as solution!
MVP Expert

Re: Aruba controller wireless with ClearPass-hosted captive portal

Have you replaced the controller captive portal profile default certificate with a well-known third-party cert?

Make sure that the captiveportal ACL position is 3 under the guest-logon role.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Aruba controller wireless with ClearPass-hosted captive portal

Dustin - again, it's all in the screenshots, but the problem is that the authentication request comes in to ClearPass as WebAuth and not as RADIUS, therefore the rest is pretty much irrelevant (unless I am able to change it to come in as RADIUS, but for now I have no idea how to achieve that).

Occasional Contributor I

Re: Aruba controller wireless with ClearPass-hosted captive portal

Victor - the captive portal is hosted on ClearPass, not on the controller. The cert has not been replaced yet, so it gives me a warning when I am redirected to the captive portal, but that should not be the root cause?

 

To be honest I am not quite sure I understand the other point; this is the config from the controller:

 

user-role guest-logon
captive-portal "wifi_guest_authentication_profile"
access-list session ra-guard
access-list session logon-control
access-list session captiveportal
access-list session v6-logon-control
access-list session captiveportal6

 

and the ACLs:

ip access-list session ra-guard
ipv6 user any icmpv6 rtr-adv deny

 

ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
any host 10.10.2.200 any permit    <- this is the ClearPass IP

 

ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
any host 10.10.2.200 any permit

 

The two IPv6 ACLs are irrelevant as we are using IPv4 only. Also, the aaa details:

 

aaa authentication captive-portal "wifi_guest_authentication_profile"
server-group "CPPM_svg"
no logout-popup-window
login-page "/guest/captiveportal.php"
no enable-welcome-page
show-acceptable-use-policy

MVP Expert

Re: Aruba controller wireless with ClearPass-hosted captive portal

Please move the ACL "access-list session captiveportal" over the logon-control ACL.

 

In order for the Captive Portal authentication to work properly, you need to replace the controller default certificate (securelogin.arubanetworks.com):

https://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809

 

Also make sure you create an alias for the ClearPass servers and whitelist the servers under your captive portal profile or the logon role, allowing HTTP/HTTPS.

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor I

Re: Aruba controller wireless with ClearPass-hosted captive portal

Hello Victor,

 

Thanks for the inputs.

 

1) I updated the ClearPass cert with one trusted by the client and now the HTTPS warnings are gone.

2) With the original order of ACLs in the guest-logon user role nothing changes: the user is redirected to the captive portal, enters credentials, ClearPass receives it as "webauth" type and says it's accepted, but the user is still showing as guest-logon on the controller and is redirected back to the captive portal login page.

-> Therefore I believe the problem is with the setup of the ClearPass service that should return some response to the controller, but the options are very limited in the WebAuth service type, so I have no idea how to fix it. Also, on the firewall I don't see ClearPass initiating a CoA back to the controller...

 

3) If I change the order of ACLs on the controller, I get a certificate error (and based on the cert it's showing, it looks like I am not redirected to ClearPass but to the controller) and then it just keeps looping in the browser between ".../captiveportal.php" and ".../captiveportal.php?cmd=login&mac=xxx", and I don't even get the login prompt in the browser.

 

ACLs are here:

 

ip access-list session logon-control
user any udp 68 deny
any any svc-icmp permit
any any svc-dns permit
any any svc-dhcp permit
any network 169.254.0.0 255.255.0.0 any deny
any network 240.0.0.0 240.0.0.0 any deny
any host 10.10.2.200 any permit

 

ip access-list session captiveportal
user alias controller svc-https dst-nat 8081
user any svc-http dst-nat 8080
user any svc-https dst-nat 8081
user any svc-http-proxy1 dst-nat 8088
user any svc-http-proxy2 dst-nat 8088
user any svc-http-proxy3 dst-nat 8088
any host 10.10.2.200 any permit

 

4) I don't fully understand the last point about creating an alias, but based on the ACLs and what I see on the client and the firewall I am quite sure the client has access to ClearPass without any problem.
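The ACL-ordering question running through the last few posts (moving captiveportal over logon-control, and the controller-certificate loop seen afterwards) is easier to reason about with a small model. This is an added example, not code from the thread or from Aruba: it parses the guest-logon ACLs posted above and applies top-down, first-match evaluation (an assumption about how ArubaOS session ACLs are processed) to show which rule guest HTTPS toward the ClearPass host hits under each ordering; the controller address 10.10.2.1 used for the "controller" alias is a constructed value.

```python
"""Simulate first-match session-ACL evaluation for the posted guest-logon role.
Assumptions (not verified in the thread): rules are checked top-down across the
role's ACLs in order, first match wins; only rule shapes seen in the config parse."""
import ipaddress

CLEARPASS = "10.10.2.200"   # ClearPass address from the thread
CONTROLLER = "10.10.2.1"    # constructed address for the 'controller' alias

ACLS = {  # copied from the IPv4 ACLs posted in the thread
    "logon-control": [
        "user any udp 68 deny", "any any svc-icmp permit", "any any svc-dns permit",
        "any any svc-dhcp permit", "any network 169.254.0.0 255.255.0.0 any deny",
        "any network 240.0.0.0 240.0.0.0 any deny", f"any host {CLEARPASS} any permit"],
    "captiveportal": [
        "user alias controller svc-https dst-nat 8081", "user any svc-http dst-nat 8080",
        "user any svc-https dst-nat 8081", "user any svc-http-proxy1 dst-nat 8088",
        "user any svc-http-proxy2 dst-nat 8088", "user any svc-http-proxy3 dst-nat 8088",
        f"any host {CLEARPASS} any permit"],
}

def parse_rule(rule):
    """Split '<src> <dst> <service> <action>' into (dst, service, action)."""
    t = rule.split()
    i = {"host": 3, "alias": 3, "network": 4}.get(t[1], 2)
    dst = ("network", ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False)) if i == 4 else tuple(t[1:i])
    if t[i].startswith("svc-") or t[i] == "any":
        svc, i = t[i], i + 1
    else:                                   # protocol + port, e.g. 'udp 68'
        svc, i = f"{t[i]} {t[i + 1]}", i + 2
    return dst, svc, " ".join(t[i:])

def dst_matches(dst, ip):
    if dst[0] == "alias":                   # only 'alias controller' occurs in the config
        return ip == CONTROLLER
    return dst[0] == "any" or (dst[0] == "host" and ip == dst[1]) or (
        dst[0] == "network" and ipaddress.ip_address(ip) in dst[1])

def first_match(role_order, dst_ip, service):
    """First matching (acl, rule, action) for a guest flow, or None (implicit deny)."""
    for acl in role_order:
        for rule in ACLS[acl]:
            dst, svc, action = parse_rule(rule)
            if dst_matches(dst, dst_ip) and svc in (service, "any"):
                return acl, rule, action
    return None

def https_to_clearpass(role_order):
    """Action the role applies to guest HTTPS toward ClearPass for a given ACL order."""
    hit = first_match(role_order, CLEARPASS, "svc-https")
    return hit[2] if hit else "implicit deny"
```

With logon-control first the ClearPass host rule is reached and the flow is permitted; with captiveportal first the generic svc-https dst-nat rule matches before the ClearPass permit at the bottom of that ACL, so the flow is redirected to the controller's port 8081 instead.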
