ArubaOS 8 + Clearpass Captive Portal

  • 1.  ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 18, 2019 04:09 PM

    Hi, are there any tutorials for doing Clearpass Captive Portal authentication (like Herman Robers does in workshop series) with ArubaOS 8 mobility controllers?

     

    I tried using the simple wizard to create an external authentication portal, but it seems that the controller wants to manage the redirection and everything. Instead I'd like the controller to send MAC auth first to CPPM, then CPPM would send back the Captive Portal role if the MAC is not known, and if it is known then just return the guest role.

     

    Currently I'm not getting the MAC authentication to CPPM at all. Not very familiar with the Aruba setup so I was hoping for a guide/tutorial to explain how it should be configured on the controller side. Herman Robers' videos are great though.

     

    Thanks!



  • 2.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 18, 2019 04:43 PM
    Make sure you assign the L2 mac auth profile and ClearPass server group in the AAA Profile



  • 3.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 18, 2019 04:51 PM

    Thanks, got further by adding MAC authentication under AAA profile and adding the correct servers under MAC Authentication Server Group. (Went with just the default MAC auth setting).

     

    I also checked "Download Role from CPPM" from the main AAA profile level but not sure if this is needed.

     

    Seems that if I have the endpoint set up properly in the CPPM, access is granted as it should (I just used default guest profile but that seems to be enough). 

     

    One important command to run from mobility controller CLI is 'aaa user delete all' (or narrow it down if it's a production setup) for anyone else reading this later... have to figure out how long this AAA info is cached.

     

    For unknown clients I'm still facing issues with the actual captive portal. I get the correct "jua181 guest-guest-logon" role that redirects to captive portal, and from the client I get redirected to:

     

    https://cppm1.hostname.net/guest/juatest.php?cmd=login&mac=14:ab:c.... url but it keeps reloading it every 2 seconds or so and doesn't show the actual logon page. (We had some kind of working logon page already so it should be working, and I can open it if I copy paste that whole url to another computer's browser)



  • 4.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 18, 2019 06:00 PM
    You don’t need to enable the download role from ClearPass



    Thank you

    Victor Fabian



  • 5.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 18, 2019 06:04 PM

    Ah that's true. I disabled the "Download Role from CPPM" checkbox and I can still return "Aruba-User-Role = guest" from CPPM, and the guest role shows when I check the active clients from the mobility controller.



  • 6.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 18, 2019 06:17 PM

    Also figured out that the default role had a policy that always redirects http/https to port 8080/8081. And those policies affected the traffic going to CPPM. I added rules to allow user --> CPPM traffic for ports 80/443 and was able to see the Captive Portal page.

     

    However after I clicked the login button, it gets redirected to https://guestlogin.domain.net/cgi-bin/ but I get 404 response. If I ping guestlogin.domain.net I get the mobility controller's IP address, so DNS interception should be OK. I have installed guestlogin.domain.net certificate to the mobility controller and selected it as the captive portal certificate. Seems I still have some knob I need to turn on to get this working....

     

    If I open https://guestlogin.domain.net/ without the /cgi-bin/ part I get the mobility controller's admin login page.
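
The rule ordering described in the post above, written out as an ArubaOS configuration sketch. This is an added example, not configuration posted by anyone in the thread: the names `cppm-portal`, `allow-cppm-portal` and `example-guest-logon` and the address 192.0.2.10 are placeholders, and the redirecting policy is assumed to be the predefined `captiveportal` session ACL.

```text
! Added example; names and the address are placeholders, not from the thread.
! Alias for the ClearPass server that hosts the guest portal page.
netdestination cppm-portal
  host 192.0.2.10
!
! Permit only web traffic from the user to ClearPass, nothing wider.
ip access-list session allow-cppm-portal
  user alias cppm-portal svc-http permit
  user alias cppm-portal svc-https permit
!
! Before: session ACLs are evaluated first-match, so the redirect policy
! catches the client's HTTP/HTTPS to ClearPass and dst-nats it to the
! controller (8080/8081). The portal URL is requested but never loads.
!
!   user-role example-guest-logon
!     access-list session logon-control
!     access-list session captiveportal
!
! After: the ClearPass permit sits ahead of the redirect policy, so portal
! traffic reaches ClearPass and everything else is still redirected.
user-role example-guest-logon
  access-list session allow-cppm-portal position 1
  access-list session logon-control
  access-list session captiveportal
```

`show rights example-guest-logon` on the controller lists the role's rules in the order they are evaluated, which confirms whether the permit actually landed above the redirect entries.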



  • 7.  RE: ArubaOS 8 + Clearpass Captive Portal

    EMPLOYEE
    Posted Mar 19, 2019 05:53 AM

    Two hints:

     

    1. Check if you need to set the correct IP using the command "ip cp-redirect" on the controller and configure the logon ACLs accordingly, see user guide.

     

    2. You may need to configure the official certificate not only to be used as the captive portal certificate but also as the switch (which means controller) certificate. So something like this in the config:

     

    web-server profile
      switch-cert "official-cert"
      captive-portal-cert "official-cert"



  • 8.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Mar 20, 2019 06:09 AM

    Thanks for the tips. I added the cert as a mgmt cert also and rebooted controller. Currently I'm in a situation where after connecting to WLAN I'm redirected to the correct CPPM page. CPPM somewhat correctly then tries to redirect traffic back to controller, but currently it fails for some reason. I'm being redirected to

     

    https://guestlogin.domain.net/cgi-bin/login?errmsg=Access%20denied

     

    If I try to open just https://guestlogin.domain.net I'm getting controller admin login page, so the DNS interception is OK 



  • 9.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Sep 16, 2019 12:47 PM

    Hi

     

    Were you able to solve the issue? I have the same problem. I'm trying to change the CP certificate but the URL adds /cgi-bin/login at the end of the FQDN and doesn't resolve to the controller; nonetheless, if I use another certificate I had for another client it works.

     

    I tested the new certificate on an instant AP and I had no problems, so it's correctly issued.

     

    Do you have any recommendations?

     

    Thanks



  • 10.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Sep 18, 2019 09:27 AM

    Does anybody have any clue on how to solve this? We have tried everything and it doesn't work.

    I used the same certificate in a lab environment with a controller on 8.5.0.0 and ClearPass 6.7 and it works fine.








  • 11.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Jan 08, 2020 10:58 AM

    Hi guys,


    I have a similar problem. The redirect to the clearpass-captive-portal reloads the page every 2 seconds. For testing I'm using the same wildcard-certificate on the Aruba Wireless Controller and the ClearPass. I've configured everything like Herman Robers in his "Aruba ClearPass Workshop" on YouTube...

    I'm using a Virtual Mobility Master and a Mobility Controller with ArubaOS 8.4.0.6 and ClearPass 6.8.3. The unauth-WiFi-Guest can use DNS and ping to ClearPass is also possible. However, the website of the ClearPass is available from the Guest-VLAN without the Mobility-Controller.

     

    I think fixes this issue by adding http/https-rules to the guest-role. I also tried this but these rules never appear within the rules of that guest-logon role.

    Also figured out that the default role had a policy that always redirects http/https to port 8080/8081. And those policies affected the traffic going to CPPM. I added rules to allow user --> CPPM traffic for ports 80/443 and was able to see the Captive Portal page.

    Does someone have an idea how to find the issue in my configuration?

    PS: I'm not very familiar with the Aruba Mobility CLI...



  • 12.  RE: ArubaOS 8 + Clearpass Captive Portal

    EMPLOYEE
    Posted Jan 08, 2020 11:38 AM

    What are the contents of the "login page" parameter in your Captive Portal Authentication profile?

     



  • 13.  RE: ArubaOS 8 + Clearpass Captive Portal

    Posted Jan 09, 2020 03:48 AM

    I'm not really sure which parameters you mean. (I'm trying to use a self-registration-page from the Guest-portal.)
    These ones in the ClearPass Services "Guest MAC Authentication" or "Guest User Authentication with MAC Caching"? The one from the ClearPass Guest Portal -> Edit -> "Login Page"? Or something else?

    The test-guest-client never reaches any page of the Captive-Portal. In the attached picture you can see the behavior of my client after starting the browser and the content of the "empty" redirecting/reloading page.



  • 14.  RE: ArubaOS 8 + Clearpass Captive Portal

    EMPLOYEE
    Posted Mar 18, 2019 04:59 PM

    You find step by step instructions in the "Mobile First Base Designs Lab for ArubaOS 8".

     

    Guest instructions start at page 145:

     

    https://www.arubanetworks.com/assets/vrd/MobileFirstBaseDesignsLab_ArubaOS8.pdf