Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ArubaOS 8 - Guest / Clearpass issue

  • 1.  ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 27, 2019 08:53 AM

    Dear Experts,

    I am trying to configure a 7005 (running 8.3) with CPPM Guest (6.7). I have uploaded the cert (wildcard) of my company and am able to access the web GUI of the controller easily. My web-server profile is as per attached. I have configured the roles and everything, and when I connect my user device to a-guest (SSID) I am able to get the IP, ping the DNS server, and resolve the IP of bbc.com (for example) without any issue, but when I open the browser, it doesn't redirect me to my CPPM portal page. Can someone advise what I might be doing wrong, and also what I need to enter on the CPPM self-registration side? Can I enter mc1.mycompany.com.pk? (mycompany.com.pk will be replaced with my actual domain)



  • 2.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 27, 2019 09:29 AM
    Can you share the ACLs under the captive portal role?


  • 3.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 29, 2019 04:07 AM

    Dear Victor, please find below:


    Role name: a-guest-guest-logon

    user-role a-guest-guest-logon
    captive-portal "a-guest"
    access-list session global-sacl
    access-list session apprf-a-guest-guest-logon-sacl
    access-list session http-traffic
    access-list session logon-control


    ip access-list session http-traffic
    any host 192.168.30.201 svc-http permit
    any host 192.168.30.201 svc-https permit
    any host 192.168.30.100 svc-http permit
    any host 192.168.30.100 svc-https permit
    user host 192.178.30.100 svc-http permit
    user host 192.168.30.201 svc-http permit
    user host 192.168.30.201 svc-https permit
    user host 192.168.30.100 svc-https permit
    user host 192.168.30.100 svc-http permit

     

    ip access-list session logon-control
    user any udp 68 deny
    any any svc-icmp permit
    any any svc-dns permit
    any any svc-dhcp permit
    any any svc-natt permit
    any network 169.254.0.0 255.255.0.0 any deny
    any network 240.0.0.0 240.0.0.0 any deny

     

    When I connect my mobile, I am getting the correct role (a-guest-guest-logon) and I am able to resolve any public domain as well, which means DNS queries are just fine. When I try to browse anything, it doesn't redirect me to the captive portal; if I type the address of CPPM or Captive-portal-login.<my-domain>, it doesn't open the page either.

    Any idea what I might be doing wrong?



  • 4.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 29, 2019 07:48 AM

    Dear,

    I have simplified the access-list using http-traffic only. Below is the excerpt now. I am able to manually open the CPPM page successfully, but when I connect my mobile, it shows no internet and doesn't automatically pop up the CP. Also, when I try to manually enter any public website in the browser, it neither reloads nor redirects. I was testing on 8.3; I have now upgraded to 8.5 but still have the same issue.

    I am attaching the configuration, in case anyone can help work out what I might be doing wrong.


    Attachment(s): Controller.txt (48 KB)


  • 5.  RE: ArubaOS 8 - Guest / Clearpass issue
    Best Answer

    Posted Aug 29, 2019 08:27 AM
    You need the captiveportal ACL, which forces the client to get redirected to the captive portal page:
    Note: Replace the under the netdestination for the ClearPass real IPs

    netdestination clearpass-server
    host
    host
    !
    aaa authentication captive-portal "a-guest"
    white-list "clearpass-server"
    !
    user-role a-guest-guest-logon
    access-list session captiveportal
    access-list session logon-control
    !

    Try replacing the
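
The rule in the answer above (a role that references a captive-portal profile also needs the captiveportal session ACL) can be checked mechanically against a controller config export. This is an added example, not part of the thread or of any Aruba tooling; the sample config is constructed from the role posted earlier, and the role name a-guest-fixed and the function names are hypothetical.

```python
import re

# Constructed sample: the role as posted in reply 3 (no captiveportal ACL),
# plus a hypothetical role laid out the way the accepted answer suggests.
SAMPLE_CONFIG = '''
user-role a-guest-guest-logon
    captive-portal "a-guest"
    access-list session global-sacl
    access-list session apprf-a-guest-guest-logon-sacl
    access-list session http-traffic
    access-list session logon-control
!
user-role a-guest-fixed
    captive-portal "a-guest"
    access-list session captiveportal
    access-list session logon-control
!
user-role authenticated
    access-list session allowall
!
'''

def parse_roles(config):
    """Return {role: {"cp_profile": str or None, "acls": [names in order]}}."""
    roles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("user-role "):
            current = line.split(None, 1)[1].strip('"')
            roles[current] = {"cp_profile": None, "acls": []}
        elif line == "!":
            current = None  # "!" closes a stanza in the config export
        elif current is not None:
            # Anchored at line start, so "ip access-list session ..." and
            # "aaa authentication captive-portal ..." never match here.
            m = re.match(r'captive-portal\s+"?([^"]+)"?$', line)
            if m:
                roles[current]["cp_profile"] = m.group(1)
            m = re.match(r'access-list\s+session\s+"?([^"\s]+)"?', line)
            if m:
                roles[current]["acls"].append(m.group(1))
    return roles

def roles_missing_redirect_acl(config, redirect_acl="captiveportal"):
    """Roles that reference a captive-portal profile but never apply redirect_acl."""
    return sorted(name for name, r in parse_roles(config).items()
                  if r["cp_profile"] and redirect_acl not in r["acls"])

if __name__ == "__main__":
    for role in roles_missing_redirect_acl(SAMPLE_CONFIG):
        print(f"{role}: captive-portal profile set, no 'captiveportal' session ACL")
```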


  • 6.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 29, 2019 08:49 AM

    Dear Victor,

    I made the changes and got it to work, but now I am stuck at login. When I register the user and press login, it gives the error below. Can you please help to resolve this issue?


    https://captiveportal-login.<mydomain>/cgi-bin/

     

    This captiveportal-login.mydomain page can’t be found

    No webpage was found for the web address: https://captiveportal-login.mydomain/cgi-bin/

    HTTP ERROR 404


  • 7.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 29, 2019 09:18 AM
    Did you replace the default controller certificate? If so, make sure it is applied under the Captive Portal Certificate (Configuration > System > More > General).



  • 8.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 29, 2019 09:25 AM

    Yes, I replaced the default certificate with a wildcard. I have also applied it under the location you mentioned. Below is the output of the web-server profile:


    Web Server Configuration
    ------------------------
    Parameter                                          Value
    ---------                                          -----
    Cipher Suite Strength                              high
    SSL/TLS Protocol Config                            tlsv1 tlsv1.1 tlsv1.2
    Switch Certificate                                 MC1
    Captive Portal Certificate                         MC1
    IDP Certificate                                    MC1
    Management user's WebUI access method              username/password
    User absolute session timeout <30-3600> (seconds)  0
    User session timeout <30-3600> (seconds)           900
    Maximum supported concurrent clients <25-320>      75
    Enable WebUI access on HTTPS port (443)            false
    Enable bypass captive portal landing page          false
    Exclude Security Headers from HTTP Response        false
    VIA client-cert port number                        8085

     

    It's not able to find the particular URL.



  • 9.  RE: ArubaOS 8 - Guest / Clearpass issue

    Posted Aug 29, 2019 10:59 AM

    Dear Experts,

    Any hint on what I might be missing? I had it all working (except the wildcard cert) back in 6.5 code. I am not sure what I am missing here; I have been trying for hours to get it to work :(

    I have enabled switch certificate + server certificate (both are the same wildcard cert). But when I press the log in button on the CP page, I get redirected to captiveportal-login.mydomain with a blank page. No activity can be seen in Access Tracker or Event Viewer.

    Any ideas please?