
Basic Clearpass deployment question

  • 1.  Basic Clearpass deployment question

    Posted Jan 29, 2014 11:24 AM

    How do I send a successful authentication (specifically a VSA) from the new version of CPPM (guest)?

     

    I am finding the integration between the two products confusing, due to my lack of familiarity.

     

    I have used a template and I have got the captive portal set up and get the splash page and authenticate, but in Access Tracker I see no output from the authentication attempt, except an enforcement profile (which is positive). I am also a little concerned that the controller's NAS ID is not in the packet, so if it sends back a VSA I guess the role change may not go into effect.

     

    Has anyone come across a similar situation?

     

    thanks



  • 2.  RE: Basic Clearpass deployment question

    Posted Jan 29, 2014 12:06 PM
    Basically I am not getting the role change on the controller after successful webauth on the captive portal


  • 3.  RE: Basic Clearpass deployment question

    EMPLOYEE
    Posted Jan 29, 2014 12:31 PM

    Nik,

     

    Are you using a username and password that is already defined?  The controller has a Default Role in the L3 > Captive Portal Authentication Profile that users will get if no VSA is sent back.  Are you saying that you are not happy with that role and you want to change it, or do you want to send back a different role for a different class of users?  A simple positive authentication will have users placed into the role in the Captive Portal Authentication Profile.  Do you want to define a different role to be sent back via VSA?

     

     



  • 4.  RE: Basic Clearpass deployment question

    Posted Jan 29, 2014 12:47 PM
    That would be perfect. But where do I define the NAS? In the old Amigopod you defined these manually. There are no options like this anymore. I also have multiple controllers that may need this authentication accept message.


  • 5.  RE: Basic Clearpass deployment question

    EMPLOYEE
    Posted Jan 29, 2014 12:50 PM

    You define the NAS in ClearPass under Configuration > Network > Devices.  As long as you have it defined there, you do not have to specify the NAS in the service...  ClearPass will process an incoming authentication request from any device in the Network Devices list.



  • 6.  RE: Basic Clearpass deployment question

    Posted Jan 29, 2014 01:03 PM
    Great, OK, I will check my config work there, and I guess if I need a specific VSA I can just customise the enforcement profile?


  • 7.  RE: Basic Clearpass deployment question

    EMPLOYEE
    Posted Jan 29, 2014 01:09 PM
    Yes. You just add an Aruba-User-Role VSA to your enforcement profile.
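
To show what that VSA looks like on the wire and why the shared key on the controller must match the one in ClearPass, here is an added Python example (not code from this thread or from Aruba). It encodes Aruba-User-Role (vendor ID 14823, attribute 1 in Aruba's RADIUS dictionary) into an Access-Accept and checks the RFC 2865 Response Authenticator on receipt; the role name, shared secrets and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

ARUBA_VENDOR_ID = 14823   # Aruba's IANA enterprise number
ARUBA_USER_ROLE = 1       # Aruba-User-Role in the Aruba RADIUS dictionary
ACCESS_ACCEPT = 2         # RADIUS code for Access-Accept
VENDOR_SPECIFIC = 26      # RADIUS attribute type carrying VSAs

def aruba_role_vsa(role):
    """Encode Aruba-User-Role as a Vendor-Specific (type 26) attribute."""
    value = role.encode()
    sub = struct.pack("!BB", ARUBA_USER_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", ARUBA_VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept with the RFC 2865 Response Authenticator."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs

def check_accept(packet, request_auth, secret):
    """Return (authenticator_ok, role) for a received Access-Accept."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    ok = code == ACCESS_ACCEPT and hmac.compare_digest(expected, packet[4:20])
    role, i = None, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            break  # malformed attribute: stop parsing
        val = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(val) >= 6:
            (vendor,) = struct.unpack("!I", val[:4])
            if vendor == ARUBA_VENDOR_ID and val[4] == ARUBA_USER_ROLE:
                role = val[6:4 + val[5]].decode()
        i += alen
    return ok, role

# Constructed sample values, not taken from any real deployment.
REQ_AUTH = bytes(range(16))
PACKET = build_accept(7, REQ_AUTH, b"sample-shared-key", aruba_role_vsa("guest-auth"))
```

With a mismatched key the VSA still parses, but the authenticator check fails, so a RADIUS client that validates replies discards the packet and the role is never applied.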


  • 8.  RE: Basic Clearpass deployment question

    Posted Jan 29, 2014 01:10 PM
    Great stuff thanks again for your help


  • 9.  RE: Basic Clearpass deployment question

    Posted Jan 30, 2014 10:06 AM

    Right, what is happening is I am not getting any entries on the access tracker.

     

    When I put a proper password in the captive portal on my Windows machine it hangs and goes to an HTTP 404, and on my Linux test machine I get an access denied in the redirected URL

     

    Any ideas?



  • 10.  RE: Basic Clearpass deployment question

    Posted Jan 30, 2014 10:34 AM

    I get precisely the same error if I log in successfully to the login page during the page testing

     

    I reckon it looks like the controller is not passing its IP address to the weblogin

     



  • 11.  RE: Basic Clearpass deployment question

    EMPLOYEE
    Posted Jan 30, 2014 10:37 AM

    If you are not getting entries in Access Tracker, check the event viewer to see if there are any errors or issues in there.



  • 12.  RE: Basic Clearpass deployment question

    Posted Jan 30, 2014 11:20 AM

    Thanks - checked there and nothing apparently relevant

     

    I'll open a case and work with TAC then post up what happened - anyone got any ideas before that -  please feel free to share :)



  • 13.  RE: Basic Clearpass deployment question

    Posted Jan 30, 2014 12:21 PM

    Thanks a million to cjoseph



  • 14.  RE: Basic Clearpass deployment question

    Posted Jan 30, 2014 03:19 PM
    I will post up a diagram and explanation soon


  • 15.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 08:21 AM

    Hi Nik... Am facing the same issue... can you see the Alerts in Access Tracker? Tell me if anything needs to be enabled in ClearPass?



  • 16.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 08:58 AM
    Make sure the "add switch ip" tick box is checked so any CoA is sent to the right controller and that you have your RFC 3576 servers defined under the right authentication profiles.... with correct keys!!!!!


  • 17.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 08:59 AM
    Oh yep, this was a controller problem... nothing to do with CPPM, just my config work on the controllers


  • 18.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 09:12 AM
    Am using IAP and Trapeze controller... I already enabled RFC in IAP but still it's not showing any alerts in ClearPass and am not sure how to enable RFC in Trapeze controller....


  • 19.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 09:30 AM
    Ok so what's your deployment scenario? Captive portal?


  • 20.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 09:35 AM
    How many controllers have you got... I have not even heard of Trapeze, sorry, but guessing it works on RADIUS if you want to bounce some ideas around? Did you get anything in the CPPM event viewer btw?


  • 21.  RE: Basic Clearpass deployment question

    Posted Apr 10, 2014 09:40 AM
    Trapeze now known as Juniper wireless.. of course dot1x will work with Trapeze.. I have both captive portal and dot1x in my scenario... Nothing in event viewer as well....