Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CP-Guest and CPPM not talking

  • 1.  CP-Guest and CPPM not talking

    Posted Mar 07, 2014 04:02 PM

    Or rather, CPPM doesn't recognize the WEBAUTH request from Guest...

     

    I’ve used the Policy Manager “service templates” to make a pre-auth service for the webauth from Guest, and the actual auth requests from Guest don’t match the service profile, so they’re getting denied.

     

    Some advice on getting the Guest requests to match the webauth service (both built-in or wizard generated, so I’d expect them to work)

     

    Capture.PNG

     

    For the intrepid reader, here's the log of the request:

    Request log details for session: W00000006-01-531a3038
    Time 	Message
    2014-03-07 13:46:48,679 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.dhcp.snooper.request.MacLookupRequestHandler - No MAC address exists for ip 10.10.6.31
    2014-03-07 13:46:48,679 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] INFO com.avenda.tips.webauthservice.reqhandlers.RequestUtils - Failed to get macAddress from dhcpSnooper, reason=No MAC address found
    2014-03-07 13:46:48,679 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] WARN com.avenda.tips.webauthservice.NadProvider - Cannot find NAD IP since client MAC is not known
    2014-03-07 13:46:49,593 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915527 h=79 r=W00000006-01-531a3038] ERROR Core.ServiceReqHandler - doServiceClassification: Error. Ret code=0 response list size=0
    2014-03-07 13:46:49,596 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService
    2014-03-07 13:46:49,601 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] WARN Common.MacAddrAttrProvider - HostMac missing, not populating different mac representations
    2014-03-07 13:46:49,601 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found
    2014-03-07 13:46:49,601 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO Common.TagDefinitionCacheTable - No InstanceTagDefCacheMap found for instance id = 0 entity id = 29
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] WARN Common.TagDefinitionCacheTable - Failed to build TagDefinitionMap. Unknown NadClient for Id=0
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrHolderBuilder - No tags built for instanceId=0|entity=Device
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.AluTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL AuthLocalUser)
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.GuTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL GuestUser)
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.EndpointTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Endpoint)
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.OnboardTagAttrHolderBuilder - buildAttrHolder: Tags cannot be built for instanceId=0 (NULL Onboard Device User)
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 h=7582725 c=W00000006-01-531a3038] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Started ***
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 h=7582726 c=W00000006-01-531a3038] ERROR Core.PETaskOutputPolicyRes - computeAndOutputResponse: Failed get service config
    2014-03-07 13:46:49,602 	[RequestHandler-1-0x7f68d6ff7700 r=W00000006-01-531a3038 h=7582725 c=W00000006-01-531a3038] INFO Core.PETaskScheduler - *** PE_TASK_SCHEDULE_OUTPUT_ERROR Completed ***
    2014-03-07 13:46:49,604 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.policy.ChainedPolicyClient - Policy evaluation request failed with statusCode=StatusInvalidParam
    2014-03-07 13:46:49,604 	[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform chained policy-evaluation and enfProfiles

     



  • 2.  RE: CP-Guest and CPPM not talking

    Posted Mar 07, 2014 04:17 PM

    OK, one step closer - I found that I had left the ".php" off of the portal URL in the iAP configuration.

    Fixing that makes the portal pages load correctly, but now I get a RADIUS accept followed by the same WEBAUTH reject I included above.

     

    Still puzzled.



  • 3.  RE: CP-Guest and CPPM not talking

    EMPLOYEE
    Posted Mar 07, 2014 04:38 PM

    Look at the input tab and see what is not matching your guest service.

     



  • 4.  RE: CP-Guest and CPPM not talking

    Posted Mar 07, 2014 04:43 PM

    The Input tab is disturbingly empty:

    Capture.PNG

     

    I've come to suspect that my issue is in the Web Login settings in Guest, Configuration.

    I've set the VendorSettings to Captive Portal with ClearPass Web Auth.

     

    Should I be using something else?



  • 5.  RE: CP-Guest and CPPM not talking

    EMPLOYEE
    Posted Mar 07, 2014 04:39 PM

    Can you post some screenshots of the service?



  • 6.  RE: CP-Guest and CPPM not talking

    Posted Mar 07, 2014 04:46 PM

    The service summary page:

    Capture.PNG



  • 7.  RE: CP-Guest and CPPM not talking

    Posted Mar 07, 2014 05:34 PM
    Your registration page is not configured properly.


  • 8.  RE: CP-Guest and CPPM not talking

    EMPLOYEE
    Posted Mar 07, 2014 05:48 PM

    Is this a pre-registration auth check or a guest self registration?



  • 9.  RE: CP-Guest and CPPM not talking

    Posted Mar 07, 2014 05:53 PM

    I believe pre-registration auth check.

     

    I'm trying to recreate the process we follow now on controller-based-portal: Reception and Helpdesk create guest accounts and set start/end dates/times, and users who connect to the SSID get a captive-portal where they type in the pre-assigned credentials.

     

    I’ve tried setting vendor in the Web Login settings (on Guest) to “Captive Portal with ClearPass Web Auth,” “Aruba Networks, and Server-Initiated – Change of authorization (RFC 3576) sent to controller,” and “Controller-Initiated – Guest Browser performs HTTP form submit.”

     

    The Captive Portal one appears to make a WEBAUTH attempt to CPPM, but fails to identify itself, so CPPM rejects it.

    The Server and Controller Initiated ones make a good RADIUS request, then a bad WEBAUTH just like the Captive Portal.

     

    Has anyone got an example where they've done the simple-form captive portal?



  • 10.  RE: CP-Guest and CPPM not talking

    EMPLOYEE
    Posted Mar 07, 2014 05:59 PM

    In your web login form, try changing Pre-auth check to "none". This will then post the credentials the users enter to the controller. The controller then makes a WebAuth request to ClearPass so you'll need a service like below:

     

    guest-web-auth.PNG



  • 11.  RE: CP-Guest and CPPM not talking

    Posted May 21, 2014 10:02 AM

    Did anything get figured out with this? I've seen the same behavior recently using the guest service creation wizard and Aruba/CPPM integration guide. 



  • 12.  RE: CP-Guest and CPPM not talking
    Best Answer

    Posted May 21, 2014 01:07 PM

    msabin, I got this sorted out. It was the mac field in the registration page form. 

     

    The ‘mac’ field in the guest self-registration form has to be enabled in scenarios where we use a CoA. A typical example would be when using a captive-portal behind a captive-portal page setup. We can only redirect client devices to a single captive portal page using a controller. When the captive portal form is customized in a way where the users have to click on a specific option (for example, guest users click here, staff users click here) to get to a different captive portal page, the users will be prompted to enter the credentials only on the second captive portal page. Since in the second captive portal page the login method cannot be controller initiated, we use server initiated. So in the second captive portal page, when the user enters the credentials, since it's server initiated, we need a webauth service created in the policy manager, and the appropriate enforcement profile will force a CoA which will be sent to the controller to change the role accordingly.

     

    After disabling the MAC field, I no longer receive the extra webauth request.
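
A triage helper for request logs like the one in post 1: it groups lines by session ID and collects the attributes the log reports as missing alongside the failure reason. This is an added example, not part of the thread or of any ClearPass tooling; the regular expressions and the `triage` function are assumptions based only on the log lines shown above.

```python
import re
from collections import defaultdict

# Four lines copied from the request log in post 1 of this thread (the rest omitted).
SAMPLE_LOG = "\n".join([
    "2014-03-07 13:46:48,679 \t[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.dhcp.snooper.request.MacLookupRequestHandler - No MAC address exists for ip 10.10.6.31",
    "2014-03-07 13:46:49,596 \t[ajp-apr-8009-exec-10] R:W00000006-01-531a3038] ERROR com.avenda.tips.webauthservice.WebAuthHandler - Failed to perform webauth, reason=FailedToClassifyRequestToService",
    "2014-03-07 13:46:49,601 \t[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:NAD-IP-Address is not found",
    "2014-03-07 13:46:49,601 \t[RequestHandler-1-0x7f68d6ff7700 r=psauto-1381445979-915528 h=83 r=W00000006-01-531a3038] INFO TAT.TagAttrTableUtil - buildTagAttrTableInput: Connection:Client-Mac-Address is not found",
])

# Line layout assumed from those samples: timestamp, [thread context], level, logger, message.
LINE = re.compile(r"^(\S+ \S+)\s+\[(.*?)\]\s+(ERROR|WARN|INFO|DEBUG)\s+(\S+) - (.*)$")
SESSION = re.compile(r"(?:R:|r=|c=)(W[0-9A-Fa-f]+-\d+-[0-9A-Fa-f]+)")
MISSING_ATTR = re.compile(r"Connection:(\S+) is not found")
NO_MAC = re.compile(r"No MAC address exists for ip (\S+)")
FAIL_REASON = re.compile(r"reason=(\w+)")


def triage(log_text):
    """Return {session_id: summary} for each session seen in the log text."""
    sessions = defaultdict(lambda: {"client_ip": None, "missing": [], "reasons": [], "errors": 0})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip the "Time  Message" header and blank lines
        _ts, ctx, level, _logger, msg = m.groups()
        sid = SESSION.search(ctx)
        if not sid:
            continue
        s = sessions[sid.group(1)]
        if level == "ERROR":
            s["errors"] += 1
        if (ip := NO_MAC.search(msg)):
            s["client_ip"] = ip.group(1)
        if (attr := MISSING_ATTR.search(msg)) and attr.group(1) not in s["missing"]:
            s["missing"].append(attr.group(1))
        if level == "ERROR" and (reason := FAIL_REASON.search(msg)):
            s["reasons"].append(reason.group(1))
    return dict(sessions)


if __name__ == "__main__":
    for session_id, summary in triage(SAMPLE_LOG).items():
        print(session_id, summary)
```
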