Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

  • 1.  CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

    Posted Dec 17, 2015 03:22 PM

    So currently, we have 3 CPPM servers in a cluster, with two of them in one physical location in a HA VIP configuration. We want to break this HA and send one of those servers to another location and reform the cluster as 3 geo-redundant CPPMs in a single cluster. 
    We are only using the CPPM for our Guest Self-Registration Portal currently.

    First thing I needed to do was to point our Aruba Master controller Server Groups and Captive Portal from what it's set to now ( uschttcpgp00 ), which is the VIP, to the physical Publisher server ( uschttcpgp01 ) Data IP. On the Aruba Master controller, I went to the Radius Servers and chose the one we use for Guest and changed the IP to the IP of the CPGP01 server instead of CPGP00. Then I went to the L3 Authentication Captive Portal page and simply changed the Login page to point to CPGP01 instead of CPGP00. 
    When I did this and tested, users were never getting sent to the Guest Self-Registration page, instead it would just constantly refresh and nothing would ever happen. In the Access Tracker, I would see the MAC address and it would say Rejected. I have attached the Access Tracker request with the error, but I cannot understand what is going on here. 
    I have verified the CPGP01 is a member of the domain and has valid Radius and HTTPS certificates (I saw these in a few earlier posts so I checked first before posting). 
    When I try to go to the Login Page when I am connected to the company network, it takes me there properly, so it only seems to have an effect on someone who is trying to join our Guest Network. 
    But again, if I put it back to the CPGP00 Virtual IP, everything works again. 



  • 2.  RE: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher
    Best Answer

    Posted Dec 17, 2015 03:28 PM
    Did you update any ACLs that might just allow HTTP/HTTPS to the Publisher IP address?

    Or are you just whitelisting the VIP ?


  • 3.  RE: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

    Posted Dec 17, 2015 05:17 PM

    Where do I do this at? I just spoke with someone who mentioned the same thing but had to drop off the call before he could tell me more details. 



  • 4.  RE: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher
    Best Answer

    Posted Dec 17, 2015 05:27 PM
    From the GUI you can check in two places:

    1- You can find this under Security > User Roles > "YOUR CAPTIVE PORTAL ROLE"

    Then check the ACLs under that and see if there's a rule allowing HTTP/HTTPS to the ClearPass server(s). If it is using an alias, then you need to update Advanced Services > Stateful Firewall > Destinations > "ALIAS NAME"

    2- Security > Authentication > L3 Authentication > Captive Portal Authentication Profile

    See if in the Guest Captive Portal profile there is any whitelist with the ClearPass IP/names. If it is there, then you need to update Advanced Services > Stateful Firewall > Destinations > "ALIAS NAME"


  • 5.  RE: CPPM Guest Self-Registration Not Working After Switching From VIP to Publisher

    Posted Dec 17, 2015 05:40 PM

    Yes, thank you. This was what was missing. I only had the VIP as a Destination in the firewall. I added the physical IP of the Publisher and now it works. Thank you very much!
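
The failure mode resolved in this thread (the firewall destination alias listed only the VIP) can be checked before a cutover. The following is an added example, not part of the original posts: a Python check over a saved controller configuration that reports destination aliases still listing the old address but not the new one, together with the session ACLs that use them. The sample configuration, the alias and ACL names, and the IPs are constructed placeholders, and only `host` entries in a destination are parsed.

```python
import re

# Constructed sample in ArubaOS running-config style. Alias/ACL names and
# the documentation-range IPs are placeholders, not values from the thread.
SAMPLE_CONFIG = """\
netdestination clearpass-guest
  host 192.0.2.10
!
netdestination internal-dns
  host 192.0.2.53
!
ip access-list session guest-logon-access
  user alias internal-dns svc-dns permit
  user alias clearpass-guest svc-https permit
!
"""

def _stanzas(config, header_re):
    """Yield (name, body_lines) for each stanza whose first line matches."""
    name, body = None, []
    for line in config.splitlines() + ["!"]:
        s = line.strip()
        m = re.match(header_re, s)
        if m or s == "!":
            if name:
                yield name, body
            name, body = (m.group(1) if m else None), []
        elif name:
            body.append(s)

def stale_aliases(config, old_ip, new_ip):
    """Map each alias that lists old_ip but not new_ip to the ACLs using it."""
    refs = {}
    for acl, rules in _stanzas(config, r"ip access-list session\s+(\S+)$"):
        for rule in rules:
            for alias in re.findall(r"\balias\s+(\S+)", rule):
                refs.setdefault(alias, set()).add(acl)
    stale = {}
    for alias, body in _stanzas(config, r"netdestination\s+(\S+)$"):
        hosts = {m.group(1) for l in body if (m := re.match(r"host\s+(\S+)", l))}
        if old_ip in hosts and new_ip not in hosts:
            stale[alias] = sorted(refs.get(alias, ()))
    return stale

if __name__ == "__main__":
    # VIP is whitelisted, the publisher's own address is not.
    print(stale_aliases(SAMPLE_CONFIG, "192.0.2.10", "192.0.2.11"))
```

An empty result means every alias that contains the old address also contains the new one, so pre-authentication guests can reach the portal on either.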