Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
CPPM and captive portal

  • 1.  CPPM and captive portal

    Posted Apr 01, 2014 12:02 PM

    I have everything set up and working fine except CP through CPPM.  We can do the self registration portion and use internal users but I cannot get CPPM to use AD.  AD works fine for .1x through CPPM so it is a configuration of the captive portal service.

     

    Goal: users in AD can use AD to auth to an SSID which uses CPPM as the host of the CP.

    (cannot use controller for other reasons at this time).

     

    As soon as I press enter on the CP page (using my AD information), it returns bad username/password.  I do not see anything logged on the CPPM either, so I can't figure out where the problem is located.

     

    It all seems so simple but something is just not quite right.  I have AD added in all the places I think it should be... but no joy.

     

    Any ideas?



  • 2.  RE: CPPM and captive portal

    EMPLOYEE
    Posted Apr 01, 2014 12:04 PM

    On the Aruba Controller, your Captive Portal profile needs to have a server group that has CPPM in it.

     



  • 3.  RE: CPPM and captive portal

    Posted Apr 01, 2014 12:12 PM

    It has the CPPM server as the only server.  Is there something that needs to point the CPPM toward that Captive Portal Profile?

     

    The issue with the controllers, at this time, is the local CP has ip cp-redirect pointing to a controller (3600) for tunnel termination. It is an old design we will eventually fix, but all 13 controllers point to this 3600 for guest access (not many guests).

     

    Since the current CPPM CP works with this in place, I do not think the ip cp-redirect is causing an issue.


    **EDIT**

    Found the 'pointer'.  In the initial role, we are pointing them to the correct Captive Portal profile.



  • 4.  RE: CPPM and captive portal

    EMPLOYEE
    Posted Apr 01, 2014 12:16 PM

    If it says bad username or password, something is rejecting it.  You are probably not configuring the correct captive portal authentication profile.  If you see a rejection and only CPPM is in the server group, the rejection must come from CPPM, period.



  • 5.  RE: CPPM and captive portal

    Posted Apr 01, 2014 12:28 PM

    **embarrassed**

     

    In my switch over from testing, I did not change the VAP we were using for the testing.  Unfortunately it now says web authentication is disabled.  I'll start working on that issue before I can get to authentication on the CPPM.

     

    *guessing this might be related to the ip cp-redirect*



  • 6.  RE: CPPM and captive portal

    Posted Apr 01, 2014 12:33 PM

    I understand your embarrassment, I do that a lot also.

     

    On the other hand, thanks for the topic, your discussion with Colin reminded me to check my own test turned production... I also am still using the test VAP. Or was until a moment ago.



  • 7.  RE: CPPM and captive portal

    Posted Apr 01, 2014 12:44 PM

    I have it corrected (web auth online) but it is back to 'invalid username or password' for all attempts with no log in the access tracker.



  • 8.  RE: CPPM and captive portal

    EMPLOYEE
    Posted Apr 01, 2014 12:47 PM

    What auth sources do you have in the service? Can you show a screen shot of the service?



  • 9.  RE: CPPM and captive portal

    Posted Apr 01, 2014 01:19 PM

    For both authentication and authorization, I have our AD as the target.



  • 10.  RE: CPPM and captive portal

    EMPLOYEE
    Posted Apr 01, 2014 01:46 PM

    It sounds suspiciously like it is trying to auth against the controller InternalDB.  Where did you put the server-group that has Clearpass in it?

     

    It needs to be in the captive-portal profile configuration.  If you are using MAC caching with ClearPass, you need to put it as the 'mac-auth server-group' within the aaa-profile as well.



  • 11.  RE: CPPM and captive portal

    Posted Apr 01, 2014 02:44 PM

    I agree on all points made: it is not trying to talk with AD/Radius.  But why?

     

    Here's what I have from a flow chart perspective thus far:

     

    Initial role = CPG-login ; this gives the Captive Portal Profile = ClearPass_CP

    ClearPass_CP --> login page = http://x.x.x.x/guest/guest_register_login.php as well as Server Group = ClearPass (with CPPM server in it)

    Since ClearPass server/server group works with .1x, I do not believe that is the issue.

     

    Does the Policy Simulation work in CPPM?  I'm trying to make sure it hits my Service but I cannot get it to answer anything other than no policy matches.

     

    Service Rule (default for guest with MAC)

    IETF - Calling-station-Id - exists

    Connection - Client-MAC-Address  <> %{Radius:IETF:User-Name}

    Aruba - Aruba-ESSID-Name = OURssid

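As an added illustration (not ClearPass code and not from any poster in this thread): a small evaluator for the three service rules listed in the post above, run against constructed RADIUS requests. It shows why a MAC-auth request, where the controller sends the client MAC as the user name, is excluded by the second rule, while a web login on OURssid matches. Attribute names are written as ClearPass displays them; the dict layout and sample values are assumptions.

```python
# Added example: evaluate the three ClearPass service rules from the post
# (ANDed, as in a "match all" service rule set) against constructed requests.
import re

def normalize_mac(value):
    """Strip common MAC separators and lower-case, so 'AA-BB-CC-DD-EE-FF'
    compares equal to 'aabbccddeeff'. Non-MAC strings are left intact."""
    return re.sub(r"[:.\-\s]", "", value.lower())

def failing_rules(request, essid="OURssid"):
    """Return the names of the rules that do NOT match; empty list = service hit."""
    failed = []
    # Rule 1: IETF Calling-Station-Id EXISTS
    if not request.get("Radius:IETF:Calling-Station-Id"):
        failed.append("Calling-Station-Id exists")
    # Rule 2: Connection Client-MAC-Address NOT EQUALS User-Name.
    # A captive-portal login carries a real user name; a MAC-auth request
    # carries the client MAC as the user name and is therefore excluded.
    user = request.get("Radius:IETF:User-Name", "")
    mac = request.get("Connection:Client-MAC-Address", "")
    if normalize_mac(user) == normalize_mac(mac):
        failed.append("Client-MAC-Address <> User-Name")
    # Rule 3: Aruba-ESSID-Name EQUALS the SSID the service is meant for
    if request.get("Radius:Aruba:Aruba-ESSID-Name") != essid:
        failed.append("Aruba-ESSID-Name = " + essid)
    return failed

def service_matches(request, essid="OURssid"):
    """True only when every rule matches (the request reaches this service)."""
    return not failing_rules(request, essid)

# Constructed sample requests (not captured from a real controller).
WEB_LOGIN = {
    "Radius:IETF:Calling-Station-Id": "AA-BB-CC-DD-EE-FF",
    "Radius:IETF:User-Name": "jdoe",            # an AD user logging in via CP
    "Connection:Client-MAC-Address": "aabbccddeeff",
    "Radius:Aruba:Aruba-ESSID-Name": "OURssid",
}
MAC_AUTH = dict(WEB_LOGIN, **{"Radius:IETF:User-Name": "aa-bb-cc-dd-ee-ff"})
OTHER_SSID = dict(WEB_LOGIN, **{"Radius:Aruba:Aruba-ESSID-Name": "Corp"})
NO_CALLING_ID = {k: v for k, v in WEB_LOGIN.items()
                 if k != "Radius:IETF:Calling-Station-Id"}

if __name__ == "__main__":
    for name, req in [("web login", WEB_LOGIN), ("mac auth", MAC_AUTH),
                      ("other ssid", OTHER_SSID), ("no calling id", NO_CALLING_ID)]:
        print(f"{name:14s} -> match={service_matches(req)} failed={failing_rules(req)}")
```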


  • 12.  RE: CPPM and captive portal
    Best Answer

    Posted Apr 09, 2014 02:52 PM

    Found the issue.  It is hidden way down deep.  Took multiple Aruba engineers + others to finally find it.

     

    You have to turn off Pre-Auth in the guest management "NAS login".  Since AD is an external source, you don't do the pre-auth.



  • 13.  RE: CPPM and captive portal

    EMPLOYEE
    Posted Apr 01, 2014 01:21 PM
    Frankly if you are not seeing it in the access tracker, you first need to look at the controller.


  • 14.  RE: CPPM and captive portal

    Posted Apr 01, 2014 01:42 PM

    Double checking all of the controller config now. Would

     

    http://x.x.x.x/guest/guest_register_login.php

     

    still be the correct web url for the login page?