CPPM captive portal w/ AOS8
07-29-2019 01:02 PM - edited 07-29-2019 02:52 PM
I'm having issues setting up an external captive portal with AOS8. I want to set up a captive portal with MAC caching. I am running CPPM 6.8.0, and AOS 18.104.22.168. I have two virtual ClearPass servers set up in a cluster with standby publisher configured. There are two VIPs, one with the publisher as primary, and one with the subscriber as primary.
CPPM-01 (cppm-01.mydomain.com): 192.168.10.101
CPPM-02 (cppm-02.mydomain.com): 192.168.10.102
I have a multi-SAN certificate which is signed by a trusted CA. The two ClearPass servers are included in the subject alternative names in the cert. The CN is also in that portion of the cert, as specified by the Aruba docs.
SAN: DNS:wifi.mydomain.com, DNS:cppm-01.mydomain.com, DNS:cppm-02.mydomain.com
I also installed this certificate (PKCS12) inside the /md folder as a ServerCert.
I did the ClearPass services with the service wizard. I also used the WLAN guest wizard on the controller (just to test).
Server groups (Possibly the issue?)
- Initial Role: guest-test-logon
- MAC Authentication Default Role: guest
- 802.1x Authentication Default Role: guest
- MAC Authentication Server Group set to group created by wizard
- MAC Authentication to my MAC auth profile
Captive Portal User Role: guest-test-logon
- This role has an ACL that allows http/https access to all ClearPass IPs (101, 102, 103, 104)
- This role has the captive portal associated with it
Authenticated Role: guest-test-authenticated
- This role has the allow all session policy in it.
L3 Captive Portal Profile
- Login Page: wifi.mydomain.com/guest/guest_register.php (wifi.mydomain.com resolves to CPPM-VIP-SUB not the mgmt IP of CPPM, it is a VIP)
- Default role is set to guest
The captive portal is launching (however, CNA does give me a "page couldn't be loaded" error; not concerned about that right now). However, the account gets created, but when I hit login, I do NOT see a RADIUS request back in the Access Tracker and the page gets redirected to wifi.mydomain.com.
In the NAS vendor settings in Guest, I have it set to controller-initiated and the IP address is set to wifi.mydomain.com. It doesn't even matter if I put a redirect URL in the captive portal; it doesn't get redirected. wifi.mydomain.com is the CN for the cert, so that's what I should have in the IP address section of the NAS vendor settings. But why am I getting nothing in the Access Tracker for RADIUS?
And the answer, if anyone else runs into this, is that I made two mistakes. I had my NAS hostname in DNS, and I had not selected that server certificate as the one to use for captive portal on the controller. "show datapath fqdn" showed the default. Once I changed that, it started working.
The only remaining question I have is if I can point the captive portal to the VIP so if the primary node goes down, the portal doesn't.
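The two mistakes in the post above (NAS hostname resolvable in DNS, default certificate still assigned to captive portal on the controller) are easy to catch before testing. This is an added consistency check, not code from the original post or from Aruba; every hostname and address below is constructed, and the default certificate CN is only modelled as "securelogin.arubanetworks.com".

```python
from urllib.parse import urlsplit

# Constructed sample: the layout from the thread, with the login page on a
# ClearPass VIP and a separate NAS hostname that is deliberately NOT in DNS.
GOOD_CFG = {
    "cp_cert_cn": "wifi.example.com",                 # CN of the multi-SAN cert
    "cp_cert_san": ["wifi.example.com", "cppm-01.example.com",
                    "cppm-02.example.com", "cppm-vip.example.com"],
    "controller_cp_cert_cn": "wifi.example.com",      # what 'show datapath fqdn' reports
    "nas_address": "wifi.example.com",                # Guest > NAS vendor 'IP address'
    "clearpass_addresses": {"192.0.2.11", "192.0.2.12", "192.0.2.20", "192.0.2.21"},
    "node_fqdns": ["cppm-01.example.com", "cppm-02.example.com"],
    "login_page": "https://cppm-vip.example.com/guest/guest_register.php",
}
# Hostname -> address as the guest client would resolve it (constructed).
GOOD_DNS = {"cppm-vip.example.com": "192.0.2.20",
            "cppm-01.example.com": "192.0.2.11", "cppm-02.example.com": "192.0.2.12"}
DEFAULT_CP_CN = "securelogin.arubanetworks.com"       # modelled default cert CN


def check_captive_portal(cfg, dns):
    """Return a list of findings; an empty list means nothing inconsistent was found."""
    findings = []
    san = set(cfg["cp_cert_san"])
    # Mistake 2 from the thread: the controller still uses the default certificate.
    if cfg["controller_cp_cert_cn"] != cfg["cp_cert_cn"]:
        findings.append(f"controller captive portal cert is {cfg['controller_cp_cert_cn']!r}, "
                        f"expected {cfg['cp_cert_cn']!r} (check 'show datapath fqdn')")
    # The NAS vendor address must be the CN of the captive portal cert.
    if cfg["nas_address"] != cfg["cp_cert_cn"]:
        findings.append("NAS vendor 'IP address' does not match the captive portal cert CN")
    # Mistake 1 from the thread: the NAS hostname resolved in DNS to ClearPass,
    # so the login POST went there instead of being intercepted by the controller.
    if dns.get(cfg["nas_address"]) in cfg["clearpass_addresses"]:
        findings.append(f"NAS hostname {cfg['nas_address']} resolves to a ClearPass address")
    # Per the post, the CN and both node FQDNs belong in the SAN list.
    for name in [cfg["cp_cert_cn"], *cfg["node_fqdns"]]:
        if name not in san:
            findings.append(f"{name} missing from certificate SAN")
    # The login page is served by ClearPass, so its host must resolve there and be in the SAN.
    login_host = urlsplit(cfg["login_page"]).hostname
    if dns.get(login_host) not in cfg["clearpass_addresses"]:
        findings.append(f"login page host {login_host} does not resolve to ClearPass")
    if login_host not in san:
        findings.append(f"login page host {login_host} not in certificate SAN")
    return findings


if __name__ == "__main__":
    for line in check_captive_portal(GOOD_CFG, GOOD_DNS) or ["no findings"]:
        print(line)
```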
Re: CPPM captive portal w/ AOS8
07-30-2019 04:01 PM
You can point the captive portal to the VIP for redundancy. If you have guest self-registration, then I would recommend enabling standby publisher as well, so that new registrations would continue working in the event of a publisher failure.