Contributor II

CPPM captive portal w/ AOS8

Edit: I solved the issue, answer at bottom with one additional question.

Hi,
 
I'm having issues setting up an external captive portal with AOS8. I want to set up a captive portal with MAC caching. I am running CPPM 6.8.0 and AOS 8.5.0.1. I have two virtual ClearPass servers set up in a cluster with a standby publisher configured. There are two VIPs, one with the publisher as primary and one with the subscriber as primary.
 
CPPM-01 (cppm-01.mydomain.com): 192.168.10.101
CPPM-02 (cppm-02.mydomain.com): 192.168.10.102
CPPM-VIP-PUB: 192.168.10.103
CPPM-VIP-SUB: 192.168.10.104
 
I have a multi-SAN certificate which is signed by a trusted CA. The two ClearPass servers are included in the subject alternative names in the cert. The CN is also in that portion of the cert, as specified by the Aruba docs.
 
CN: wifi.mydomain.com
SAN: DNS:wifi.mydomain.com, DNS:cppm-01.mydomain.com, DNS:cppm-02.mydomain.com
 
I also installed this certificate (PKCS#12) inside the /md/ folder as a ServerCert.
 
I set up the ClearPass services with the service wizard. I also used the WLAN guest wizard on the controller (just to test).
 
Server groups (Possibly the issue?)
- CPPM-VIP-SUB
- CPPM-VIP-PUB
 
AAA Profile:
- Initial Role: guest-test-logon
- MAC Authentication Default Role: guest
- 802.1x Authentication Default Role: guest
 
- MAC Authentication Server Group set to the group created by the wizard
- MAC Authentication set to my MAC auth profile
 
Captive Portal User Role: guest-test-logon
- This role has an ACL that allows HTTP/HTTPS access to all ClearPass IPs (101, 102, 103, 104)
- This role has the captive portal associated with it
 
Authenticated Role: guest-test-authenticated
- This role has the allow all session policy in it.
 
L3 Captive Portal Profile
- Login Page: wifi.mydomain.com/guest/guest_register.php (wifi.mydomain.com resolves to CPPM-VIP-SUB, not the management IP of CPPM; it is a VIP)
- Default role is set to guest
 
---------------------------------------
 
The captive portal is launching (however, CNA does give me a "page couldn't be loaded" error; I'm not concerned about that right now). The account gets created, but when I hit login I do NOT see a RADIUS request back in the Access Tracker, and the page gets redirected to wifi.mydomain.com.
 
In the NAS vendor settings in Guest, I have it set to controller-initiated and the IP address is set to wifi.mydomain.com. It doesn't even matter if I put a redirect URL in the captive portal; it doesn't get redirected. wifi.mydomain.com is the CN of the cert, so that's what I should have in the IP address field of the NAS vendor settings. But why am I getting nothing in the Access Tracker for RADIUS?

Edit-------

And the answer, if anyone else runs into this, is that I made two mistakes. I had my NAS hostname in DNS, and I had not selected that server certificate as the one to use for the captive portal on the controller. `show datapath fqdn` showed the default. Once I changed that, it started working.

The only remaining question I have is whether I can point the captive portal to the VIP so that if the primary node goes down, the portal doesn't.
Occasional Contributor II

Re: CPPM captive portal w/ AOS8

You can point the captive portal to the VIP for redundancy. If you have guest self-registration, then I would recommend enabling standby publisher as well so that new registrations continue working in the event of a publisher failure.

Contributor II

Re: CPPM captive portal w/ AOS8

Yeah, that's what I did. I just needed to add that VIP hostname to the SAN in the cert and it worked fine. I also have standby publisher enabled, so thank you for that suggestion.

Thanks.
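The fix in this thread came down to certificate coverage: the captive-portal FQDN, each ClearPass node's own hostname, and (once the portal was pointed at a VIP) the VIP hostname all had to appear as subject alternative names, because the CN alone is not consulted by modern clients. The following script is an added example written for this page, not code from the original posters or from Aruba/ClearPass. It parses the SAN line as printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`, applies RFC 6125-style hostname matching (exact match, or a single leftmost wildcard label), and reports which required names the cert does not cover. The SAN text is constructed to match the cert described in the first post; the VIP hostname `cppm-vip-sub.mydomain.com` is an assumed name, since the thread never gives the VIP's DNS name.

```python
"""Check that a captive-portal / RADIUS server certificate's SAN list covers
every name clients and controllers will use to reach it.

Added example for this thread; not ClearPass or Aruba code.
"""
import ipaddress
import re

# Constructed sample: SAN output for the cert described in the original post,
# as printed by `openssl x509 -in cert.pem -noout -ext subjectAltName`.
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:wifi.mydomain.com, DNS:cppm-01.mydomain.com, DNS:cppm-02.mydomain.com
"""

# Names the cert must cover: the portal URL hostname, each cluster node's own
# hostname, and the VIP hostname the portal is pointed at for redundancy.
# "cppm-vip-sub.mydomain.com" is an assumed name for the subscriber VIP.
REQUIRED_NAMES = [
    "wifi.mydomain.com",
    "cppm-01.mydomain.com",
    "cppm-02.mydomain.com",
    "cppm-vip-sub.mydomain.com",
]

_SAN_ENTRY = re.compile(r"\b(DNS|IP Address):([^,\s]+)")


def parse_san(text):
    """Return (dns_names, ip_addresses) from openssl's SAN dump.

    DNS names are lower-cased and stripped of a trailing dot so that
    comparisons are case-insensitive; IPs become ipaddress objects.
    """
    dns_names, ip_addrs = [], []
    for kind, value in _SAN_ENTRY.findall(text):
        if kind == "DNS":
            dns_names.append(value.lower().rstrip("."))
        else:
            ip_addrs.append(ipaddress.ip_address(value))
    return dns_names, ip_addrs


def dns_matches(pattern, host):
    """RFC 6125-style match: exact, or one wildcard in the leftmost label only.

    "*.mydomain.com" matches "wifi.mydomain.com" but neither "mydomain.com"
    nor "a.b.mydomain.com".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def missing_names(san_text, required):
    """Return the required names/IPs that no SAN entry matches.

    A required entry that parses as an IP address must appear as an
    'IP Address' SAN; a DNS SAN never satisfies a client that connected by IP.
    """
    dns_names, ip_addrs = parse_san(san_text)
    missing = []
    for name in required:
        try:
            covered = ipaddress.ip_address(name) in ip_addrs
        except ValueError:
            covered = any(dns_matches(p, name) for p in dns_names)
        if not covered:
            missing.append(name)
    return missing


if __name__ == "__main__":
    gaps = missing_names(SAN_TEXT, REQUIRED_NAMES)
    if gaps:
        print("Certificate does NOT cover:", ", ".join(gaps))
    else:
        print("Certificate covers every required name.")
```

Run against the constructed SAN list, the script reports only the VIP hostname as missing, which is exactly the gap the original poster closed by reissuing the cert. Pointing the portal at the VIP by IP instead would require an `IP Address:` SAN entry rather than a DNS one, which the check enforces by treating IP-literal names separately.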
