Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Auth Guest Access not working

  • 1.  CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Auth Guest Access not working

    Posted Sep 13, 2016 08:08 PM

    Hi,

    I have a CPPM and a Cisco WLC controller.

    The idea is to use Cisco as the wireless infrastructure and CPPM as the RADIUS Authentication and Accounting server for Guest and 802.1X with AD users.

    All the config for 802.1X with AD works just fine between the Cisco WLC and CPPM, and also with the Local User DB on CPPM. However, when trying to use Guest Access with Captive Portal and the Local Guest Users DB on CPPM, it is not working: Monitoring > Access Tracker or Accounting did not show any log entry for this service.

    When a guest user connects to the Guest SSID, the user is redirected to the CPPM Captive Portal asking for username and password. When trying a valid CPPM guest user stored in the local DB, it shows a message telling me that the username or password is incorrect. Using Policy Simulation with the same Server Rules and Authentication Method, the Guest User works and shows a log entry in Access Tracker.

    Does someone have any idea why CPPM does not process WLC RADIUS requests only for the Guest SSID?



  • 2.  RE: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Auth Guest Access not working

    Posted Sep 13, 2016 09:25 PM
    Are you using captive portal redirect on MAC failure?

    For vendor settings, do you have Cisco in the guest page?

    Do you see any errors in the Event Viewer?


  • 3.  RE: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Auth Guest Access not working

    Posted Sep 13, 2016 09:47 PM

    Hi Victor Fabian,

    Here are my answers:

    Are you using captive portal redirect on MAC failure?

     R: No, I'm not. The WLC uses L2 Security Open and L3 Security web-policy > authentication.

    For vendor settings, do you have Cisco in the guest page?

     R: Yes, my guest test page is configured with Vendor Settings: Cisco and uses the virtual IP address of the WLC. Also, the Pre-Auth ACL has ACEs for DNS, ICMP, tcp/CPPM and tcp/WLC virtual IP address for the redirection.

    Do you see any errors in the Event Viewer?

     R: Yes, it shows me the following:

    Source: RADIUS
    Level: ERROR
    Category: Authentication
    Action: Unknown
    Timestamp: Sep 13, 2016 20:09:27 CDT
    Description: RADIUS authentication attempt from unknown NAD 10.100.1.2:32774

    10.100.1.2 is not the NAD; it is 10.10.10.2, as configured in Devices.


  • 4.  RE: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Auth Guest Access not working

    Posted Sep 14, 2016 12:34 AM
    Hi Víctor,

    The workaround I made was to add a new device using the virtual interface IP address configured for guest users on the WLC, with the same RADIUS shared secret.

    Now it is working well.


  • 5.  RE: CPPM v 6.6.0 Integration with Cisco WLC v 8.0.133.0 Auth Guest Access not working
    Best Answer

    Posted Sep 14, 2016 01:24 AM

    This is why the WLC was sending packets sourced from the dynamic interfaces mapped to an SSID.

    Cisco Quote:

    Information About Per-WLAN RADIUS Source Support

    The controller sources RADIUS traffic from the IP address of its management interface unless the configured RADIUS server exists on a VLAN accessible via one of the controller Dynamic interfaces. If a RADIUS server is reachable via a controller Dynamic interface, RADIUS requests to this specific RADIUS server will be sourced from the controller via the corresponding Dynamic interface.

    By default, RADIUS packets sourced from the controller will set the NAS-IP-Address attribute to that of the management interface's IP Address, regardless of the packet's source IP Address (Management or Dynamic, depending on topology).

    When you enable per-WLAN RADIUS source support (Radius Server Overwrite interface) the NAS-IP-Address attribute is overwritten by the controller to reflect the sourced interface. Also, RADIUS attributes are modified accordingly to match the identity. This feature virtualizes the controller on the per-WLAN RADIUS traffic, where each WLAN can have a separate layer 3 identity. This feature is useful in deployments that integrate with ACS Network Access Restrictions and Network Access Profiles.

    To filter WLANs, use the callStationID that is set by RFC 3580 to be in the APMAC:SSID format. You can also extend the filtering on the authentication server to be on a per-WLAN source interface by using the NAS-IP-Address attribute.

    You can combine per-WLAN RADIUS source support with the normal RADIUS traffic source and some WLANs that use the management interface and others using the per-WLAN dynamic interface as the address source.

    ==========================

    Since my dynamic interface IP addresses on the WLC can reach the CPPM RADIUS server, that was the reason the RADIUS packets were sourced this way, and I needed to configure a new device with the dynamic IP address on CPPM.

    Thank you very much, Victor, for your 'Event Viewer' hint; it did not cross my mind until you mentioned it. I am very grateful, regards.