Captive Portal on ArubaOS Switch

Hi,

 

I am testing captive portal on Aruba 2930F running 16.7 for Guest Device Registration on ClearPass 6.7.9.

 

The ClearPass server has a valid public HTTPS certificate.

 

I enrolled a self-signed cert on the switch, however the URL redirect (https://clearpass.domain/guest) is showing a certificate error on both Chrome and IE. The errored certificate (from the certificate details in the browser) is the self-signed cert on the switch.

 

Is it worth looking into Downloadable User Role with SwitchOS 16.8+ and automatic Anchor Trust Certificate download, or will a valid certificate still be required on the Aruba 2930F switch for the captive portal to load fully without a certificate error?

[Image: snapshot.jpg, Captive Portal Cert Error]

AS


Re: Captive Portal on ArubaOS Switch

You should not need a certificate on the switch for captive portal, and downloadable user roles seem unrelated to the message that you see.

 

From the screenshot, it appears that client traffic to ClearPass is intercepted resulting in a redirect loop.

 

Did you permit the traffic to ClearPass before the redirect rule?

 

The following is taken from the ClearPass Wired Policy Enforcement guide:

class ipv4 DNS
  match udp any any eq 53
   
class ipv4 DHCP
  match udp any any eq 67
   
class ipv4 INTERNAL
  match ip any 100.64.0.0/10
   
class ipv4 IP-ANY-ANY
  match ip any any
   
class ipv4 WEB-TRAFFIC
  match tcp any any eq 80
  match tcp any any eq 443
  
class ipv4 CLEARPASS-WEB
  match tcp any host 100.65.30.42 eq 80
  match tcp any host 100.65.30.42 eq 443

policy user CLEARPASS-REDIRECT
  class ipv4 DNS action permit
  class ipv4 DHCP action permit
  class ipv4 CLEARPASS-WEB action permit
  class ipv4 WEB-TRAFFIC action redirect captive-portal

Do you have that CLEARPASS-WEB class with permit, before you have the WEB-TRAFFIC redirect rule? And does the IP in CLEARPASS-WEB match your ClearPass server?

 

BTW, as redirecting HTTPS traffic will generate certificate warnings (by design of HTTPS), I prefer to only redirect HTTP (port 80) traffic and remove the 443 redirect (struck through in the example above).

 

Also, exact naming is not important; contents and order (allow traffic to ClearPass, then redirect all other HTTP traffic) are relevant.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
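
The ordering check described in the reply above, as an added example that is not part of the original post or any Aruba tooling: it parses the class/policy text and reports when ClearPass traffic is not permitted before the redirect rule, or when the redirect class still matches tcp/443. The function names `parse` and `audit` are hypothetical, the sample is constructed from the policy quoted in the reply, and only exact `match tcp any host <ip> eq <port>` lines are recognised as permitting ClearPass.

```python
# Constructed sample: the policy quoted in the reply, including the tcp/443 redirect match.
SAMPLE = """\
class ipv4 DNS
  match udp any any eq 53
class ipv4 WEB-TRAFFIC
  match tcp any any eq 80
  match tcp any any eq 443
class ipv4 CLEARPASS-WEB
  match tcp any host 100.65.30.42 eq 80
  match tcp any host 100.65.30.42 eq 443
policy user CLEARPASS-REDIRECT
  class ipv4 DNS action permit
  class ipv4 CLEARPASS-WEB action permit
  class ipv4 WEB-TRAFFIC action redirect captive-portal
"""

def parse(config):
    """Return ({class name: [match tokens]}, [(class, action)] in policy order)."""
    classes, rules, current = {}, [], None
    for words in (line.split() for line in config.splitlines()):
        if words[:2] == ["class", "ipv4"] and len(words) == 3:
            current = classes.setdefault(words[2], [])       # class definition
        elif words[:2] == ["class", "ipv4"] and "action" in words:
            rules.append((words[2], " ".join(words[words.index("action") + 1:])))
        elif words[:1] == ["match"] and current is not None:
            current.append(words[1:])
        elif words[:1] == ["policy"]:
            current = None                                   # policy body follows
    return classes, rules

def audit(config, clearpass_ip):
    """List ordering problems that would break or degrade the captive-portal redirect."""
    classes, rules = parse(config)
    idx = next((i for i, (_, act) in enumerate(rules) if act.startswith("redirect")), None)
    if idx is None:
        return ["no redirect rule found"]
    findings = []
    for port in ("80", "443"):
        want = ["tcp", "any", "host", clearpass_ip, "eq", port]
        if not any(act == "permit" and want in classes.get(cls, []) for cls, act in rules[:idx]):
            findings.append(f"tcp/{port} to {clearpass_ip} not permitted before redirect")
    if ["tcp", "any", "any", "eq", "443"] in classes.get(rules[idx][0], []):
        findings.append("redirect class matches tcp/443 (certificate warnings)")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "100.65.30.42") or "ok")
```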