Captive Portal on ArubaOS Switch
2 weeks ago
I am testing captive portal on Aruba 2930F running 16.7 for Guest Device Registration on ClearPass 6.7.9.
The ClearPass server has a valid public HTTPS certificate.
I enrolled a self-signed cert on the switch; however, the URL redirect (https://clearpass.domain/guest) is showing a certificate error on both Chrome and IE. The errored certificate (from the certificate details on the browser) is the self-signed cert on the switch.
Is it worth looking into Downloadable User Role with SwitchOS 16.8+ and automatic Anchor Trust Certificate download, or will a valid certificate still be required on the Aruba 2930F switch for the captive portal to load fully without a certificate error?
Re: Captive Portal on ArubaOS Switch
2 weeks ago - last edited a week ago
You should not need a certificate on the switch for captive portal, and downloadable user roles seem unrelated to the message that you see.
From the screenshot, it appears that client traffic to ClearPass is intercepted resulting in a redirect loop.
Did you permit the traffic to ClearPass before the redirect rule?
The following is taken from the ClearPass Wired Policy Enforcement guide:
class ipv4 DNS
   match udp any any eq 53
class ipv4 DHCP
   match udp any any eq 67
class ipv4 INTERNAL
   match ip any 100.64.0.0/10
class ipv4 IP-ANY-ANY
   match ip any any
class ipv4 WEB-TRAFFIC
   match tcp any any eq 80
   match tcp any any eq 443
class ipv4 CLEARPASS-WEB
   match tcp any host 100.65.30.42 eq 80
   match tcp any host 100.65.30.42 eq 443
policy user CLEARPASS-REDIRECT
   class ipv4 DNS action permit
   class ipv4 DHCP action permit
   class ipv4 CLEARPASS-WEB action permit
   class ipv4 WEB-TRAFFIC action redirect captive-portal
Do you have that CLEARPASS-WEB class with permit, before you have the WEB-TRAFFIC redirect rule? And does the IP in CLEARPASS-WEB match your ClearPass server?
BTW, as redirecting HTTPS traffic will generate certificate warnings (by design of HTTPS), I prefer to only redirect HTTP (port 80) traffic and remove the 443 redirect (struck through in the example above).
Also, exact naming is not important; contents and order (allow traffic to ClearPass, then redirect all other HTTP traffic) are relevant.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.
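The ordering check described in the reply above, as an added example that is not part of the original thread or the ClearPass guide: it walks a user policy in evaluation order and reports a redirect that comes before the ClearPass permit, plus any 443 redirect. It assumes the simplified class/policy syntax quoted in the reply (not full switch CLI output); the function names are hypothetical and the sample is constructed, reduced to the two web classes.

```python
# Constructed sample, in the simplified syntax of the example quoted above.
GOOD = """\
class ipv4 WEB-TRAFFIC
  match tcp any any eq 80
  match tcp any any eq 443
class ipv4 CLEARPASS-WEB
  match tcp any host 100.65.30.42 eq 80
  match tcp any host 100.65.30.42 eq 443
policy user CLEARPASS-REDIRECT
  class ipv4 CLEARPASS-WEB action permit
  class ipv4 WEB-TRAFFIC action redirect captive-portal
"""
# Constructed misordering: the redirect rule moved above the ClearPass permit.
BAD = "\n".join(GOOD.splitlines()[:-2] + GOOD.splitlines()[:-3:-1])

def parse(config):
    """Return ({class: [(proto, dst, port)]}, {policy: [(class, action)]})."""
    classes, policies, cur = {}, {}, None
    for tok in (ln.split() for ln in config.splitlines() if ln.strip()):
        if tok[:2] == ["class", "ipv4"] and "action" in tok:
            cur.append((tok[2], tok[tok.index("action") + 1]))
        elif tok[:2] == ["class", "ipv4"]:
            cur = classes.setdefault(tok[2], [])
        elif tok[:2] == ["policy", "user"]:
            cur = policies.setdefault(tok[2], [])
        elif tok[0] == "match":
            i = 4 if tok[3] == "host" else 3  # destination is "host <ip>" or one token
            cur.append((tok[1], tok[i], int(tok[-1]) if "eq" in tok[i:] else None))
    return classes, policies

def audit(config, clearpass_ip):
    """List rule-order problems in each user policy, in evaluation order."""
    findings, (classes, policies) = [], parse(config)
    for policy, rules in policies.items():
        permitted = set()  # TCP ports to ClearPass permitted by earlier rules
        for cls, action in rules:
            for proto, dst, port in classes.get(cls, []):
                if (action, proto, dst) == ("permit", "tcp", clearpass_ip):
                    permitted.add(port)
                elif (action, proto, dst) == ("redirect", "tcp", "any"):
                    if port not in permitted:
                        findings.append(f"{policy}: tcp/{port} redirected before permit to {clearpass_ip}")
                    if port == 443:
                        findings.append(f"{policy}: tcp/443 redirect triggers certificate warnings")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(cfg, "100.65.30.42"))
```

Passing an address that does not match the CLEARPASS-WEB class produces the same findings as the misordered policy, which covers the second question in the reply (whether the IP matches the ClearPass server).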