Occasional Contributor I

Captive Portal role not working

Hi there,

 

I'm currently trying to push a captive portal role to a 7005 controller, from ClearPass.

But I always get the following error on the controller:

 

"Reject line ... contains unsupported keyword".

 

The role ClearPass generates is the following:

aaa authentication captive-portal CLEARPASS-MACTRAC
    no user-logon
    no logout-popup-window
    login-page https://clearpass.local/guest/quarantined.php?m=112f2ec63371460a9eaaddcccdf6a8
    no enable-welcome-page
!
user-role cppmrole
    vlan 100
    reauthentication-interval 10
    captive-portal CLEARPASS-MACTRAC
!

The controller seems to reject everything related to the captive portal profile, inside the "aaa authentication captive-portal". Other stuff like VLAN and ACL works fine, if I just remove the captive portal from the role. It's just the captive portal part that is not accepted.

Any idea what can be the problem?

 

Thanks

Guru Elite

Re: Captive Portal role not working

Your initial role in the AAA profile of that Virtual AP should be "cppmrole"

 

cppm role also needs the captive portal ACLs for this to work.

 

Are both of those in place?

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
MVP

Re: Captive Portal role not working

Did you allow http & https traffic from the user (a wireless client with an IP) to the ClearPass?

 

// Create a Netdestination to clearpass

 

netdestination Clearpass
host <ip address of clearpass>


// Allow traffic to the Clearpass Server in the initial role

 

In the initial role, add these ACLs:

 

user Clearpass http permit
user Clearpass https permit

 

 



 

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Occasional Contributor I

Re: Captive Portal role not working

It's not that.

The mobile controller doesn't accept the role syntax that Clearpass generates.

Everything related to the captive portal profile in the role, generated by Clearpass, is being rejected.

Occasional Contributor I

Re: Captive Portal role not working

Everything is in place, yet the 7005 log shows the following:

 

Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Idefault-guest-role cppmrole', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Idefault-role cppmrole', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ilogin-page  https://clearpass.local/guest/quarantined.php?m=112f2ec63371460a9eaaddcccdf6a8', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ino enable-welcome-page', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ino logout-popup-window', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Ino user-logon', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line '^Iwhite-list clearpass.local', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Rejected line 'aaa authentication captive-portal CLEARPASS-MACTRAC', contains unsupported keyword
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm.c, auth_cppm_transform_writebuf:1954: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: processing stopped due to whitelist violation
Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  auth_cppm_fsm.c, ac_afsm_exec_transform:433: Dldb Role ROLE_AOS_MC_DUR_CAPTIVE-3056-37: Transform failed
Dldb Role: ROLE_AOS_MC_DUR_CAPTIVE-3056-37 Cannot be assigned downloadable role, role is in error state

The role Clearpass generates for the 7005 is the following:

netdestination clearpass.local
    host	192.168.8.1
!
aaa authentication captive-portal CLEARPASS-MACTRAC
    default-role cppmrole
    default-guest-role cppmrole
    no user-logon
    no logout-popup-window
    login-page https://clearpass.local/guest/quarantined.php?m=112f2ec63371460a9eaaddcccdf6a8
    no enable-welcome-page
    white-list clearpass.local
!
user-role cppmrole
    vlan 2010
    reauthentication-interval 10
    captive-portal CLEARPASS-MACTRAC
!

 

MVP

Re: Captive Portal role not working

This may be due to special characters in the name of the role sent.

The authmgr sees a special character '^' with the role being sent.

Is this the only role where this problem is observed?

Ajay Kumar Ravipati
ACMA (V8) | ACMP (V8) | CCENT | CCNA (R&S) | PAN-OS 8.0 ACE
Occasional Contributor I

Re: Captive Portal role not working

Unfortunately, that is not the problem.

I already created the enforcement profile manually, without any special characters (without any of those ^|, tabs, and slashes), and the 7005 still does not accept the downloadable role.

 

If I remove everything related to "aaa authentication captive-portal" and use a local captive portal profile, the role works.

New Contributor

Re: Captive Portal role not working

I work for the Aruba ClearPass team, and we tested this out locally as well. We hit the same issue and confirmed with the AOS Controller team. The Captive Portal setting within a DUR for Controller is not supported. That's the reason we have the errors as reported and also seen in our local setup.

Basically, we cannot push Captive Portal profile settings via DUR.
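
Added example, not part of the thread and not Aruba code: a small parser for authmgr lines in the format quoted above that groups the rejected downloadable-role lines per role and flags roles whose transform failed. The sample log is constructed; the role name, profile name and URL in it are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the authmgr lines quoted in this thread.
# Role name, profile name and URL are placeholders, not values from the thread.
P = ("Oct  7 00:01:49  authmgr[3359]: <199802> <3359> <ERRS> |authmgr|  "
     "auth_cppm.c, auth_cppm_transform_writebuf:1926: Dldb Role EXAMPLE-DUR-1: ")
SAMPLE_LOG = "\n".join([
    P + "Rejected line '^Ilogin-page  https://portal.example/guest', contains unsupported keyword",
    P + "Rejected line '^Ino user-logon', contains unsupported keyword",
    P + "Rejected line 'aaa authentication captive-portal EXAMPLE-CP', contains unsupported keyword",
    P + "processing stopped due to whitelist violation",
    P + "Transform failed",
])

REJECTED = re.compile(r"Dldb Role (?P<role>[^:\s]+): Rejected line '(?P<line>.*)', "
                      r"contains unsupported keyword")
FAILED = re.compile(r"Dldb Role (?P<role>[^:\s]+): "
                    r"(?:processing stopped due to whitelist violation|Transform failed)")

def summarize(log_text):
    """Group rejected downloadable-role lines per role and flag failed transforms."""
    roles = defaultdict(lambda: {"blocks": [], "settings": [], "failed": False})
    for entry in log_text.splitlines():
        m = REJECTED.search(entry)
        if m:
            line = m.group("line")
            # '^I' is caret notation for a tab: the line was indented inside a block.
            if line.startswith("^I"):
                roles[m.group("role")]["settings"].append(" ".join(line[2:].split()))
            else:
                roles[m.group("role")]["blocks"].append(line)
            continue
        m = FAILED.search(entry)
        if m:
            roles[m.group("role")]["failed"] = True
    return dict(roles)

if __name__ == "__main__":
    for role, info in summarize(SAMPLE_LOG).items():
        print(f"{role}: {'FAILED' if info['failed'] else 'ok'}")
        for block in info["blocks"]:
            print(f"  rejected block:   {block}")
        for setting in info["settings"]:
            print(f"  rejected setting: {setting}")
```

Run against the controller's own log, the "rejected block" entries show which top-level stanza of the downloadable role has to move to local controller configuration.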
