
Clear Pass integrate with Cisco WLC

Hi,

 

I am trying to deploy ClearPass with a Cisco WLC, so that when a user connects to the Wi-Fi, they are redirected to the ClearPass captive portal for authentication.

   - Clear Pass IP address: 192.168.1.210/23

   - Cisco WLC IP address: 192.168.0.56/23

   - GW: 192.168.0.1/23

 

When I connect to the Wi-Fi and try to access google.com, it redirects to the ClearPass captive portal; however, after a successful login, it does not redirect to google.com. It redirects to the Cisco WLC IP address, and I cannot browse websites. When I try to access google.com again, it redirects to the ClearPass captive portal again and again in a loop.

 

The settings for the Cisco WLC and ClearPass are attached.

 

Thanks a lot for your help.

Kevin


Accepted Solutions

Re: Clear Pass integrate with Cisco WLC

Hello Kevin

 

Many different solutions here and I'm sure you're just as confused as when you started.

These are two decent ways of implementing Guest access:

 * Controller initiated - this is the most normal use case, and authentication is done by your client doing an HTTP POST towards the login.html of the controller. Works on all Aruba WLCs and all Cisco WLCs except 3850/5760 using IOS XE.

 * Server initiated - this involves MAC authentication and RADIUS CoA and is quite confusing to implement. The documents listed in the previous post regarding wired Cisco are all about this, but they are not complete, so try the first method before trying this. This method is a requirement for Cisco WLC using IOS XE (3850/5760).

 

Controller initiated works more or less right out of the box with ClearPass when using a Cisco 2504 WLC on 7.6.x

 * Click Configuration - Start here

 * Select the Guest Access template, go through and fill in the variables. Save..

Make sure this new template is above the old ones you've created.

 

Since you're using self-registration there is no need for a pre-auth (webauth) service, but with a normal web-login you have a Radius or Local pre-auth and need to create a service for this.

 * Click Configuration - Start here

 * Select the Guest Access Web Login template, go through and fill in the variables. Save..

 * Move this template above the other Guest template just to keep things clean.

 

In Guest

  • Under Authentication change the NAS Type to Cisco Systems (RFC3756 support)
  • In the login use 

For the Cisco setup you should just google for "cisco wlc external web auth" and find the multiple guides that exist out there (not CWA, as this uses CoA and MAC auth). You can follow a guide using Cisco ISE.

 

 On the Cisco:

* Create your pre-auth ACL "web_auth" (Security - Access Control Lists) more or less like this:

  • Permit 0.0.0.0/0 -> 192.168.1.210/23
  • Permit 192.168.1.210/23 -> 0.0.0.0/0

 

Define your AAA servers

* Security - RADIUS - Authentication

  • Call Station Type: "System MAC address"
  • MAC Delimiter: "Colon"
  • Add the 192.168.1.210 with shared secret and RFC 3576 enabled

* Security - RADIUS - Accounting

  • Add 192.168.1.210 - with MAC delimiter "Colon"

Create your WLAN and edit the SSID to your liking, select the appropriate interface

Edit the NAS-ID to something - if you want to use that in the CPPM Service later

 

* Security

  • Layer 2 - none
  • Layer 3 - Web Policy (authentication), preauth ACL = "web_auth"
  • Enable "over-ride global config" - External (= redirect to external server)
    • URL = Input your ClearPass redirect URL here
  • AAA servers, server 1: 192.168.1.210 (Auth and Acc)

Advanced

  • DHCP addr. assignment required

 

Try it out and let us know how it turns out.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
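
The pre-auth ACL from the answer above, checked in a small model (an added example, not part of the original post and not Cisco or Aruba code): it shows what an unauthenticated guest can reach when the ClearPass host is entered with the /23 mask as written, compared with a /32 host entry. The rule model, function names and the two guest addresses are assumptions made for illustration; the ClearPass, WLC and gateway addresses are the ones from the question.

```python
import ipaddress

def rule(src, dst, action="permit"):
    # strict=False masks off host bits, as address/mask matching does:
    # "192.168.1.210/23" therefore means all of 192.168.0.0/23.
    return (ipaddress.ip_network(src, strict=False),
            ipaddress.ip_network(dst, strict=False), action)

def evaluate(acl, src, dst):
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_dst, action in acl:
        if s in r_src and d in r_dst:
            return action
    return "deny"

def preauth_reachable(acl, client, targets):
    """Names of the targets an unauthenticated client may send traffic to."""
    return [name for name, ip in targets.items()
            if evaluate(acl, client, ip) == "permit"]

# Addresses from the thread, plus one constructed outside host.
TARGETS = {
    "clearpass": "192.168.1.210",
    "wlc": "192.168.0.56",
    "gateway": "192.168.0.1",
    "internet": "203.0.113.10",      # constructed (documentation range)
}
GUEST_SAME_SUBNET = "192.168.1.77"   # constructed guest inside the /23
GUEST_OTHER_SUBNET = "10.10.10.25"   # constructed guest on a separate VLAN

ACL_AS_WRITTEN = [rule("0.0.0.0/0", "192.168.1.210/23"),
                  rule("192.168.1.210/23", "0.0.0.0/0")]
ACL_HOST_ONLY = [rule("0.0.0.0/0", "192.168.1.210/32"),
                 rule("192.168.1.210/32", "0.0.0.0/0")]

if __name__ == "__main__":
    for label, acl in (("as written", ACL_AS_WRITTEN),
                       ("host only", ACL_HOST_ONLY)):
        for guest in (GUEST_SAME_SUBNET, GUEST_OTHER_SUBNET):
            print(label, guest, preauth_reachable(acl, guest, TARGETS))
```

With the /23 mask, a guest inside 192.168.0.0/23 matches the second rule as a source and is permitted everywhere before login; with /32 only the portal is reachable.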


All Replies

Re: Clear Pass integrate with Cisco WLC

Hi,

I Dropboxed a folder with important info for you. (Link at the bottom of this post.)


Please download - and read a bit

Here is the link: (might contain duplicate docs - but important and helpful info)

https://www.dropbox.com/sh/ofjoxg394v9f9tg/eTkB1DEVV8

 

Let us know if you figure out where your misconfiguration is.

 

Have a great day.

 

me

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************

Re: Clear Pass integrate with Cisco WLC

Hi kdisc98,

 

The document is for integrating Aruba Wireless with ClearPass, but in my scenario I use a Cisco Wireless Controller 2504 instead of an Aruba Wireless Controller. For the part shown in the attachment, I'm not sure which IP address I need to specify. If I put the ClearPass IP address, it redirects to the ClearPass welcome page after a successful guest login, not to google.com as I typed in the browser. If I put the Cisco WLC IP address, I cannot browse to any web page although the guest login is successful.

 

Regards,

kevin


Re: Clear Pass integrate with Cisco WLC

Please read here: (those are CPPM to Cisco docs)

https://www.dropbox.com/s/0vjcivcxmc5xe0f/Cisco%20Switch%20Setup%20with%20CPPM-v1.2.pdf

 

You need to configure more things (not only Guest portal)

 


Re: Clear Pass integrate with Cisco WLC

You might find useful info here also:

ftp://ftp.dell.com/Manuals/all-products/esuprt_ser_stor_net/esuprt_powerconnect/powerconnect-w-clearpass-100-software_User%27s%20Guide7_en-us.pdf

 


Re: Clear Pass integrate with Cisco WLC

Can you please send your Access Tracker logs? (Are there any errors after you try to log in via the captive portal?)

Re: Clear Pass integrate with Cisco WLC

Your service that you have in your attachments is for mac auth. Do you have the service for web-auth? What version of CPPM do you have?

Re: Clear Pass integrate with Cisco WLC

Hi kdisc98,

 

The Access Tracker logs display nothing.

 

Hi sdr53,

 

Can you tell me what service I need to configure for the Cisco WLC authentication shown in the attachment? Before, I tried the 802.1X Wireless service, but the error is still the same as I mentioned above. I'm now using ClearPass Policy Manager version 6.3.0.60730.

 

Thanks

Kevin


Re: Clear Pass integrate with Cisco WLC

Is this for an open authentication network with mac caching?

You can just use the generic radius type. Then use the service rules so they are radius NAD IP address = IP address of controller.

Then if you do mac caching you need a service that will check the MAC address. I think you had that service posted in original post.

P.S. You might want to upgrade to 6.2.4. You can then have central web-auth (like Cisco ISE).

Re: Clear Pass integrate with Cisco WLC

Hi sdr53,

 

So the configuration in the attachment is correct?

 

The CPPM version is now 6.3.0.60730, so what do you mean by needing to upgrade to 6.2.4? Is that a downgrade or an upgrade?