Frequent Contributor II

Re: Clear Pass integrate with Cisco WLC

Ok, that's good. Yes, that is your MAC auth service. You'll need to make a web authentication service to do CWA. Then build the guest self-registration out in ClearPass Guest. Once that is complete, your enforcement policy should be built out.

You will need an enforcement policy that includes the URL to your guest registration, and apply the ACL for redirection.

This is pretty basic; not sure if your SE can assist you better than I can. I
MVP

Re: Clear Pass integrate with Cisco WLC

Hello Kevin

 

Many different solutions here and I'm sure you're just as confused as when you started.

These are two decent ways of implementing Guest access:

 * Controller initiated - this is the most normal use case, and authentication is done by your client doing an HTTP POST towards the login.html of the controller. Works on all Aruba WLCs and all Cisco WLCs except 3850/5760 using IOS XE.

 * Server initiated - this involves MAC authentication and RADIUS CoA and is quite confusing to implement. The documents listed in the previous post in regard to wired Cisco are all about this, but they are not complete, so try the first method before trying this. This method is a requirement for Cisco WLCs using IOS XE (3850/5760).

 

Controller initiated works more or less right out of the box with ClearPass when using a Cisco 2504 WLC on 7.6.x.

 * Click Configuration - Start here

 * Select the Guest Access template, go through and fill in the variables. Save..

Make sure this new template is above the old ones you've created.

 

Since you're using self-registration there is no need for a pre-auth (webauth) service, but with a normal web login you have a RADIUS or local pre-auth and need to create a service for this.

 * Click Configuration - Start here

 * Select the Guest Access Web Login template, go through and fill in the variables. Save..

 * Move this template above the other Guest template just to keep things clean.

 

In Guest

  • Under Authentication, change the NAS Type to Cisco Systems (RFC 3576 support)
  • In the login use 

For the Cisco setup you should just google for "cisco wlc external web auth" and find the multiple guides that exist out there (not CWA, as that uses CoA and MAC auth). You can follow a guide using Cisco ISE.

 

On the Cisco:

* Create your pre-auth ACL "web_auth" (Security - Access Control Lists), more or less like this:

  • Permit 0.0.0.0/0 -> 192.168.1.210/23
  • Permit 192.168.1.210/23 -> 0.0.0.0/0

 

Define your AAA servers

* Security - RADIUS - Authentication

  • Call Station Type: "System MAC address"
  • MAC Delimiter: "Colon"
  • Add the 192.168.1.210 with shared secret and RFC 3576 enabled

* Security - RADIUS - accounting

  • Add 192.168.1.210 - with MAC delimiter "Colon"

Create your WLAN and edit the SSID to your liking, select the appropriate interface.

Edit the NAS-ID to something, if you want to use that in the CPPM service later.

 

* Security

  • Layer 2 - none
  • Layer 3 - Web Policy (authentication), preauth ACL = "web_auth"
  • Enable "Over-ride Global Config" - External (= redirect to external server)
  1. URL = input your ClearPass redirect URL here
  • AAA servers, server 1: 192.168.1.210 (Auth and Acc)

Advanced

  • DHCP addr. assignment required

 

Try it out and let us know how it turns out.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
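The pre-auth ACL in the post above is written with a /23 mask on the ClearPass address. Read as a network, 192.168.1.210/23 is 192.168.0.0/23, so every host from 192.168.0.0 to 192.168.1.255 is reachable by an unauthenticated guest, not just the ClearPass server. The following is an added example, not code from the post or from Aruba or Cisco: a small first-match ACL evaluator in Python that takes the two posted entries literally, compares them with a host-scoped (/32) version, and reports what a pre-auth client could reach. The client and neighbour addresses are constructed for the example; the ClearPass address 192.168.1.210 is the one used in the thread.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    seq: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def rule(seq, src, dst, action="permit"):
    # strict=False mirrors how a host address with a short mask is taken as a
    # network: 192.168.1.210/23 becomes the whole 192.168.0.0/23 block.
    return Rule(
        seq,
        ipaddress.ip_network(src, strict=False),
        ipaddress.ip_network(dst, strict=False),
        action,
    )


def evaluate(acl, src_ip, dst_ip):
    """First matching rule wins; no match is an implicit deny, as on a pre-auth ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in sorted(acl, key=lambda r: r.seq):
        if s in r.src and d in r.dst:
            return r.action
    return "deny"


def posted_acl():
    """The two entries from the post, taken literally (/23 on the ClearPass address)."""
    return [
        rule(1, "0.0.0.0/0", "192.168.1.210/23"),
        rule(2, "192.168.1.210/23", "0.0.0.0/0"),
    ]


def tightened_acl(clearpass_ip="192.168.1.210"):
    """Same intent, host-scoped: only the ClearPass address is reachable before login."""
    return [
        rule(1, "0.0.0.0/0", f"{clearpass_ip}/32"),
        rule(2, f"{clearpass_ip}/32", "0.0.0.0/0"),
    ]


def preauth_exposure(acl, candidates, client_ip="10.0.0.5"):
    """Return the candidate hosts an unauthenticated client (constructed address) can reach."""
    return [h for h in candidates if evaluate(acl, client_ip, h) == "permit"]


if __name__ == "__main__":
    # Constructed neighbours: one inside the /23, one outside it.
    hosts = ["192.168.1.210", "192.168.0.77", "192.168.2.1"]
    print("posted ACL reaches:   ", preauth_exposure(posted_acl(), hosts))
    print("tightened ACL reaches:", preauth_exposure(tightened_acl(), hosts))
```

The evaluator ignores ports and direction, which the WLC ACL editor does support; if the portal only listens on TCP 80/443, restricting the permit to those ports is the next step after fixing the mask.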

Occasional Contributor I

Re: Clear Pass integrate with Cisco WLC

Hi sdr35 and jsolb,

 

It can work already; the problem is I changed the IP address from 1.1.1.1 to the Cisco WLC IP address, so after it logs in successfully, it does not redirect to the Internet.

 

Thank you so much for your help ^ ^

Frequent Contributor II

Re: Clear Pass integrate with Cisco WLC

What are your alerts in Access Tracker?

If you have nothing in Access Tracker, make sure you have HTTPS enabled on the controller, or set ClearPass to use HTTP (clear text).

You should use 1.1.1.1 (or whatever you have set as the virtual IP).
Occasional Contributor I

Re: Clear Pass integrate with Cisco WLC

Hi,

 

I face this issue: after the user connects to the SSID, by default it will redirect to the ClearPass captive portal. However, it redirects to the Cisco WLC virtual IP address first (1.1.1.1); after the user clicks Proceed Anyway in the Chrome browser, only then does it redirect to the ClearPass captive portal web page. After a successful login, it shows the WLC login successful web page for a while, then it disappears. So how can we configure it to redirect to the ClearPass IP first, without going to the Cisco WLC, and how can we configure the user logout page?

 

Thanks

MVP

Re: Clear Pass integrate with Cisco WLC

Hello Kevin

 

Thought you had this fixed? 

 

So you're saying this is the current flow:

 

1. User connects to Guest-ssid

2. Tries to browse and is redirected to 1.1.1.1 (Cisco), and here gets a certificate error

3. User clicks continue, and is then redirected to the CP on ClearPass

4. Logs in on the ClearPass captive portal, is redirected to the login page on the WLC and stops there.

 

Try to do this using only HTTP first, just to eliminate any HTTPS nasties that usually follow in the initial setup process. I think that is why you see the error message on nr 2. You will need a valid SSL certificate installed on ClearPass that matches the FQDN you are redirected to, or just leave it at HTTP.

 -> Go to Guest / Configuration / Authentication - remove checkbox for "Require HTTPS for guest access"

 

On the WLC you will need to manually input the page you want to be redirected to after successful login. In the 7.x GUI you do this on the same place where you input the External redirect login page:

 Security > Web Auth > Web Login Page

Change the "Redirect URL after login" to the page you want to redirect the users to by default. I don't know a way to let them get to their initial url on Cisco.

 

In this place you also define the logout page.

 

As reference, you could just find a guide that uses Cisco ISE and a Cisco WLC and does normal webauth (not CWA/MAB). That should get you to where you need to be. The config on ClearPass seems to be correct on your part.

 

This might give you some more pointers on the WLC side of the configuration:

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html

 

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
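The four-step flow John lists above is the standard AireOS external web-auth sequence: the WLC intercepts the first HTTP request, sends the browser to login.html on its virtual interface (1.1.1.1 here, which is where the certificate warning appears when WebAuth SecureWeb is on and the virtual interface has no trusted certificate), and that page in turn redirects to the external portal with the client's details appended. The portal's job is to render a form that POSTs the credentials back to the WLC, not to ClearPass. The block below is an added example, not code from the post or from Aruba or Cisco: a Python model of those hops that builds each URL, renders the form the external page needs, and pins the POST target to the configured virtual IP instead of trusting the switch_url query parameter as received. The parameter and form-field names (redirect, switch_url, ap_mac, client_mac, wlan, buttonClicked=4, err_flag, redirect_url) are the ones Cisco documents for external web auth; the portal path, MAC addresses and client URL are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed lab values. Only the parameter names follow the documented
# AireOS external web-auth contract; everything else is an assumption.
VIRTUAL_IP = "1.1.1.1"                                       # WLC virtual interface
EXTERNAL_LOGIN = "http://192.168.1.210/guest/wlc_login.php"  # hypothetical ClearPass Guest page


def wlc_intercept(original_url, secure_web=True):
    """Hop 1: the WLC intercepts the client's first HTTP GET and 302s it to
    login.html on the virtual interface. With WebAuth SecureWeb enabled this
    is https://1.1.1.1, which is what triggers the browser certificate warning."""
    scheme = "https" if secure_web else "http"
    return f"{scheme}://{VIRTUAL_IP}/login.html?{urlencode({'redirect': original_url})}"


def wlc_external_redirect(virtual_login_url, client_mac, ap_mac, wlan):
    """Hop 2: the virtual interface, set to External web auth, redirects to the
    external login page and appends the parameters the portal needs."""
    parts = urlsplit(virtual_login_url)
    original = parse_qs(parts.query).get("redirect", [""])[0]
    params = {
        "redirect": original,
        "switch_url": f"{parts.scheme}://{parts.netloc}/login.html",
        "ap_mac": ap_mac,
        "client_mac": client_mac,
        "wlan": wlan,
    }
    return f"{EXTERNAL_LOGIN}?{urlencode(params)}"


def is_trusted_switch_url(switch_url, expected_host=VIRTUAL_IP):
    """The portal should only post credentials to the WLC it was configured for."""
    return urlsplit(switch_url).hostname == expected_host


def portal_login_form(request_url, expected_host=VIRTUAL_IP):
    """Hop 3: what the external portal must render. The form's action is the
    WLC's own login.html; the WLC then does RADIUS (PAP) to ClearPass itself.
    Pinning the action to the configured virtual IP means a crafted link with a
    foreign switch_url cannot turn the guest page into a credential relay."""
    query = parse_qs(urlsplit(request_url).query)
    switch_url = query.get("switch_url", [""])[0]
    if not is_trusted_switch_url(switch_url, expected_host):
        raise ValueError(f"switch_url {switch_url!r} does not point at the WLC virtual interface")
    return {
        "action": switch_url,
        "method": "POST",
        "hidden": {
            "buttonClicked": "4",  # marks the submit as a login attempt to the WLC
            "err_flag": "0",
            "redirect_url": query.get("redirect", [""])[0],
        },
        "fields": ["username", "password"],
    }


def login_flow(original_url, client_mac, ap_mac, wlan, secure_web=True):
    """Run hops 1 to 3 for one client and return the form the portal would render."""
    hop1 = wlc_intercept(original_url, secure_web)
    hop2 = wlc_external_redirect(hop1, client_mac, ap_mac, wlan)
    return portal_login_form(hop2)


if __name__ == "__main__":
    form = login_flow("http://example.com/", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff", "2")
    print("POST to:", form["action"])
    print("after login, WLC redirects to:", form["hidden"]["redirect_url"] or "(Redirect URL after login)")
```

Two things the model makes visible: the certificate warning can only be removed by either turning WebAuth SecureWeb off (as Josh describes later in the thread) or giving the virtual interface a certificate the client trusts for the name it is redirected to; and the post-login destination is whatever the WLC is told to use, which is why the "Redirect URL after login" setting has to be filled in on the WLC rather than on ClearPass.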
Occasional Contributor I

Re: Clear Pass integrate with Cisco WLC

Hi jsolb,

 

I've followed your instruction -> Go to Guest / Configuration / Authentication - remove checkbox for "Require HTTPS for guest access"; however, after I log in successfully from the captive portal, it cannot redirect to any web page. After changing it back, it comes back as you mentioned before:

1. User connects to Guest-ssid

2. Tries to browse and is redirected to 1.1.1.1 (Cisco), and here gets a certificate error

3. User clicks continue, and is then redirected to the CP on ClearPass

 

 

And, after logging in on the ClearPass captive portal, one LOGOUT web page appears with IP address 1.1.1.1. Can we change this 1.1.1.1 IP address to a hostname, or not have this web page display?
MVP

Re: Clear Pass integrate with Cisco WLC

It looks like 1.1.1.1 is OK for you to use in this scenario; you will have to change that if you change it on the WLC. You can also use a hostname/FQDN as long as this is resolvable from the client.

 

Is 192.168.0.56 the IP address the WLC will send RADIUS traffic from?

 

What you explain here is usually the case when the RADIUS authentication doesn't go through. Do you get anything in the Access Tracker? If yes, what do you get?

 

 

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
Regular Contributor I

Re: Clear Pass integrate with Cisco WLC

If you uncheck Require HTTPS, you must also adjust the settings on the WLC.

You have to allow HTTP and set WebAuth SecureWeb to Disabled. See the attached screenshot. Config --> Management --> HTTP-HTTPS

[Attached screenshot: wlc_http.PNG]

Regards,

Josh
___________
ACMP, ACCP
Occasional Contributor I

Re: Clear Pass integrate with Cisco WLC

For me it was a little bit difficult to set this up. I have written a PDF on this issue, and I hope it will help others that ran into the issue using Cisco external web authentication along with Aruba ClearPass.

Bo Nielsen