Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Captive Portal redirect

  • 1.  ClearPass Captive Portal redirect

    Posted Jul 25, 2019 10:12 AM

    Hey all,

     

    I'm banging my head against something I think should be super simple.  In my "home" environment I'm running 8.2.x code, and in my ClearPass guest login I point the login page to captiveportal-login.<schooldomain>.edu. My understanding is that whatever controller I'm connected to intercepts that as traffic intended for it, thus completing the login process.

     

    I'm currently helping out at another environment running 6.5.4.9 and when I try to do the same thing I get a "site can't be reached" error.  It seems the previous admins had used aruba-master.<schooldomain>.edu but I'm getting certificate errors. I may be barking up the wrong tree to fix that (it seems we need a new cert anyway) but they also have more than one controller so I'm thinking this is not what they want anyway, right?

     

    Why would captiveportal-login not be intercepted?  Was that different prior to 8.x?  Any help is greatly appreciated!



  • 2.  RE: ClearPass Captive Portal redirect

    EMPLOYEE
    Posted Jul 26, 2019 03:32 AM

    How the captive portal redirect and log happens did not really change between ArubaOS 6.5 and 8.x. Two things that you can check:

    - Recently read that the migration tool, if used to upgrade from 6.5 to 8.x, might miss some of the ACLs needed for captive portal.

    - In another case, someone tried to run the captive portal with self-signed/private CA certificates. As you mention that you probably need other certificates, I would recommend doing that first and not putting any effort into troubleshooting captive portal issues before you have proper public signed/trusted certificates installed on your controllers/Instant and, if applicable, on ClearPass for the captive portal. In that other case, after we installed public certificates it worked at once.



  • 3.  RE: ClearPass Captive Portal redirect

    Posted Jul 26, 2019 12:33 PM

    Thanks Herman, but I'm still stuck.  I got a good 3rd party cert loaded and have now completely avoided the insecure warnings from users' browsers.
    However, if I point ClearPass back to captiveportal-login.<domain> it does not work (site cannot be found).  This environment is still on 6.5.x, not 8.x, so it wouldn't be a migration tool issue.  I'm just trying to understand if captiveportal-login.x was added in 8.x or if this was where external captive portals were supposed to POST to before as well.  Right now we can only get it to work by using aruba-master.<domain>.  Maybe we just need to open a TAC case?



  • 4.  RE: ClearPass Captive Portal redirect

    Posted Jul 26, 2019 07:47 PM
    First of all, make sure your ACLs are fine and make sure the captive portal policy is the last policy in the initial role policies. Second, check DNS for the name that you are using, and also whether there is any firewall between the src network and the dst CPPM IP. If you can tell us some more details, that would be better.


  • 5.  RE: ClearPass Captive Portal redirect

    EMPLOYEE
    Posted Jul 29, 2019 03:20 AM

    The captiveportal-login is in 6.5 as well. You can check the name, just to be sure, with the command: "show datapath fqdn" for a controller based network, or "show captive-portal-domains" for Aruba Instant.



  • 6.  RE: ClearPass Captive Portal redirect
    Best Answer

    EMPLOYEE
    Posted Jul 30, 2019 02:01 PM

    captiveportal-login.<domain>.com is used only for wild card certs. Do you have a wild card cert on the controller?

     

    If you are using a normal named cert, you should use the CN of the cert to post the credentials.

     

    Since it's working with aruba-master.<domain>, it seems like the CN of the cert on the controller is aruba-master.domain.
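
Added example (not part of the thread and not Aruba code): a small Python check that applies the rule from the best answer to a controller certificate and reports which hostname the guest login page should POST to. The function names, port 443, and the `example.edu` sample certificates are assumptions constructed for illustration.

```python
import socket
import ssl


def cert_names(cert):
    """Return (common_name, [DNS SANs]) from an ssl getpeercert() dict."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return cn, sans


def login_host(cert):
    """Hostname the login page should POST to, per the best answer:
    wildcard CN (*.domain) -> captiveportal-login.domain, named CN -> the CN."""
    cn, _ = cert_names(cert)
    if not cn:
        raise ValueError("certificate has no commonName")
    if cn.startswith("*."):
        return "captiveportal-login." + cn[2:]
    return cn


def check_config(configured, cert):
    """Return (matches, expected) for the hostname configured in the guest page."""
    expected = login_host(cert)
    return configured.lower() == expected.lower(), expected


def fetch_cert(host, port=443, timeout=5):
    """Fetch the validated server certificate (port 443 is an assumption)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not from the thread).
NAMED = {"subject": ((("commonName", "aruba-master.example.edu"),),),
         "subjectAltName": (("DNS", "aruba-master.example.edu"),)}
WILDCARD = {"subject": ((("commonName", "*.example.edu"),),),
            "subjectAltName": (("DNS", "*.example.edu"),)}

if __name__ == "__main__":
    for label, cert in (("named", NAMED), ("wildcard", WILDCARD)):
        print(label, "->", login_host(cert))
    print(check_config("captiveportal-login.example.edu", NAMED))
```

Against a live controller, pass the result of `fetch_cert("<controller hostname>")` to `check_config` in place of the sample dictionaries.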