Guru Elite

Re: ClearPass Guest Redirect Loop Issue

Sounds like it, yeah. Maybe a NAT issue?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
MVP Expert

Re: ClearPass Guest Redirect Loop Issue

I'm going to have the customer look into the firewall config/routing config for the new VLAN. I unfortunately don't have access. I will review with the customer and will post any findings/resolutions here.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
MVP Expert

Re: ClearPass Guest Redirect Loop Issue

The issue appears to be routing on the local network. The path the traffic took was not the same path it used to come back. We found that we saw the SYN, but no SYN ACK. We were able to configure symmetric routing and traffic started to flow with no problem.

 

We are going to continue to test, but I think the routing has been resolved.

 

Thanks for the help.



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
Occasional Contributor I

Re: ClearPass Guest Redirect Loop Issue

A redirect loop normally occurs when you are not using a Microsoft valid signed certificate but an internal certificate. Also, never use the pre-installed box template, as this too can cause a redirect loop.

Occasional Contributor II

Re: ClearPass Guest Redirect Loop Issue

Has this already been resolved?

I got the same error also.

MVP Expert

Re: ClearPass Guest Redirect Loop Issue

Yes, this issue was resolved at this client's site. The issue was asymmetric routing: the traffic coming into ClearPass took a different route out, so we would notice SYN packets, but no SYN ACK packets from the same IP.

 

Do you have the MGMT and DATA ports configured on ClearPass? If both are configured, by default, all traffic will use the Data port to pass all traffic except traffic sourced from the same subnet as the Management port. So if you're sending traffic to the Management address from another subnet, it may respond from the Data port.

 

You can verify the routing table in the ClearPass CLI, I think the command is: network ip list

 



Michael Haring
If my answer is helpful, a Kudos is always appreciated!
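
A sketch of the SYN-without-SYN-ACK check described in the replies above, added here as an illustration and not taken from any poster or from ClearPass itself. It reads `tcpdump -nn` text output captured on one interface of the server and lists connection attempts that never got a SYN-ACK on that interface, which is what asymmetric return routing looks like from the server side. The function name, the sample capture and the IP addresses (documentation ranges) are assumptions constructed for the example.

```python
import re

# Matches the one-line IPv4 TCP summary printed by `tcpdump -nn`.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def unanswered_syns(lines, server_ip):
    """Return (client_ip, client_port, server_port, syn_count) for every
    connection attempt to server_ip with no SYN-ACK seen in this capture."""
    pending = {}  # (client, client_port, server_port) -> SYNs seen, incl. retransmits
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP summary line
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if flags == "S" and dst == server_ip:
            key = (src, sport, dport)
            pending[key] = pending.get(key, 0) + 1
        elif flags == "S." and src == server_ip:
            # SYN-ACK left on this interface: the attempt was answered here.
            pending.pop((dst, dport, sport), None)
    return [(c, cp, sp, n) for (c, cp, sp), n in pending.items()]

# Constructed sample: one client completes the handshake, the other keeps
# retransmitting its SYN because the reply never leaves this interface.
SAMPLE = """\
12:00:01.000100 IP 198.51.100.25.50112 > 192.0.2.10.443: Flags [S], seq 1000, win 64240, length 0
12:00:01.000300 IP 192.0.2.10.443 > 198.51.100.25.50112: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:01.010400 IP 198.51.100.25.50112 > 192.0.2.10.443: Flags [.], ack 2001, win 502, length 0
12:00:02.000100 IP 203.0.113.77.41822 > 192.0.2.10.443: Flags [S], seq 5000, win 64240, length 0
12:00:03.001200 IP 203.0.113.77.41822 > 192.0.2.10.443: Flags [S], seq 5000, win 64240, length 0
12:00:05.003900 IP 203.0.113.77.41822 > 192.0.2.10.443: Flags [S], seq 5000, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for client, cport, sport, n in unanswered_syns(SAMPLE, "192.0.2.10"):
        print(f"{client}:{cport} -> :{sport} sent {n} SYN(s), no SYN-ACK seen")
```

An empty result on one interface and hits on the other points at which port the replies are actually leaving from.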
MVP Expert

Re: ClearPass Guest Redirect Loop Issue

Another thing to check is your basic configuration on the controller:

 

1. Make sure you have an IP interface for the VLAN trying to get redirected to the captive portal

 

2. Make sure you have an ACL allowing captive portal and ClearPass:

logon-control

captive-portal

allow-clearpass (allow ClearPass via HTTP/HTTPS)

 

3. Make sure your local network has a route to ClearPass and ClearPass has a symmetric route back. 

 



Michael Haring
If my answer is helpful, a Kudos is always appreciated!