ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

  • 1.  ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Dec 10, 2018 11:13 AM

    Hi!

    I have several Instant Clusters in branches with the same SSIDs and a central ClearPass installation. I am in the process of designing a ClearPass Guest Self-registration solution.

    I have just studied the excellent ClearPass Workshop Training Video Series from Herman Robers about ClearPass setup, but this series is based on controller-initiated login configurations.

    Questions:

    What are the benefits when I decide to use the Server-initiated (CoA) Login Method with Instant Clusters instead?

    Do I still need Captive Portal Certificates on my Instant clusters in this case?

    What is the best practice?

    Can I configure just one Guest Service for all Instant Clusters?

    Is there a configuration example around here with the Server-initiated Login Method with CoA and Instant Clusters?

    Many thanks in advance for your ideas!

    Manfred M.



  • 2.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    EMPLOYEE
    Posted Dec 10, 2018 11:18 AM
    You should use controller-initiated logins with Aruba wireless infrastructure. Moving to server-initiated workflows does not remove the requirement for a certificate on the VC or controller.

    Server-initiated workflows should only be used for wired use cases or other workflows that require it.


  • 3.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Dec 10, 2018 11:28 AM

    Thank you for the fast reply - this is also my opinion, and in addition I'm familiar with the controller-initiated solution.

    It's always good to get a second opinion from an expert...

    I will go further with the controller-initiated login method in this case.

    Is there anything I have to take care of when designing a single Guest Service for several Instant Clusters?



  • 4.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    EMPLOYEE
    Posted Dec 10, 2018 11:33 AM
    Assuming all of the policy is the same, no issues using one service.


  • 5.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Aug 27, 2019 07:11 AM

    Hello Tim

    Bringing up an older post, but my short question to your statement is why? Why do you recommend doing controller-initiated login for Aruba Wireless? Is there a potential security breach in doing CoA to change the role?

    I've been using server-initiated login for years with great success because it is more flexible, seems to scale better and is less prone to Certificate error messages during all the redirects. What am I missing? Other than not being able to use the ClearPass Guest with mac-caching Wizard.. ;)



  • 6.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    EMPLOYEE
    Posted Sep 21, 2019 11:29 PM

    I am having the same thought, as the server-initiated login method provides a better user experience: it's "less prone to Certificate error messages during all the redirects", which I often faced when using the controller-initiated login method.



  • 7.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Sep 23, 2019 10:37 AM

    The issue with server-initiated is you end up with a lot of webauth rejects during that process. RADIUS is much cleaner but I agree with the cert issues. I have my certs set up correctly and I'm still ending up with certificate errors on Android devices when using Entrust publicly signed certificates signed by L1K and G2 root.



  • 8.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Sep 23, 2019 10:50 AM
    There are no webauth rejects - why would you get that unless they type the wrong password??


  • 9.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Sep 23, 2019 10:55 AM

    We trigger the login with JavaScript so we get rejects until the pub can create the account successfully. Would be better off with a login delay, but I'm looking to move to controller-initiated anyway.



  • 10.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Sep 23, 2019 11:04 AM
    Ok so it's your implementation that causes it. In a normal workflow you would not get any more errors than normal mistyped passwords.

    Why use JavaScript? To send the user to the correct page?

    Again something you don't need if doing a true server-initiated workflow. You just do allowall macauth and just return the role with the correct captive-portal profile if it's not mac-cached.

    I still don't see any positives to using controller-initiated login..


  • 11.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Sep 23, 2019 11:10 AM

    I am required to do a self-sponsored login. The initial setup was not done by me, but what basically happens is they hit the MAC auth service first which allows all MACs. If they have a valid account, they are authenticated. If not, they are sent back a role with a captive portal.

    They must supply an e-mail address and name. They register and then are sent a CoA to disconnect them so they reconnect via the MAC service. It is clunky and doesn't work well imo. They get a free 10m of access to activate their account at that point.

    Using a controller-initiated workflow with a session timeout, I find, works much more cleanly and consistently. I haven't really messed around with the server-initiated one on the production system to see if I could make it better but instead redid it.



  • 12.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    EMPLOYEE
    Posted Jan 24, 2020 09:54 AM

    Hi Root,

    Are you still using the server-initiated workflow? In that scheme, do you think it's possible to also enable a change of VLAN for a user already authenticated by means of CoA?



  • 13.  RE: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

    Posted Jan 24, 2020 10:26 AM
    You can try it, but then be sure to have a long wait timer like 8 sec. You will need to disconnect the client instead of just changing the role..
    It also depends on the client if they reconnect within this period and renew the ip address..