Contributor II

ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

Hi!

I have several Instant Clusters in branches with the same SSIDs and a Central ClearPass Installation. I am in the process of designing a ClearPass Guest Selfregistration Solution.

I have just studied the excellent ClearPass Workshop Training Video Series from Herman Robers about ClearPass Setup, but this Series is based on Controller-Initiated Login Configurations.

Questions:

What are the benefits when I decide to use the Server-initiated (CoA) Login Method with Instant Clusters instead?

Do I still need Captive Portal Certificates on my Instant clusters in this case?

What is the best practice?

Can I configure just one Guest Service for all Instant Clusters?

Is there a configuration example around here with the Server-initiated Login Method with CoA and Instant Clusters?

Many thanks in advance for your ideas!

Manfred M.

Guru Elite

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

You should use controller-initiated logins with Aruba wireless infrastructure. Moving to server-initiated workflows does not remove the requirement for a certificate on the VC or controller.

Server-initiated workflows should only be used for wired use cases or other workflows that require it.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Contributor II

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

Thank you for the fast reply - this is also my opinion, and in addition I'm familiar with the controller-initiated solution.

It's always good to get a second opinion from an expert...

I will go further with the controller-initiated login method in this case.

Is there anything I have to take care of when designing a single Guest Service for several Instant Clusters?

Guru Elite

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

Assuming all of the policy is the same, no issues using one service.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP Expert

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

Hello Tim

Bringing up an older post, but my short question to your statement is why? Why do you recommend doing controller-initiated login for Aruba Wireless? Is there a potential security breach in doing CoA to change the role?

I've been using server-initiated login for years with great success because it is more flexible, seems to scale better and is less prone to Certificate error messages during all the redirects. What am I missing? Other than not being able to use the ClearPass Guest with mac-caching Wizard.. ;)


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Aruba Employee

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

I'm having the same thought, as the server-initiated login method provides a better user experience as it's "less prone to Certificate error messages during all the redirects", which I often faced when using the controller-initiated login method.

Frequent Contributor I

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

The issue with server initiated is you end up with a lot of webauth rejects during that process. RADIUS is much cleaner but I agree with the cert issues. I have my certs set up correctly and I'm still ending up with certificate errors on Android devices when using Entrust publicly signed certificates signed by L1K and G2 root.

MVP Expert

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

There are no webauth rejects - why would you get that unless they type the wrong password??

Regards
John Solberg

Frequent Contributor I

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

We trigger the login with JavaScript so we get rejects until the pub can create the account successfully. Would be better off with a login delay, but I'm looking to move to controller initiated anyway.

MVP Expert

Re: ClearPass Guest Selfregistration: Server-initiated Login Method with Instant - best practise?

Ok so it's your implementation that causes it. In a normal workflow you would not get any more errors than normal mistyped passwords.

Why use JavaScript.. To send the user to the correct page?

Again something you don't need if doing a true server initiated workflow.. You just do allowall macauth and just return the role with the correct captive-portal profile if it's not mac-cached.

I still don't see any positives to using controller initiated login..

Regards
John Solberg
