
ClearPass Guest with custom user roles

  • 1.  ClearPass Guest with custom user roles

    Posted Oct 09, 2016 01:42 PM

    Hi,

    I’m trying to set up ClearPass Guest so our users can get access to our network via a web login page. We don’t need MAC caching. We want the users to be authenticated by RADIUS against our AD and our own Aruba-User-Role attribute’s value sent back to the controllers. We already do this with 802.1X and it's working as expected. We have CPPM 6.6.2 and Aruba OS 6.5.0.1.

    I am struggling to accomplish this. So far the web login page is partially functional: the AD users are authenticated in CPPM, but the user role defined in the enforcement profile is not sent back to the controller. There’s no error in Access Tracker or in Event Viewer, but after logging in we get this error in the browser: securelogin.arubanetworks.com’s server DNS address could not be found. I tried the wizard and a few step-by-step guides, but they only use local accounts and pre-defined roles. I’ve seen somewhere in a video that there were two system-defined services in ClearPass 6.0: “Guest Access – Web Login Pre-Auth” and “Guest Access”, and the latter was supposedly used to send the user role back to the controller. These two services are not available anymore. I only use one service, so I guess there’s something missing.

    Any help would be appreciated.



  • 2.  RE: ClearPass Guest with custom user roles

    Posted Oct 09, 2016 01:50 PM
    You need a RADIUS service using PAP (you can use the Guest Access with no MAC caching wizard).

    The authentication / authorization source should be AD. Create a role mapping based on the TIPS role > AD group you need, and then use those to return a user role back to the controller.

    If you are experiencing issues with authentication, it is possible that you need to replace the default certificate on your controller, or that there is an issue with the service in ClearPass.

    For the cert, look at this:
    http://community.arubanetworks.com/t5/Controller-Based-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Controllers/ta-p/275809


  • 3.  RE: ClearPass Guest with custom user roles

    Posted Oct 10, 2016 01:53 PM
    Here are some screenshots of my configuration and also from Access Tracker. Maybe it's obvious what's wrong, but I don't see it. Thanks


  • 4.  RE: ClearPass Guest with custom user roles

    Posted Oct 11, 2016 07:26 AM
    Your config looks good. Did you change the default certificate for captive portal on your controller?


  • 5.  RE: ClearPass Guest with custom user roles

    Posted Oct 11, 2016 08:42 AM

    Yes, I did. I tried to replace securelogin.arubanetworks.com with the FQDN of the new certificate on the controller, but then I get this error after login in CPG: https://sds-ar7240-1.xxxxx.xxx/cgi-bin/login?errmsg=Access%20denied.

    We have two controllers, and the FQDNs of the certificates are different. How will I manage this?

    Thanks



  • 6.  RE: ClearPass Guest with custom user roles

    Posted Oct 11, 2016 08:46 AM
    You can generate a single cert for both controllers using securelogin.yourdomain.xyz

    Or use a wildcard cert and in ClearPass point it to use captiveportal-login.yourdomain.xyz


  • 7.  RE: ClearPass Guest with custom user roles

    Posted Oct 11, 2016 08:55 AM
    Please look at the link I shared in my first post.


  • 8.  RE: ClearPass Guest with custom user roles

    EMPLOYEE
    Posted Oct 11, 2016 08:55 AM


  • 9.  RE: ClearPass Guest with custom user roles

    Posted Oct 11, 2016 11:27 AM

    I followed the steps in the doc you sent me and created a common certificate for both controllers. I named it aruba-controller.mydomain.com instead of securelogin.mydomain.com. Does it matter?

    After logging in, I get: aruba-controller.mydomain.com's server DNS address could not be found.



  • 10.  RE: ClearPass Guest with custom user roles

    EMPLOYEE
    Posted Oct 11, 2016 11:29 AM

    Did you update the CN in your web-login in CPG?



  • 11.  RE: ClearPass Guest with custom user roles

    Posted Oct 11, 2016 12:19 PM

    Yes, I did. I forgot to mention it.