Security

We are working on a new soluton for campus where students authenciate to 802.11 and then can go to a Clear Pass portal page to register non-802.11 devices like Roku, game consoles, etc.  Currently the portal is using a URL that contains IP address and we would like to use something (CNAME) like devices.millsaps.edu.  How can we change the URL for the Clear Pass portal?

Add a CNAME in DNS pointing to your ClearPass VIP and be sure that name is valid in your HTTPS certificate.

Are you using an Aruba controller ?

Victor - yes we are.

 

Tim - thanks for prompt response.  The default URL is https://XXX.XXX.XXX.XXX/guest/auth_login.php.  I tried to add a CNAME using this and it does not work.

You should never be accessing ClearPass by IP. Do you have all the proper A records created for your cluster?

Believe so according to set up guide.  If we did not use IP it would use server name which is also not desireable.  The issue with the whole thing is we bought support to install and configure when it was Aruba only.  We did not install until after HP/Aruba merger and we got left out in the cold with confiuration set up so we are doing it based on guide and this forum.  What we thought would be an easy process has turned into a nightmare and we keep hitting walls with Aruba/HP.  Sorry - had to vent a little  

 

Why are FQDNs not desirable? This is required for nearly any product.

Would not mind a FQDN if we were auto-redirecting to portal page but to tell students to go to https://longservername.XX.XX.edu/guest/auth_login.php was not ideal on campus.  Would like to use CNAME like devices.millsaps.edu or something similiar to make it easier to remember but if you are saying we cannot then we may have no choice.

You need to setup proper A records before you can create a CNAME.

Do you have a white paper on this so I can go through and verify this is done properly?  Or a link I can find it?

We don’t unfortunately. This isn’t unique to ClearPass so we don’t explicitly document it.

Ok, thanks.  So we get A records corrected if needed and then we have no option but forward to the FQDN of server for the portal?  I believe the DNS is correct but will verify with Aruba to be sure.  What CNAME would you suggest we use for this to work?

Add a new web login page with a blank skin. Check Provide a custom login form.

 

Remove all text from Header and Footer and add the following, replacing the appropriate values:

{if $smarty.server.SSL_TLS_SNI == 'devicereg.millsaps.edu'}
<meta http-equiv="refresh" content="0;url=https://clearpass.millsaps.edu/guest/mac_create.php">
{else}
<meta http-equiv="refresh" content="0;url=http://www.millsaps.edu">
{/if}

Then in Policy Manager, set that web login to be the landing page (Administration > ClearPass Portal)

 

Tim - thanks for the HTML redirect.  Got it in there but not showing up as an option in ClearPass portal landing page.

Make sure you choose Guest Portal.

THANK YOU!  Guess until we get the entire process worked out with Aruba we will go  with this.  Currently we use Netreg so a student joins campus SSID their 802 device is added automatically to Netreg and counts again their 5 device limit.  The students can add other devices (non 802 like Roku, gaming, etc.) up to 5 devices.  aruba is telling us we cannot add the 802 device automatically after joining SSID.  Student would have to look up MAC on iphone,etc and add manually.  So plan is student joins SSID and then goes to captive portal to register only those devices that do not support 802 like Roku.  Once device is registered in portal, student goes to anew SSID (BYOD) and joins giving them internet access on their non-802 devices.   Does this sound like the only option to you at this time?

Put the users into a captive portal role when they first connect and redirect them to the device registration portal (mac_create). The MAC address will be auto-filled and the student can register it.

See, this is what I asked the Aruba tech for the past 3 weeks and kept getting it would not work. Then my rep stepped in and said we would need to pay to get this project completed. It has been a very frustrating experience to say the least. The airhead post was my last hope. Can you direct me to something that can help me with what you suggest because it sounds like what we need. Cannot thank you enough

David A. Mattox
Manager of Systems Operations
Millsaps College
Direct (601) 974-1149
@MillsapsITS

Does anyone have a white paper or URL I can review to do this?

 

"Put the users into a captive portal role when they first connect and redirect them to the device registration portal (mac_create). The MAC address will be auto-filled and the student can register it."

Aruba support was able to make it so users join SSID and then auto-redirected to captive portal page.  They even made it pre-fill with the mac of the 802.11 device.  Two issues they did not fix - aafter device is registered the user cannot access internet.  Keep redirecting them back to portal page.  Secondly, if device is already registered we do not want you to have to register it again.  Just access internet.  Suggestions?