ClearPass Self-Registration Page - HTTPS Error

  • 1.  ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 26, 2017 11:41 AM

    Hi,

     

    I'm Janish. I'm new to Aruba wireless and ClearPass server. Recently I have deployed an Aruba wireless infrastructure with Aruba ClearPass.

    For guests we implemented a self-registration page. But at first we were receiving an HTTPS error since we didn't have a trusted certificate. Also we had issues with iOS 11 clients connecting to this network since Apple has increased the encryption to SHA-2.

    So on the advice of Aruba TAC we bought two SSL certificates from GoDaddy for ClearPass and the Controller.

    But even after uploading these certificates the clients are still getting an HTTPS error before getting the Captive Portal Page.

    As per my understanding since we have uploaded the trusted SSL certificate we should not get this error and it should get automatically redirected to the Captive Portal Page. Am I right?

    Or is this expected behavior?

     

    Please help me.

     

    Thank You.



  • 2.  RE: ClearPass Self-Registration Page - HTTPS Error

    EMPLOYEE
    Posted Nov 26, 2017 11:44 AM
    If the user attempts to go to an HTTPS page prior to redirection, they will receive a certificate error.

    However, the device should be using its native captive portal detection mechanisms. If that is not happening, verify you're not bypassing them.


  • 3.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 26, 2017 11:48 AM

    Hi Tim,

     

    Thanks a lot for your feedback.

     

    Most of the users are dumb users and it's a big office with a lot of guests coming in daily. So most of them are trying to access google.com first.

    But they are getting an HTTPS error message even after installing the SSL certificate from GoDaddy. Is it expected behaviour?

    Or is there any workaround so that we can remove this HTTPS error?



  • 4.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 26, 2017 11:49 AM

    Hi Tim,

     

    Is there a way to force the captive portal page at the same time as the client is trying to connect to the SSID,

    so that they won't type in google.com?

    Where can I check the native captive portal mechanism in the controller?

     

    Thank You.



  • 5.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 27, 2017 12:49 PM
    What happens if they type cnn.com first? Do they get a portal?
    Tim is correct, the device portal assistant should trigger and load the captive portal page for the user.



  • 6.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 27, 2017 01:42 PM

    When they go to cnn.com, which is an HTTP website, the portal comes up immediately.

    The problem here is that this is a big insurance company and there are lots of guests coming in daily. So it's not possible to tell every customer to go to cnn.com. The problem here is 90% of the guests first go to google.com and they are getting this error.

     

    From what I read, I understand the only solution for this is what Tim mentioned earlier about captive portal detection.

    But the Apple devices are not getting the CNA pop-up. Even though we didn't enable the CNA Bypass in ClearPass, the CNA is not working for Apple devices.

    Will there be anything in the controller or ClearPass bypassing this?

    Is there any way to check this?

     

    Thank You



  • 7.  RE: ClearPass Self-Registration Page - HTTPS Error

    EMPLOYEE
    Posted Nov 27, 2017 01:52 PM
    What are you whitelisting in your pre-auth role?


  • 8.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 27, 2017 02:15 PM

    Hi Tim,

     

    I didn't whitelist anything. It is all default settings.

    Here is my WLC page. Please let me know if there is any mistake.

     

    [Attached screenshots: WLC.png, WLC-1.png]



  • 9.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 27, 2017 02:16 PM


  • 10.  RE: ClearPass Self-Registration Page - HTTPS Error

    MVP
    Posted Nov 27, 2017 04:07 PM

    Ensure in your Initial Role you are only permitting HTTP/HTTPS access to ClearPass, because if you allow HTTP/HTTPS to anywhere the Apple CNA will not work.

     

    Apple devices try to reach captive.apple.com and if they can, they will assume there is no captive portal. Try explicitly denying captive.apple.com above the permit for HTTP/HTTPS and see if that makes it pop up.



  • 11.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 27, 2017 04:15 PM

    Hi,

     

    Thanks a lot for your feedback, Michael.

     

    Since I'm new to Aruba, can you just tell me the CLI commands to achieve this, or please share a link where I can get the CLI commands or GUI steps to achieve this?

    Sorry if I'm bothering you.

     

    Thank You :)



  • 12.  RE: ClearPass Self-Registration Page - HTTPS Error
    Best Answer

    MVP
    Posted Nov 27, 2017 04:31 PM

    Well, some of the commands will depend on your configuration. Can you confirm your AAA profile settings:

    show aaa profile <profile name for captive portal>
    show rights <initial role>

    To add the block for captive.apple.com:

    config t
    netdestination Apple-CNA
      name captive.apple.com
    !
    ip access-list session block-cna
      any alias Apple-CNA any deny
    !
    user-role <initial role>
      access-list session block-cna

    I would go into the Controller's Web UI to re-order the ACLs and verify by going to Configuration -> Access Control -> Edit the Initial Role. When done re-ordering, apply at bottom right and Save at top.

     



  • 13.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 27, 2017 04:45 PM

    Hi,

     

    Thank you so much, Michael.

    I will apply the settings tomorrow and update you.

    I'm attaching my AAA profile for Captive Portal and Captive Portal Authentication Profile along with this.

     

    As you can see from the picture, in the AAA profile for Captive Portal the initial role is the Captive Portal Authentication Profile which I created.

     

    And in Captive Portal Authentication Profile the

    Default Role = guest

    Default Guest Role = guest

     

    Is this correct or is there some mistake?

     



  • 14.  RE: ClearPass Self-Registration Page - HTTPS Error
    Best Answer

    Posted Nov 28, 2017 11:51 AM
    This is what I have as an example.

    user-role role_PreAuth_Visiteur
    captive-portal "Visiteur-cp_prof"
    access-list session global-sacl
    access-list session apprf-role_PreAuth_Visiteur-sacl
    access-list session logon-control
    access-list session CPPMAccess
    access-list session captiveportal
    !

    ip access-list session CPPMAccess
    any alias clearpass-servers svc-http permit
    any alias clearpass-servers svc-https permit
    !

    The alias 'clearpass-servers' are my CPPM IPs.

    Logon-control and captiveportal ACLs are the built in ACLs that I am reusing.
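
Added illustration, not part of any post in this thread: a small Python model of first-match evaluation across the session ACLs attached to a pre-auth role, showing which rule the Apple probe to captive.apple.com hits under the orderings discussed in posts 10, 12 and 14. The `permit-web-any` ACL, the `cppm.example.test` host and the simplified `redirect` action standing in for the built-in captiveportal ACL are assumptions made for the example.

```python
# Added illustration: first-match evaluation of the session ACLs in a pre-auth role.
# "permit-web-any", the "redirect" action and the ClearPass host are assumptions,
# not configuration taken from the thread.

ALIASES = {
    "Apple-CNA": {"captive.apple.com"},
    "clearpass-servers": {"cppm.example.test"},  # constructed placeholder host
}

# Each rule: (destination, service, action); destination is "any" or an alias name.
ACLS = {
    "block-cna":      [("Apple-CNA", "any", "deny")],
    "CPPMAccess":     [("clearpass-servers", "svc-http", "permit"),
                       ("clearpass-servers", "svc-https", "permit")],
    "permit-web-any": [("any", "svc-http", "permit"),
                       ("any", "svc-https", "permit")],
    "captiveportal":  [("any", "svc-http", "redirect"),
                       ("any", "svc-https", "redirect")],
}

def evaluate(role_acls, host, service):
    """Return (acl_name, action) of the first matching rule; implicit deny otherwise."""
    for acl_name in role_acls:
        for dest, svc, action in ACLS[acl_name]:
            dest_ok = dest == "any" or host in ALIASES[dest]
            svc_ok = svc == "any" or svc == service
            if dest_ok and svc_ok:
                return acl_name, action
    return "implicit", "deny"

def cna_probe(role_acls):
    """Outcome for the Apple probe (plain HTTP to captive.apple.com) in this role."""
    return evaluate(role_acls, "captive.apple.com", "svc-http")

# ACL order within each role is the evaluation order.
ROLES = {
    "permit web first": ["permit-web-any", "block-cna", "captiveportal"],
    "block-cna on top": ["block-cna", "permit-web-any", "captiveportal"],
    "ClearPass-only":   ["CPPMAccess", "captiveportal"],
}

if __name__ == "__main__":
    for name, acls in ROLES.items():
        print(f"{name:18} -> {cna_probe(acls)}")
```

In the first ordering the probe is permitted before `block-cna` is ever consulted, which is the situation post 10 describes: the device reaches captive.apple.com and assumes there is no portal.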


  • 15.  RE: ClearPass Self-Registration Page - HTTPS Error

    Posted Nov 28, 2017 12:52 PM

    Hi Michael and Pasquale,

     

    Thank You so much for your responses.

     

    I gave the access list in my Initial role and it worked like a charm.

    The 'too many redirection' issue has been solved.

     

    We had another issue with iOS 11 clients: they were getting disconnected since Apple has increased the encryption to SHA-2.

    So the TAC has whitelisted the Apple clients by allowing svc-https and svc-http to captive.apple.com.

    Due to this the Apple CNA is not working now.

    Also, we disabled the HTTPS redirection; we are using HTTP authentication.

     

    Thank You.