Security

Hello,

 

We have deployed a wireless infrastructure (IAPs + ClearPass appliance) including a Guest portal but we have an issue with it. When a guest connects to the wifi, he is correctly redirected to the sign-In page. But once the user has completed the self-registration form and that the sponsor has approved, the user should be able to confirm and browse the internet. However, in our case when the user clicks on the Login button, he is redirected to the admin page of the ClearPass (/tips/welcome.action).

Capture of the problem

 

You can see below a capture of the login sequence:

 

we can see a redirection to /tips/welcome.action

 

Does anyone have ever met this issue?

Could you please help on this point.
Thanks all in advance.

 

Regards,

Yann

What is the post-auth user-role ?
Are you returning the role from ClearPass or it is assigned by the IAP



Sent from Mail for Windows 10

@Victor

 

Hi

 

The post auth user-role is Guest. We can see it from the clearpass guest GUI (Guest > account management).
The role is assigned by the clearpass.

Could it be that you put the captive-portal certificate on the ClearPass instead of on the Instant AP? From the trace it looks like the captive-portal request ends up on the ClearPass rather than on the Instant AP.

 

For this setup, you will need a certificate on both the IAP and on the ClearPass. In most cases, you need to have a different certificate, or if you want to have the same certificate you will need a wildcard or a multi-SAN certificate where the first/primary SAN is what the Instant AP will need.

Hello,

The certificate is put on the IAP and on the ClearPass. It's a wildcard certificate.

In the guest page config on Clearpass do you have the login url set to captiveportal-login.<domain> ?

And can you check if that name matches on the Instant CLI the output of the command: show captive-portal-domains ?

 

The name shown there under Internal Captive Portal domain is the name that is intercepted during the captive portal stage by the Instant AP. Please also double-check that the wildcard is uploaded to the IAP as 'Captive portal server' certificate.

Hi,

 

I've a difference when I execute the CLI command.

"Internal Captive Portal Domain:
captiveportal-login.<domain>

External Captive Portal Domains:
captive-portal.<domain>
localhost"

 

In Aruba Central, CCPM is configured like a external Captive Portal.

When I configure like internal captive portal, it's not possible to choose CCPM as a server.

@herman

 

After reading again the post, I need to precise some points
- What do you mean by internal captive portal ?
At this time IAP warm is configured with external captive portal mode which is a clearpass server.

 

- If I upload the same wildcard on both clearpass server and IAP controller, is it supposed to work?

 

Thanks in advance

For Instant AP, you can configure the captive portal to run in the AP itself, which is not very configurable but works. Or you can configure an external portal. Sometimes it helps to first configure the captive portal as internal, then test if that works so you know that authentication and certificates on the IAP are working fine and you can isolate the troubleshooting.

 

Yes, you can use the same wildcard on your AP and on ClearPass, as long as you don't give ClearPass the same name as the IAP will take (captiveportal-login.<your wildcard domain>). If you connect to your ClearPass as guest.<yourdomain> or something like that different from captiveportal-login, you should be fine.

Hi,

 

In the guest page config on Clearpass the login url set to: captive-portal.<domain> The CCPM's name is captive-portal. When I choose the SSID of captive portal and I put my credentials. I'm redirected to captive-portal.<domain>/tips/welcome.action while I configured a redirect to the company's website "welcome.<domain>"