Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass two stage authentication with Cisco controller

  • 1.  ClearPass two stage authentication with Cisco controller

    EMPLOYEE
    Posted Aug 02, 2012 08:24 PM

    Hello

     

    I've been trying to configure two stage authentication with a Cisco controller and I can't find the way to do it. I think I have everything properly configured. However, once the device passes machine auth, it gets authenticated and the user authentication never takes place. Have any of you guys had the same problem?

     

    Regards



  • 2.  RE: ClearPass two stage authentication with Cisco controller

    EMPLOYEE
    Posted Aug 02, 2012 10:55 PM

    If this is Windows 7, if you click on an 802.1x WLAN, it defaults to machine-only authentication.  You need to go into Advanced and change that to computer or user authentication.

     



  • 3.  RE: ClearPass two stage authentication with Cisco controller

    Posted Aug 09, 2012 07:43 AM

    Hi,

     

    I have a similar issue. We have just integrated Amigopod and Cisco WLC. I am facing two issues.

     

    1- iOS users, after authentication, are redirected to the Cisco default internal captive portal authentication.

    2- All other clients are redirected to a page which is configured in ClearPass, but a logout pop-up window appears and keeps running in the background.

     

    How do we sort out this issue?



  • 4.  RE: ClearPass two stage authentication with Cisco controller

    EMPLOYEE
    Posted Aug 09, 2012 08:01 AM

    mshafi,

     

    Please contact support and open a case.  Your specific issue could be very hard to troubleshoot in this forum.

     



  • 5.  RE: ClearPass two stage authentication with Cisco controller

    Posted Sep 25, 2012 09:27 AM

    I have been chasing TAC for more than 1 month with no progress. Is anyone facing a similar issue when integrating ClearPass with Cisco controllers?



  • 6.  RE: ClearPass two stage authentication with Cisco controller

    Posted Oct 08, 2012 03:23 AM

    Hi All, 

     

    At last we got a solution from TAC.

    There is an interesting behavior with iOS clients while integrating with WLC OS 7.2 and ClearPass.

     

    Following are the findings of TAC:

     

     

    1. Web login did not work in my environment until I installed a trusted certificate in the WLC web auth page and configured my Web Login page in Clearpass Guest to use https to the hostname on my certificate.

    2. The web login works perfectly with CNA disabled in the WLC. However, you need to manually open safari first to get the weblogin page instead of it opening automatically.

    3. If the CNA is not disabled in the WLC, then you will get the web login page automatically. Once you login, it will take you to a page with the word "Success" on it and nothing else. To resolve this, a global configuration for a welcome page needs to be added in the WLC web auth config. 

    4. Even if the welcome page is configured, you are still in the CNA and the page you configured for welcome is displayed, but you cannot enter in a URL due to the CNA. The only thing you can do in the CNA is click done. Once you do that, your CNA goes away and you need to open Safari to continue web browsing. Obviously, this is not ideal, but there is nothing we can do about that. This is a cisco and apple issue.

     

    " My recommendation is to get a 3rd party certificate for your WLC and make sure DNS resolves the name of that 3rd party certificate to the virtual IP address of the WLC. Once you have that done, you can do some testing to decide if you want the CNA enabled or disabled "
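
Added example, not part of the original post or of TAC's reply: a Python check of the three conditions described above (web login URL uses https, the certificate covers the hostname in that URL, and DNS resolves that hostname to the WLC virtual IP). The hostname, URL path, addresses and certificate dictionary are constructed sample values; the dictionary uses the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and the problem codes are hypothetical names chosen for this sketch.

```python
import ipaddress
from urllib.parse import urlparse

def name_matches(pattern, hostname):
    """Exact match, or a wildcard that covers only the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        # "*.example.com" covers "wlc.example.com" but not "a.b.example.com"
        _, _, parent = hostname.partition(".")
        return parent == pattern[2:]
    return False

def check_webauth(login_url, cert, resolved_ips, virtual_ip):
    """Return problem codes; an empty list means the setup follows the advice."""
    problems = []
    url = urlparse(login_url)
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("not-https")
    # Names the certificate covers: DNS SANs, else the subject commonName.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, host) for n in names):
        problems.append("cert-name-mismatch")
    # Every address the portal name resolves to must be the WLC virtual IP.
    addrs = {ipaddress.ip_address(a) for a in resolved_ips}
    if not addrs:
        problems.append("dns-unresolved")
    elif addrs != {ipaddress.ip_address(virtual_ip)}:
        problems.append("dns-not-virtual-ip")
    return problems

# Constructed sample values (assumptions, not taken from the thread).
SAMPLE_CERT = {
    "subject": ((("commonName", "wlc-guest.example.com"),),),
    "subjectAltName": (("DNS", "wlc-guest.example.com"),),
}
SAMPLE_URL = "https://wlc-guest.example.com/login.html"
SAMPLE_VIP = "192.0.2.1"

if __name__ == "__main__":
    print(check_webauth(SAMPLE_URL, SAMPLE_CERT, ["192.0.2.1"], SAMPLE_VIP))
    print(check_webauth("http://portal.example.net/login.html",
                        SAMPLE_CERT, ["198.51.100.7"], SAMPLE_VIP))
```

In practice the `cert` argument would come from a TLS connection to the portal and `resolved_ips` from a lookup made on the guest network, since that is the resolver the clients use.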



  • 7.  RE: ClearPass two stage authentication with Cisco controller

    Posted Mar 29, 2013 01:41 AM

    Hi,

     

    I have a similar issue with 2 stage authentication.

     

    Could you please let me know what you mean by CNA?

     

    And how to disable this on the Cisco controller.

     

    Thanks



  • 8.  RE: ClearPass two stage authentication with Cisco controller

    EMPLOYEE
    Posted Mar 29, 2013 01:54 AM
    "Taken from the web"

    Apple implemented their Captive Network Assistant (CNA) which basically senses when a captive portal (like the WebAuth page) is being presented. To detect this behavior, the Apple device sends a request to http://www.apple.com/library/test/success.html to see if it gets a response. If it does, it knows a captive portal isn’t being used. If it does not get a response, it assumes a captive portal is in use and CNA auto-launches a browser window so as to get a leg-up on the portal login – trying to make sure the user doesn’t get stuck trying to use an app but not realizing they have to login to the captive portal first. Sounds like a fair plan but this ends up causing a “controlled window” to pop up that ends up blank.

    On the Cisco WLC (Wireless LAN Controller), there is a CLI only command that will bypass this “controlled windows” behavior on the Apple device.

    (Controller)> config network web-auth captive-bypass enable


  • 9.  RE: ClearPass two stage authentication with Cisco controller

    Posted Apr 03, 2013 12:56 PM

    thanks it works



  • 10.  RE: ClearPass two stage authentication with Cisco controller

    Posted Jun 11, 2013 11:35 PM
    Hello;

    Sorry to give new life but just wanted to ask to see how you integrated CPPM with Cisco WLC. ACL? Vlan? Other? Doing 802.1x or using Clearpass Guest?

    Any hurdles? Or features you want?


  • 11.  RE: ClearPass two stage authentication with Cisco controller

    EMPLOYEE
    Posted Jun 12, 2013 12:00 AM


    The only limitation is the firmware of the controller and what it supports.


  • 12.  RE: ClearPass two stage authentication with Cisco controller

    Posted Jun 12, 2013 07:49 AM

    Roles?



  • 13.  RE: ClearPass two stage authentication with Cisco controller

    Posted Jun 21, 2013 08:03 PM
    Just curious if you have resolved this and how you handle security or access restrictions. Do you switch VLAN in the controller?