Frequent Contributor II

Clearpass Guest Captive Portal exceptions?

Hi:

Is there a way to allow users who connect to the Clearpass Guest captive portal to access another website? (without acquiring guest credentials)

 

We have a password manager web app setup that allows students to reset their password.

If they could get there from the Guest network captive portal, it would allow them to easily reset their password before connecting to the dot1x network. (and save on helpdesk calls)

 

I've tried adding a firewall rule to the captive portal role that allows this access, but the captive portal keeps redirecting.

 

Thanks,

Tony

 

 


Accepted Solutions
Moderator

Re: Clearpass Guest Captive Portal exceptions?

Yes. Create a netdestination with the domain name and then add it to the whitelist in the captive portal profile.

 

Once you click apply on the captive portal profile, it will dynamically build an ACL that allows 80/443 to that destination and put it at the top of the user-role.

 

cp-whitelist.png



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |



All Replies
Frequent Contributor II

Re: Clearpass Guest Captive Portal exceptions?

Hi Tim:

Thanks for the reply.

 

I added the destination to the whitelist, but I'm still getting redirected.

 

I can ping the server, so I know it's not a routing issue.

 

Is there anything else that needs to be set?

 

Thanks.

Moderator

Re: Clearpass Guest Captive Portal exceptions?

In your netdestination, did you do DNS names or IPs? If names, be sure your controller has DNS lookups enabled and has DNS servers defined.


Frequent Contributor II

Re: Clearpass Guest Captive Portal exceptions?

I used an IP address.

(the controller won't allow me to enter a name)

Moderator

Re: Clearpass Guest Captive Portal exceptions?

If you run:

Show rights

Do you see the white-list ACL at the top?


Frequent Contributor II

Re: Clearpass Guest Captive Portal exceptions?

Here's the output:

(I'm not sure where the apple.com came from, but that's not causing any harm at this point)

Thanks.

 

(ArubaMaster) #show rights Guest-cp-prof

Derived Role = 'Guest-cp-prof'
Up BW:No Limit Down BW:No Limit
L2TP Pool = default-l2tp-pool
PPTP Pool = default-pptp-pool
Periodic reauthentication: Disabled
ACL Number = 78/0
Max Sessions = 65535

Check CP Profile for Accounting = TRUE
Captive Portal profile = Guest-cp-prof

access-list List
----------------
Position  Name                           Type     Location
--------  ----                           ----     --------
1         Guest-cp-prof_list_operations  session

Guest-cp-prof_list_operations
----------------------------------
Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    apple.com    svc-http   permit                           Low                                                           4
2         user    apple.com    svc-https  permit                           Low                                                           4
3         user    pwmanager    svc-http   permit                           Low                                                           4
4         user    pwmanager    svc-https  permit                           Low                                                           4

Expired Policies (due to time constraints) = 0

Moderator

Re: Clearpass Guest Captive Portal exceptions?

Interesting. Can you check the datapath session table while you are trying to visit the site?

Show datapath session table | include


Frequent Contributor II

Re: Clearpass Guest Captive Portal exceptions?

Interesting:

It looks like traffic is getting there and back, but I keep getting redirected to the CP.

 

(ArubaLocal1) #show datapath session table | include 172.16.243.65
172.31.0.104 172.16.243.65 6 443 51939 0/0 0 0 5 tunnel 56 51 0 0
172.16.243.65 172.31.0.104 6 51939 443 0/0 0 0 4 tunnel 56 52 0 0 C

Frequent Contributor II

Re: Clearpass Guest Captive Portal exceptions?

Thanks for your persistence on this.

 

It turned out that the site I was redirecting to was doing a re-direction of its own, which then triggered the captive portal redirect, all too quickly for me to spot.

 

Thanks again,

 

Tony
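
Added example (not part of the original thread, and not Aruba code): the whitelist ACL only permits 80/443 to the listed destinations, so any redirect the whitelisted site issues to another host lands back on the captive portal, which is what the thread resolved to. The sketch below walks a URL's redirect chain and flags the first hop outside the whitelist; the host names, `audit_chain` and the sample chain are hypothetical, and matching is by host name as an assumption (a netdestination defined by IP needs the resolved addresses instead).

```python
import http.client
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = {80, 443}                  # the whitelist ACL permits only svc-http / svc-https
REDIRECTS = {301, 302, 303, 307, 308}

def hop_allowed(url, whitelist):
    """True if this hop's host and port would match the whitelist ACL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname in whitelist and port in ALLOWED_PORTS

def fetch_location(url, timeout=5):
    """Issue one GET without following redirects; return (status, Location header)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", target)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def audit_chain(start_url, whitelist, fetch=fetch_location, max_hops=10):
    """Walk the redirect chain; return [(url, allowed)], stopping at the first blocked hop."""
    results, url = [], start_url
    for _ in range(max_hops):
        allowed = hop_allowed(url, whitelist)
        results.append((url, allowed))
        if not allowed:
            break                          # a pre-auth guest is sent to the captive portal here
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            break
        url = urljoin(url, location)
    return results

# Constructed sample (hypothetical hosts): the reset app bounces to a second host.
SAMPLE = {
    "https://pwmanager.example.edu/": (302, "https://login.example.edu/reset"),
    "https://login.example.edu/reset": (200, None),
}

def sample_fetch(url):
    return SAMPLE.get(url, (200, None))

if __name__ == "__main__":
    for url, ok in audit_chain("https://pwmanager.example.edu/",
                               {"pwmanager.example.edu"}, fetch=sample_fetch):
        print("permit  " if ok else "CAPTURED", url)
```

Run it with the default `fetch` from a host that already has network access; it sees only HTTP 3xx redirects, so JavaScript or meta-refresh redirects and third-party page resources still need a browser check.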

 
