Security

Feel like this is going to be some obvious setting, but I have a captive portal scenerio   3 controllers (2local, 1master) sending captive users to clearpass guest.

I am redirected correctly to the form, fill out the guest form correctly, but on submit, i dont see a listing for auth in Policy Manager and I get an error in web browser   "can't  open securelogin.arubanetworks.com"   I know that is the stand-in domain for redirects for the aruba controller, but for some reason it is not redirecting the user back to the correct controller it would seem.  Anyone experience anything similar?

 

Thanks

Matt

What is the exact URL that it attempts to redirect you to?

 

https://securelogin.arubanetworks.com/cgi-bin/login

Did you replace the default certificate in that controller?  If so, you need to change the redirect in ClearPass' Weblogin to whatever that certificate fqdn is...

 

 

Yup that was it, I thought i had a either/Or situation where i could use both interchangeable.  Thanks so much

same issues here, after you log on on the portal page you got a new windows with the securelogin url.

To clear it up: securelogin Aruba networks.com has to be a dns record pointing to the controller? And the guest needs to translate the dns request?

---

@jAyR wrote:
To clear it up: securelogin Aruba networks.com has to be a dns record pointing to the controller? And the guest needs to translate the dns request?

---

no i dont believe so, this is done internally by the aruba for you.

i tried nslookup when authenticated in the login site and get the Controller IP, but it still does not work.

 

Could it a be a Problem with  the "Source NAT" Configuration? My Guest VLAN is terminated by the controller and NATed to a Public IP

are you using ClearPass? can the ClearPass server be reached from the NATed address?

Yes i am using clearpass and the the clients can reach the CP Server. I have source Nat on the Guest VLAN configured to NAT the Guests out into DMZ

Sorry for doublepost, it got solved by adding a cplogout acl to the role

after changing the default redirection in clearpass i now only get a blank window after logining in the guest portal.

 

URL is : https://securelogin.arubanetworks.com/cgi-bin/http%3A%2F%2F%www.google.de%2F

 

where http://www.google.de was the url entered befor logging in.

 

The "Logout" popup is working. 

 

What am i missing?

What is the role the user gets after logging in?

the user gets an guest role,which includes CP_logout, deny_internal, allow any.

 

the logout popup is working. and when i have a "welcome page" in clearpass configured it is working too.

 

only the redirect on the page entered befor logging in is not working when nothing is configured in clearpass.

 

 

What does the captive portal authentication profile in the controller have for the welcome page URL?

in the controller is no welcome page aktivated and the default welcome page in the url setting. 

 

i thought it could be something with the role/acl, because the logout pop is working since i added the cp_logout in the guest role/acl

Do you see the browser attempting to redirect to the page in the address bar?

 

There are a number of places where this could be broken.  I would open a support case in parallel, otherwise we are just guessing here.

Yes i see that url in the adressbar of the browser

On the controller you need to type "show datapath session table <ip address of the client>" right after the client authenticates to see if anything is being blocked.

 

What version of CPPM

Controller Version 6.3.1.11, Clearpass Version 6.4.0.

 

At the moment i am waiting for TAC response and a appointment for further testing.

 

Maybe i will get a contact or some hints today at aruba roadshow

i have opened a Support Case for this one. They told me i have to use a welcome page with a script to store the original url in a cookie.

 

the welcomepage with script looks like this, but it is still not working

 

<html>
<head><script>
{
function createCookie(name,value,days){
 if(days) {
  var date=new Date();
  date.setTime(date.getTime()+(days*24*60*60*1000));
  var expires="; expires="+date.toGMTString();
 }
 else var expires="";
 document.cookie=name+"="+value+expires+"; path=/";
}
var q=window.location.search;
var errmsg=null;

if (q && q.length>1) {
 q=q.substring(1).split(/[=&]/);
 for(var i=0; i<q.length-1; i+=2){
  if(q[i] == "errmsg"){
   errmsg = unescape(q[i+1]);
   break;
  }
  if(q[i]=="host"){ 
   createCookie('url',unescape(q[i+1]),0)
  }
 }
}
if(errmsg&&errmsg.length>0){
 errmsg="<div id='errorbox'>
"+errmsg+"
</div>
";
 document.write(errmsg);
 }
}
</script>
<script>
{
function readCookie(name){
 var nameEQ = name + "=";
 var ca=document.cookie.split(';');
 for(var i=0;i<ca.length;i++) {
  var c=ca[i];
  while (c.charAt(0)==' ') c = c.substring(1,c.length);
   if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
 }
return {};
}
var cookieval=readCookie('url');
if(cookieval.length>0) document.write("<meta http-equiv=\"refresh\" content=\"2;url=http://"+cookieval+"\""+">");
}
</script>
</head>
<body bgcolor=white text=000000>
<font face="Verdana,Arial,Helvetica,sans-serif" size=+1>
<b>User Authenticated</b>
<p>In 2 seconds you will be automatically redirected to your original webpage</p>
<p>Presscontrol-d to bookmark this page.</p>
<FORM ACTION="/auth/logout.html">
<INPUT type="submit"name="logout"value="Logout">
</FORM>
</font>
</body>
</html>

Hi,

i have a cloud of IAP Managed by Airwave, how i can verify the certificate and redirection on airwave?

 

Regards

Andrea

Did you do the configuration on Airwave yourself, or did someone else do the configuration?

Hi,

i have configured my airwave, but i have not modified the default certificate.

 

Now i need to verify if this certicate is still valid, and in case understand how i can change it.

 

Regards

Andrea

You cannot change it in Airwave unless you have your Instant Clusters Managed by Airwave, or you would just web into the Instant cluster and upload a new certificate.

 

This is the exact problem I have, but I have added a wildcard *.domain.edu certificate to the management controller.  The clearpass has its own certificates, but the controller I applied the wildcard (*.domain.edu) to.  Just wondering how I put that into the system?

 

In your web login configuration, replace securelogin.arubanetworks.com with captiveportal-login.<yourwildcarddomain>.tld

Hi guys. where can l find these setting? The path