Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clearpass SSL Woes

  • 1.  Clearpass SSL Woes

    Posted Nov 15, 2018 04:13 PM

    We recently deployed AirWave + Instant APs across our school district. We ended up getting ClearPass for our captive portal after we ran into some limitations with just the internal captive portal.

    Setting up ClearPass has been relatively easy, but I've run into a few snags that are causing me to pull my hair out. The biggest being SSL cert issues.

    We loaded our cert with no issues, and if I navigate to clearpass.x.net/guest/byod-login.php I show no SSL errors and all is well. However, when I push that to an SSID in AirWave, the end user is hit with an SSL error when the captive portal loads up.

    In ClearPass Guest I have Secure Login via Https set.

    In Airwave I'm using the following settings:

    *Splash=External
    *Captive portal profile=ClearpassPortal

           -IP: IP to clearpass (tried fqdn, but didn't work)

           -URL: /guest/byod-login.php

           -Use https = enabled

           -Use VC IP in Redirect URL = Enabled

    *Mac Auth = Enabled

    *Authentication Server = Clearpass

           -RFC 3576 = Checked

           -Nas IP = Ip to VC

    *Accounting = Use auth servers

    *Accounting Mode = Auth

    *Accounting Interval = 5 min

     

    Hopefully this is a decent amount of info, I can provide more if needed. I'm sure I'm missing something simple, but at this point I think I may be too frustrated to see it. 

     



  • 2.  RE: Clearpass SSL Woes

    EMPLOYEE
    Posted Nov 15, 2018 05:01 PM
    You need to use the FQDN for the captive portal URL or you'll receive a cert error.
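
Added example, not part of the thread or of any Aruba tooling: a Python sketch of the name check a browser applies to the portal certificate, showing why an IP address in the captive portal profile fails while the FQDN passes. The SAN entries, `clearpass.example.net` and `192.0.2.10` are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def dns_name_matches(host, pattern):
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    host_labels = host.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(host_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*":
        # A wildcard covers exactly one label and never a bare TLD ("*.net").
        return len(pat_labels) > 2 and host_labels[1:] == pat_labels[1:]
    return host_labels == pat_labels

def check_portal_host(host, san_dns, san_ips):
    """Return (ok, reason) for the host configured in the captive portal profile."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal, treat as a DNS name
    if addr is not None:
        # An IP literal is compared only against iPAddress SAN entries,
        # never against the DNS names on the certificate.
        if any(addr == ipaddress.ip_address(ip) for ip in san_ips):
            return True, "IP is listed in the certificate"
        return False, "IP not in certificate: clients get a name-mismatch error"
    if any(dns_name_matches(host, p) for p in san_dns):
        return True, "FQDN matches the certificate"
    return False, "FQDN not covered by the certificate"

# Constructed sample: a certificate issued for a DNS name only, with no IP entries.
SAN_DNS = ["clearpass.example.net"]
SAN_IPS = []

if __name__ == "__main__":
    for host in ("192.0.2.10", "clearpass.example.net", "guest.example.net"):
        print(host, check_portal_host(host, SAN_DNS, SAN_IPS))
```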


  • 3.  RE: Clearpass SSL Woes

    Posted Nov 15, 2018 06:55 PM
    I did try the FQDN in place of the IP address. Instead of the SSL error I got the error in the attached screenshot.


  • 4.  RE: Clearpass SSL Woes
    Best Answer

    EMPLOYEE
    Posted Nov 16, 2018 04:07 AM

    It looks like your Instant AP can't reach ClearPass from its management port. If it isn't accessible from management, you might need to allow traffic on IP in a pre-authentication role on the Instant so the AP won't proxy the traffic.

     

    What may help as well are these videos, where there is a guest section as well. While this doesn't cover the scenario above, it does have a step-by-step guide on how the guest workflow is supposed to work.

     

    For better troubleshooting, I would use a laptop with Chrome (or equivalent) and the developer tools to trace what is happening exactly.



  • 5.  RE: Clearpass SSL Woes

    Posted Nov 16, 2018 10:30 AM

    That did the trick! Had to do a bit of digging to figure out the best way to set up a pre-auth role. But once I did I had no issues. Thanks for the help!

     

    (By the way, is there a way to set up the pre-auth role in AirWave? I had to do it via CLI.)



  • 6.  RE: Clearpass SSL Woes

    EMPLOYEE
    Posted Nov 16, 2018 11:16 AM

    Yes, you can set up just another role under Security -> Roles. Then, in step 4/Access of your SSID, after you have configured captive portal on the Security step, select Role-Based, then at the bottom of the page select the pre-auth role.

    This workflow is quite similar to the standalone WebUI.