New Contributor

Clearpass SSL Woes

We recently deployed airwave + instant APs across our school district. We ended up getting clearpass for our captive portal after we ran into some limitations with just the internal Captive portal. 

 

Setting up clearpass has been relatively easy but I've run into a few snags that are causing me to pull my hair out. The biggest being SSL cert issues.

 

We loaded our cert with no issues and if I navigate to clearpass.x.net/guest/byod-login.php I show no ssl errors and all is well. However, when I push that to an ssid in airwave, the end user is hit with an ssl error when the captive portal loads up.

 

In clearpass guest I have Secure Login via Https set.

In Airwave I'm using the following settings:

*Splash=External
*Captive portal profile=ClearpassPortal

       -IP: IP to clearpass (tried fqdn, but didn't work)

       -URL: /guest/byod-login.php

       -Use https = enabled

       -Use VC IP in Redirect URL = Enabled

*Mac Auth = Enabled

*Authentication Server = Clearpass

       -RFC 3576 = Checked

       -Nas IP = Ip to VC

*Accounting = Use auth servers

*Accounting Mode = Auth

*Accounting Interval = 5 min

 

Hopefully this is a decent amount of info; I can provide more if needed. I'm sure I'm missing something simple, but at this point I think I may be too frustrated to see it.

 

Guru Elite

Re: Clearpass SSL Woes

You need to use the FQDN for the captive portal URL or you'll receive a cert error.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
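
Why an IP in the captive portal profile triggers a certificate error while the FQDN does not, shown as an added example that is not part of the original posts: browsers compare the host in the redirect URL against the certificate's subjectAltName entries. The certificate contents and the address `192.0.2.10` are constructed assumptions; `clearpass.x.net` is the placeholder name from the thread.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# assumed certificate contents, not taken from a real deployment.
SAMPLE_CERT = {
    "subject": ((("commonName", "clearpass.x.net"),),),
    "subjectAltName": (("DNS", "clearpass.x.net"),),
}

def _dns_match(pattern, host):
    """Match one DNS SAN entry; a wildcard covers only the left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def portal_host_matches(cert, portal_host):
    """Return True if the certificate is valid for the host in the redirect URL."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(portal_host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an "IP Address" SAN, never a DNS name or CN.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, portal_host)
               for kind, value in sans)

def check_portal_hosts(cert, hosts):
    """Map each candidate captive-portal host to whether clients would accept the cert."""
    return {h: portal_host_matches(cert, h) for h in hosts}

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the ClearPass IP.
    results = check_portal_hosts(SAMPLE_CERT, ["192.0.2.10", "clearpass.x.net"])
    for host, ok in results.items():
        print(f"{host}: {'OK' if ok else 'certificate name mismatch'}")
```

To check a live server, pass the dictionary from `ssl.SSLSocket.getpeercert()` in place of `SAMPLE_CERT`.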
New Contributor

Re: Clearpass SSL Woes

I did try the fqdn in place of the IP address. Instead of the ssl error I got the error in the attached screenshot.
MVP Guru

Re: Clearpass SSL Woes

It looks like your Instant AP can't reach ClearPass from its management port. If it isn't accessible from management, you might need to allow traffic on IP in a pre-authentication role on the Instant so the AP won't proxy the traffic.

 

What may help as well are these videos, where there is a guest section as well. Although this doesn't cover the scenario above, it does have a step-by-step guide on how the guest workflow is supposed to work.

 

For better troubleshooting, I would use a laptop with Chrome (or equivalent) and the developer tools to trace what is happening exactly.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
New Contributor

Re: Clearpass SSL Woes

That did the trick! Had to do a bit of digging to figure out the best way to set up a pre-auth role. But once I did I had no issues. Thanks for the help!

 

(By the way, is there a way to set up the pre-auth role in airwave? I had to do it via cli.)

MVP Guru

Re: Clearpass SSL Woes

Yes, you can set up just another role under Security -> Roles. Then in step 4/Access of your SSID after you configured captive portal on the Security step, select Role-Based then on the bottom of the page select the pre-auth role:

Screen Shot 2018-11-16 at 5.12.43 PM.png

This workflow is quite similar to the standalone WebUI.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).