Aruba

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied

Can you show us the following for the role your clients are in when this happens:

 

show rights <name-of-role>

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor I

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied

I have updated the radius keys on both sides and I'm still having the same issue.

Contributor I

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied

(Aruba7210-US) #show rights ClearPassLogin

Derived Role = 'ClearPassLogin'
 Up BW:No Limit   Down BW:No Limit  
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 ACL Number = 62/0
 Max Sessions = 65535

 Captive Portal profile = 10.11.0.32

access-list List
----------------
Position  Name             Type     Location
--------  ----             ----     --------
1         ClearPass-Login  session  
2         logon-control    session  
3         captiveportal    session  

ClearPass-Login
---------------
Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    10.11.0.32   svc-http   permit                           Low                                                           4
2         user    10.11.0.32   svc-https  permit                           Low                                                           4
logon-control
-------------
Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    any                      udp 68    deny                             Low                                                           4
2         any     any                      svc-icmp  permit                           Low                                                           4
3         any     any                      svc-dns   permit                           Low                                                           4
4         any     any                      svc-dhcp  permit                           Low                                                           4
5         any     any                      svc-natt  permit                           Low                                                           4
6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
7         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                           4
captiveportal
-------------                                     
Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
2         user    any          svc-http         dst-nat 8080                           Low                                                           4
3         user    any          svc-https        dst-nat 8081                           Low                                                           4
4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

Expired Policies (due to time constraints) = 0

MVP Guru

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied

Do you have MAC caching turned on by any chance?

What do you see in Access Tracker? Do you see any REJECTs?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Aruba

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied

With this setup, you are having two issues?

1) too many redirects

2) access denied

 

For 1:

- Is this happening across browser types?

- Run show datapath session table | include <IP-of-user> at the time of the redirects to capture what is happening

 

For 2:

- What does Access Tracker give for an error when Access Denied is seen?

 

On your guest configuration page under NAS Login:

- Do you have Enable guest login to a NAS checked?

- Did you specify Aruba Networks as the vendor under NAS login?  

- Did you alter the IP address field?   It should be left at securelogin.arubanetworks.com

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

MVP Guru

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied

In addition to the suggestion made by clembo:

Can you also run the following commands:
show ip radius nas-ip
show ip radius source-interface

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied


@victorfabian wrote:
Do you have MAC caching turned on by any chance?

I'm not sure, where do I go or how do I check that?

 


@victorfabian wrote:

What do you see in Access Tracker? Do you see any REJECTs?

I do see some REJECTs. The timestamps don't seem to correlate with all my login attempts (a lot fewer rejects than attempts), but the user name shows as my MAC address and the error is user not found.

Contributor I

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied


@clembo wrote:

With this setup, you are having two issues?

1) too many redirects

2) access denied

 


Yes, that is correct; these are the two issues I have.

 


@clembo wrote:

 

For 2:

- What does Access Tracker give for an error when Access Denied is seen?

 

On your guest configuration page under NAS Login:

- Do you have Enable guest login to a NAS checked?

- Did you specify Aruba Networks as the vendor under NAS login?  

- Did you alter the IP address field?   It should be left at securelogin.arubanetworks.com

 

 


Yes, "Enable guest login to a NAS" is checked

Yes, "Aruba Networks" is set as the vendor

No, I left that field set as securelogin.arubanetworks.com

 

 


@clembo wrote:

 

For 1:

- Is this happening across browser types?

- Run show datapath session table | include <IP-of-user> at the time of the redirects to capture what is happening

 


This is pretty jumbled, is there a better way to post it?

 

(Aruba7210-US) #show datapath session table | include 10.11.254.122
10.11.0.31 10.11.254.122 17 53 12164 0/0 0 0 1 0/0/0 11 0 0 FI
10.11.0.31 10.11.254.122 6 8080 43106 0/0 0 0 0 0/0/0 1 5 529 F
10.11.0.31 10.11.254.122 6 8080 43108 0/0 0 0 0 0/0/0 1 5 529 F
10.11.0.31 10.11.254.122 6 8080 43112 0/0 0 0 0 0/0/0 1 5 529 F
10.11.0.31 10.11.254.122 6 8080 43118 0/0 0 0 0 0/0/0 1 5 529 F
10.11.0.31 10.11.254.122 6 8081 49470 0/0 0 0 0 0/0/0 5 7 778 F
10.11.0.31 10.11.254.122 6 8081 49464 0/0 0 0 0 0/0/0 5 7 778 F
10.11.0.31 10.11.254.122 6 8081 49460 0/0 0 0 0 0/0/0 5 7 778 F
10.11.0.31 10.11.254.122 6 8081 49458 0/0 0 0 0 0/0/0 7 6 726 F
10.11.0.31 10.11.254.122 6 8080 43120 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8080 43126 0/0 0 0 0 0/0/0 1 5 529 F
10.11.0.31 10.11.254.122 6 8081 49473 0/0 0 0 0 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 57877 0/0 0 0 1 0/0/0 a 0 0 F
10.11.254.122 10.11.0.31 17 50961 53 0/0 0 0 1 0/0/0 e 0 0 FCI
10.11.254.122 10.11.0.31 6 43120 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43119 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43109 8080 0/0 0 0 0 0/0/0 2 6 518 FC
10.11.254.122 10.11.0.31 6 43121 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43118 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43108 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43111 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43117 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43122 8080 0/0 0 0 0 0/0/0 2 6 518 FC
10.11.254.122 10.11.0.31 6 43110 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43116 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43123 8080 0/0 0 0 0 0/0/0 2 6 518 FC
10.11.254.122 10.11.0.31 6 43114 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43125 8080 0/0 0 0 0 0/0/0 1 6 518 FC
10.11.254.122 10.11.0.31 6 43115 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43124 8080 0/0 0 0 0 0/0/0 1 5 466 FC
10.11.254.122 10.11.0.31 17 12164 53 0/0 0 0 1 0/0/0 12 0 0 FCI
10.11.254.122 10.11.0.31 6 43106 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43112 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43107 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43126 8080 0/0 0 0 0 0/0/0 1 5 466 FC
10.11.254.122 10.11.0.31 6 43113 8080 0/0 0 0 0 0/0/0 2 6 518 FC
10.11.0.31 10.11.254.122 17 53 29803 0/0 0 0 1 0/0/0 a 0 0 FI
10.11.254.122 10.11.0.31 6 57872 8081 0/0 0 0 1 0/0/0 12 0 0 FC
10.11.0.31 10.11.254.122 17 53 50961 0/0 0 0 1 0/0/0 e 0 0 FI
10.11.254.122 10.11.0.31 6 57873 8081 0/0 0 0 1 0/0/0 12 0 0 FC
10.11.254.122 10.11.0.31 6 57877 8081 0/0 0 0 1 0/0/0 a 0 0 FC
10.11.0.31 10.11.254.122 6 8081 49471 0/0 0 0 1 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49465 0/0 0 0 1 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49461 0/0 0 0 1 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49459 0/0 0 0 1 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8080 43121 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8081 49472 0/0 0 0 1 0/0/0 6 6 726 F
10.11.0.31 10.11.254.122 6 8080 43107 0/0 0 0 1 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8080 43109 0/0 0 0 1 0/0/0 2 4 477 F
10.11.0.31 10.11.254.122 6 8080 43113 0/0 0 0 1 0/0/0 2 4 477 F
10.11.0.31 10.11.254.122 6 8080 43119 0/0 0 0 1 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8081 49453 0/0 0 0 1 0/0/0 7 9 4303 F
10.11.0.31 10.11.254.122 6 8080 43111 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8080 43115 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8080 43117 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8081 49455 0/0 0 0 0 0/0/0 7 7 778 F
10.11.0.31 10.11.254.122 6 8081 49469 0/0 0 0 0 0/0/0 6 6 726 F
10.11.0.31 10.11.254.122 6 8081 49467 0/0 0 0 0 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49463 0/0 0 0 0 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49457 0/0 0 0 0 0/0/0 7 7 778 F
10.11.0.31 10.11.254.122 6 8080 43123 0/0 0 0 0 0/0/0 2 4 477 F
10.11.0.31 10.11.254.122 6 8080 43125 0/0 0 0 0 0/0/0 1 4 477 F
10.11.0.31 10.11.254.122 6 8081 57872 0/0 0 0 1 0/0/0 12 0 0 F
10.11.254.122 10.11.0.31 6 49455 8081 0/0 0 0 0 0/0/0 7 8 1490 FC
10.11.254.122 10.11.0.31 6 49456 8081 0/0 0 0 0 0/0/0 7 8 1490 FC
10.11.254.122 10.11.0.31 6 49466 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49454 8081 0/0 0 0 0 0/0/0 7 8 1490 FC
10.11.254.122 10.11.0.31 6 49457 8081 0/0 0 0 0 0/0/0 7 8 1490 FC
10.11.254.122 10.11.0.31 6 49467 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49464 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49458 8081 0/0 0 0 0 0/0/0 7 9 1542 FC
10.11.254.122 10.11.0.31 6 49453 8081 0/0 0 0 0 0/0/0 7 12 1783 FC
10.11.254.122 10.11.0.31 6 49465 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49459 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49461 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49471 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49460 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49470 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49469 8081 0/0 0 0 0 0/0/0 6 9 1542 FC
10.11.254.122 10.11.0.31 6 49463 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49468 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49462 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.0.31 10.11.254.122 6 8081 57873 0/0 0 0 1 0/0/0 12 0 0 F
10.11.0.31 10.11.254.122 6 8081 49468 0/0 0 0 0 0/0/0 6 7 778 F
10.11.254.122 10.11.0.31 17 29803 53 0/0 0 0 0 0/0/0 a 0 0 FCI
10.11.0.31 10.11.254.122 6 8081 49466 0/0 0 0 0 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49462 0/0 0 0 0 0/0/0 6 7 778 F
10.11.0.31 10.11.254.122 6 8081 49456 0/0 0 0 0 0/0/0 7 7 778 F
10.11.0.31 10.11.254.122 6 8080 43122 0/0 0 0 0 0/0/0 2 4 477 F
10.11.0.31 10.11.254.122 6 8080 43124 0/0 0 0 0 0/0/0 1 5 529 F
10.11.254.122 10.11.0.31 6 49473 8081 0/0 0 0 0 0/0/0 6 8 1490 FC
10.11.254.122 10.11.0.31 6 49472 8081 0/0 0 0 0 0/0/0 6 9 1542 FC
10.11.0.31 10.11.254.122 6 8080 43110 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8080 43114 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8080 43116 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8081 49454 0/0 0 0 0 0/0/0 7 7 778 F
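An added example, not part of the original post or of any Aruba tooling: a short Python parser that condenses session-table output like the above into client-initiated flows per destination and port, so the repeated connections to ports 8080 and 8081 (the dst-nat targets in the captiveportal ACL shown earlier) stand out. The column order, the decimal packet/byte counters and the reading of the `C` flag as the client side of a flow are assumptions, not stated in the thread.

```python
import ipaddress
from collections import defaultdict

# Assumed column order (not stated in the thread):
# src dst proto sport dport cntr prio tos age destination tage packets bytes flags
PROTO = {"6": "tcp", "17": "udp"}

# Rows copied from the session table posted above, plus the CLI prompt line,
# which the parser must skip.
SAMPLE = """\
(Aruba7210-US) #show datapath session table | include 10.11.254.122
10.11.254.122 10.11.0.31 17 50961 53 0/0 0 0 1 0/0/0 e 0 0 FCI
10.11.254.122 10.11.0.31 6 43120 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 43119 8080 0/0 0 0 0 0/0/0 2 5 466 FC
10.11.254.122 10.11.0.31 6 49455 8081 0/0 0 0 0 0/0/0 7 8 1490 FC
10.11.0.31 10.11.254.122 6 8080 43120 0/0 0 0 0 0/0/0 2 5 529 F
10.11.0.31 10.11.254.122 6 8081 49455 0/0 0 0 0 0/0/0 7 7 778 F
"""

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def parse_sessions(text):
    """Return one dict per well-formed session row; skip prompts and noise."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or not (_is_ip(f[0]) and _is_ip(f[1])):
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": PROTO.get(f[2], f[2]),
                     "sport": int(f[3]), "dport": int(f[4]),
                     "packets": int(f[11]), "bytes": int(f[12]), "flags": f[13]})
    return rows

def summarize_client_flows(rows, client_ip):
    """Group flows the client initiated (flag C, assumed) by destination and port."""
    out = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for r in rows:
        if r["src"] == client_ip and "C" in r["flags"]:
            key = (r["dst"], r["proto"], r["dport"])
            out[key]["flows"] += 1
            out[key]["bytes"] += r["bytes"]
    return dict(out)

if __name__ == "__main__":
    summary = summarize_client_flows(parse_sessions(SAMPLE), "10.11.254.122")
    for key, v in sorted(summary.items()):
        print(*key, v["flows"], "flows", v["bytes"], "bytes")
```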

Contributor I

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied


@victorfabian wrote:
In addition to the suggestion made by clembo:

Can you also run the following commands:
show ip radius nas-ip
show ip radius source-interface


(Aruba7210-US) #show ip radius nas-ip

 

RADIUS client NAS IP address = 10.11.0.31
RADIUS client NAS IPv6 address = ::1

 

 

(Aruba7210-US) #show ip radius source-interface

 

Global radius client source IP address = 0.0.0.0, vlan 0
Global radius client source IPv6 address = ::, vlan 0
Per-server client source IPv4/6 addresses:

Contributor I

Re: Clearpass guest captive portal, aruba wireless integration, controller access denied


@clembo wrote:

With this setup, you are having two issues?

1) too many redirects

2) access denied


Yes, that is correct.

 


@clembo wrote:

 

For 2:

- What does Access Tracker give for an error when Access Denied is seen?

 

On your guest configuration page under NAS Login:

- Do you have Enable guest login to a NAS checked?

- Did you specify Aruba Networks as the vendor under NAS login?  

- Did you alter the IP address field?   It should be left at securelogin.arubanetworks.com

 

 


I do see some REJECTs. The timestamps don't seem to correlate with all my login attempts (a lot fewer rejects than attempts), but the user name shows as my MAC address and the error is user not found.

 

Yes, "Enable guest login to a NAS" is checked

Yes, "Aruba Networks" is set as the vendor

No, I left the link as securelogin.arubanetworks.com

 

 
