
Clearpass guest captive portal, aruba wireless integration, controller access denied

  • 1.  Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:01 AM

    I am trying to set up a guest access portal using ClearPass 6.4 and Aruba wireless controller 6.3.1.5.

    I have been using the Aruba Wireless and ClearPass 6 Integration Guide v1.3. I have followed the guide and checked and re-done the setup several times. But I still have the same issues. The first is that I get "too many redirect" errors from browsers so they can't get to the portal. If I directly go to the guest login page I can register and then log in, but I get redirected to the controller with an "Access Denied" error.

     

    I'm not sure what I am missing, any help would be greatly appreciated.



  • 2.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:04 AM

    Make sure you add ClearPass server group under the Captive Portal Profile

    2015-01-23 11_03_12-L3 Authentication.png

     

     



  • 3.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:09 AM

    That has been set.

    Screen Shot 2015-01-23 at 9.08.24 AM.png



  • 4.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:11 AM

    Your login page only has an IP.  It needs the full URL to the page.  For example:  https://10.11.0.32/guest/logon.php



  • 5.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:17 AM

    Sorry, I had changed it at the advice of one of the boards. 

     

    I have it changed back with the same error.

     

    Screen Shot 2015-01-23 at 9.15.26 AM.png



  • 6.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:09 AM

    @drjogwa wrote:

    The first is that I get "too many redirect" errors from browsers so they can't get to the portal.

     


    Make sure you are allowing svc-http or svc-https to ClearPass in your logon role so that the captiveportal redirect ACLs don't capture that request.

     

    For example:

    netdestination CLEARPASS-SERVERS
      host x.x.x.x

    ip access-list session ALLOW-CPPM
      user   alias CLEARPASS-SERVERS svc-http  permit
      user   alias CLEARPASS-SERVERS svc-https  permit

    user-role  CPPM-LOGON
      access-list ALLOW-CPPM
      access-list logon-control
      access-list captiveportal

     



  • 7.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:13 AM

    I have it set up this way. I can connect directly to the https://10.11.0.32/guest/guest_register.login.php and it will load and work. It just doesn't seem to redirect other sites to the login page.



  • 8.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:22 AM

    Does the controller have an IP Address on the VLAN that the guests are on?  This is required for captive portal redirects to work.

     

    Also, what happens when you try to browse to http://1.1.1.1?   If this redirects properly, then you are looking at a possible DNS issue.

     

     



  • 9.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:40 AM

    Yes, I do have an address on the controller in the same vlan as the guests.

     

    If I browse to http://1.1.1.1 I get the same error.  If I browse to https://1.1.1.1 I get the certificate for securelogin.arubanetworks.com and if I accept it, then I get the same error.



  • 10.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:48 AM
    Make sure the Radius Shared Key matches on both sides


  • 11.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:04 PM

    I have updated the radius keys on both sides and I'm still having the same issue.



  • 12.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 11:48 AM

    Can you show us the following for the role your clients are in when this happens:

     

    show rights <name-of-role>



  • 13.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:07 PM

    (Aruba7210-US) #show rights ClearPassLogin

    Derived Role = 'ClearPassLogin'
     Up BW:No Limit   Down BW:No Limit  
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 62/0
     Max Sessions = 65535

     Captive Portal profile = 10.11.0.32

    access-list List
    ----------------
    Position  Name             Type     Location
    --------  ----             ----     --------
    1         ClearPass-Login  session  
    2         logon-control    session  
    3         captiveportal    session  

    ClearPass-Login
    ---------------
    Priority  Source  Destination  Service    Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------    ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    10.11.0.32   svc-http   permit                           Low                                                           4
    2         user    10.11.0.32   svc-https  permit                           Low                                                           4
    logon-control
    -------------
    Priority  Source  Destination              Service   Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------              -------   ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    any                      udp 68    deny                             Low                                                           4
    2         any     any                      svc-icmp  permit                           Low                                                           4
    3         any     any                      svc-dns   permit                           Low                                                           4
    4         any     any                      svc-dhcp  permit                           Low                                                           4
    5         any     any                      svc-natt  permit                           Low                                                           4
    6         any     169.254.0.0 255.255.0.0  any       deny                             Low                                                           4
    7         any     240.0.0.0 240.0.0.0      any       deny                             Low                                                           4
    captiveportal
    -------------                                     
    Priority  Source  Destination  Service          Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------  -------          ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    controller   svc-https        dst-nat 8081                           Low                                                           4
    2         user    any          svc-http         dst-nat 8080                           Low                                                           4
    3         user    any          svc-https        dst-nat 8081                           Low                                                           4
    4         user    any          svc-http-proxy1  dst-nat 8088                           Low                                                           4
    5         user    any          svc-http-proxy2  dst-nat 8088                           Low                                                           4
    6         user    any          svc-http-proxy3  dst-nat 8088                           Low                                                           4

    Expired Policies (due to time constraints) = 0



  • 14.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:14 PM
    Do you have MAC caching turned on by any chance?

    What do you see in Access Tracker? Do you see any REJECTs?


  • 15.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:31 PM

    @victorfabian wrote:
    Do you have MAC caching turned on by any chance?

    I'm not sure, where do I go or how do I check that?

     


    @victorfabian wrote:

    What do you see in Access Tracker? Do you see any REJECTs?

    I do see some REJECTs. The time stamps don't seem to correlate with all my login attempts (a lot fewer rejects than attempts), but the user name shows as my MAC address and the error is user not found.



  • 16.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:52 PM
    Can you please share the summary and input tab from Access Tracker?

    And also share the Enforcement policy for the MAC auth service and MAC caching service.


  • 17.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 01:10 PM

    Screen Shot 2015-01-23 at 11.07.29 AM.png

    Screen Shot 2015-01-23 at 11.07.39 AM.png

     

    Screen Shot 2015-01-23 at 11.08.04 AM.png

     

    Screen Shot 2015-01-23 at 11.08.19 AM.png



  • 18.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 01:15 PM

    Please delete the MAC address of the endpoint repository and then try again. If this helps, you may want to increase the number of unique devices allowed.

     

    2015-01-23 13_13_16-ClearPass Policy Manager - Aruba Networks.png



  • 19.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 03:11 PM

    Hi I deleted the mac endpoint.  No change in results.

     

    It seems like it is not related to the portal login.  If I connect the wireless and don't go anywhere I still get a rejected alert.



  • 20.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 01:54 PM

    Just check here once, whether you are getting an error or not...

     

     

    Image 22.jpg

     

     

    #if you found my post helpful give me kudos

    SumaN

     



  • 21.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 03:13 PM

    I do not see any Radius errors.

    Screen Shot 2015-01-23 at 12.38.22 PM.png



  • 22.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 24, 2015 12:07 AM

    Can you check like this...

     

    Filter:: category  >  contains  >  auth

     

     

     

    Image 1.jpg

     

     

    #if found my post useful give me kudos.

     

    SumaN



  • 23.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 28, 2015 03:57 PM

    You didn't provide the actual screenshot of the alert tab for the REJECT; that is the most useful one.

    As for the too many redirects, try with a tool like F12 in IE or developer tools in FF / Chrome to see what exactly redirects you and to where.



  • 24.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 03:15 PM

    I found that I only get a REJECT to appear in the access tracker when I connect to the wireless not use the portal.



  • 25.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:14 PM

    With this setup, you are having two issues?

    1) too many redirects

    2) access denied

     

    For 1:

    - Is this happening across browser types?

    - Run show datapath session table | include <IP-of-user> at the time of the redirects to capture what is happening

     

    For 2:

    - What does Access Tracker give for an error when Access Denied is seen?

     

    On your guest configuration page under NAS Login:

    - Do you have Enable guest login to a NAS checked?

    - Did you specify Aruba Networks as the vendor under NAS login?  

    - Did you alter the IP address field?   It should be left at securelogin.arubanetworks.com

     

     



  • 26.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:28 PM
    In addition to the suggestion made by clembo.

    Can you also run the following command:
    show ip radius nas-ip
    show ip radius source-interface



  • 27.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:41 PM

    @victorfabian wrote:
    In addition to the suggestion made by clembo.

    Can you also run the following command:
    show ip radius nas-ip
    show ip radius source-interface


    (Aruba7210-US) #show ip radius nas-ip

     

    RADIUS client NAS IP address = 10.11.0.31
    RADIUS client NAS IPv6 address = ::1

     

     

    (Aruba7210-US) #show ip radius source-interface

     

    Global radius client source IP address = 0.0.0.0, vlan 0
    Global radius client source IPv6 address = ::, vlan 0
    Per-server client source IPv4/6 addresses:



  • 28.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:40 PM

    @clembo wrote:

    With this setup, you are having two issues?

    1) too many redirects

    2) access denied

     


    Yes, that is correct; these are the two issues I have.

     


    @clembo wrote:

     

    For 2:

    - What does Access Tracker give for an error when Access Denied is seen?

     

    On your guest configuration page under NAS Login:

    - Do you have Enable guest login to a NAS checked?

    - Did you specify Aruba Networks as the vendor under NAS login?  

    - Did you alter the IP address field?   It should be left at securelogin.arubanetworks.com

     

     


    Yes, "Enable guest login to a NAS" is checked

    Yes, "Aruba Networks" is set as the vendor

    No, I left that field set as securelogin.arubanetworks.com

     

     


    @clembo wrote:

     

    For 1:

    - Is this happening across browser types?

    - Run show datapath session table | include <IP-of-user> at the time of the redirects to capture what is happening

     


    This is pretty jumbled, is there a better way to post it?

     

    (Aruba7210-US) #show datapath session table | include 10.11.254.122



  • 29.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:47 PM

    @clembo wrote:

    With this setup, you are having two issues?

    1) too many redirects

    2) access denied


    Yes that is correct.

     


    @clembo wrote:

     

    For 2:

    - What does Access Tracker give for an error when Access Denied is seen?

     

    On your guest configuration page under NAS Login:

    - Do you have Enable guest login to a NAS checked?

    - Did you specify Aruba Networks as the vendor under NAS login?  

    - Did you alter the IP address field?   It should be left at securelogin.arubanetworks.com

     

     


    I do see some REJECTs. The time stamps don't seem to correlate with all my login attempts (a lot fewer rejects than attempts), but the user name shows as my MAC address and the error is user not found.

     

    Yes, "Enable guest login to a NAS" is checked

    Yes, "Aruba Networks" is set as the vendor

    No, I left the link as securelogin.arubanetworks.com

     

     



  • 30.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied

    Posted Jan 23, 2015 12:48 PM

    @clembo wrote:

     

    For 1:

    - Is this happening across browser types?

    - Run show datapath session table | include <IP-of-user> at the time of the redirects to capture what is happening

     

    This is a little jumbled, so let me know if there is a better way to post it.

     

    (Aruba7210-US) #show datapath session table | include 10.11.254.122
    10.11.0.31      10.11.254.122   17   53    12164  0/0     0 0   1   0/0/0       11   0         0          FI
    10.11.0.31      10.11.254.122   6    8080  43106  0/0     0 0   0   0/0/0       1    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43108  0/0     0 0   0   0/0/0       1    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43112  0/0     0 0   0   0/0/0       1    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43118  0/0     0 0   0   0/0/0       1    5         529        F
    10.11.0.31      10.11.254.122   6    8081  49470  0/0     0 0   0   0/0/0       5    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49464  0/0     0 0   0   0/0/0       5    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49460  0/0     0 0   0   0/0/0       5    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49458  0/0     0 0   0   0/0/0       7    6         726        F
    10.11.0.31      10.11.254.122   6    8080  43120  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43126  0/0     0 0   0   0/0/0       1    5         529        F
    10.11.0.31      10.11.254.122   6    8081  49473  0/0     0 0   0   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  57877  0/0     0 0   1   0/0/0       a    0         0          F
    10.11.254.122   10.11.0.31      17   50961 53     0/0     0 0   1   0/0/0       e    0         0          FCI
    10.11.254.122   10.11.0.31      6    43120 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43119 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43109 8080   0/0     0 0   0   0/0/0       2    6         518        FC
    10.11.254.122   10.11.0.31      6    43121 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43118 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43108 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43111 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43117 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43122 8080   0/0     0 0   0   0/0/0       2    6         518        FC
    10.11.254.122   10.11.0.31      6    43110 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43116 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43123 8080   0/0     0 0   0   0/0/0       2    6         518        FC
    10.11.254.122   10.11.0.31      6    43114 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43125 8080   0/0     0 0   0   0/0/0       1    6         518        FC
    10.11.254.122   10.11.0.31      6    43115 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43124 8080   0/0     0 0   0   0/0/0       1    5         466        FC
    10.11.254.122   10.11.0.31      17   12164 53     0/0     0 0   1   0/0/0       12   0         0          FCI
    10.11.254.122   10.11.0.31      6    43106 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43112 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43107 8080   0/0     0 0   0   0/0/0       2    5         466        FC
    10.11.254.122   10.11.0.31      6    43126 8080   0/0     0 0   0   0/0/0       1    5         466        FC
    10.11.254.122   10.11.0.31      6    43113 8080   0/0     0 0   0   0/0/0       2    6         518        FC
    10.11.0.31      10.11.254.122   17   53    29803  0/0     0 0   1   0/0/0       a    0         0          FI
    10.11.254.122   10.11.0.31      6    57872 8081   0/0     0 0   1   0/0/0       12   0         0          FC
    10.11.0.31      10.11.254.122   17   53    50961  0/0     0 0   1   0/0/0       e    0         0          FI
    10.11.254.122   10.11.0.31      6    57873 8081   0/0     0 0   1   0/0/0       12   0         0          FC
    10.11.254.122   10.11.0.31      6    57877 8081   0/0     0 0   1   0/0/0       a    0         0          FC
    10.11.0.31      10.11.254.122   6    8081  49471  0/0     0 0   1   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49465  0/0     0 0   1   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49461  0/0     0 0   1   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49459  0/0     0 0   1   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8080  43121  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8081  49472  0/0     0 0   1   0/0/0       6    6         726        F
    10.11.0.31      10.11.254.122   6    8080  43107  0/0     0 0   1   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43109  0/0     0 0   1   0/0/0       2    4         477        F
    10.11.0.31      10.11.254.122   6    8080  43113  0/0     0 0   1   0/0/0       2    4         477        F
    10.11.0.31      10.11.254.122   6    8080  43119  0/0     0 0   1   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8081  49453  0/0     0 0   1   0/0/0       7    9         4303       F
    10.11.0.31      10.11.254.122   6    8080  43111  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43115  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43117  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8081  49455  0/0     0 0   0   0/0/0       7    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49469  0/0     0 0   0   0/0/0       6    6         726        F
    10.11.0.31      10.11.254.122   6    8081  49467  0/0     0 0   0   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49463  0/0     0 0   0   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49457  0/0     0 0   0   0/0/0       7    7         778        F
    10.11.0.31      10.11.254.122   6    8080  43123  0/0     0 0   0   0/0/0       2    4         477        F
    10.11.0.31      10.11.254.122   6    8080  43125  0/0     0 0   0   0/0/0       1    4         477        F
    10.11.0.31      10.11.254.122   6    8081  57872  0/0     0 0   1   0/0/0       12   0         0          F
    10.11.254.122   10.11.0.31      6    49455 8081   0/0     0 0   0   0/0/0       7    8         1490       FC
    10.11.254.122   10.11.0.31      6    49456 8081   0/0     0 0   0   0/0/0       7    8         1490       FC
    10.11.254.122   10.11.0.31      6    49466 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49454 8081   0/0     0 0   0   0/0/0       7    8         1490       FC
    10.11.254.122   10.11.0.31      6    49457 8081   0/0     0 0   0   0/0/0       7    8         1490       FC
    10.11.254.122   10.11.0.31      6    49467 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49464 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49458 8081   0/0     0 0   0   0/0/0       7    9         1542       FC
    10.11.254.122   10.11.0.31      6    49453 8081   0/0     0 0   0   0/0/0       7    12        1783       FC
    10.11.254.122   10.11.0.31      6    49465 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49459 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49461 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49471 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49460 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49470 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49469 8081   0/0     0 0   0   0/0/0       6    9         1542       FC
    10.11.254.122   10.11.0.31      6    49463 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49468 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49462 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.0.31      10.11.254.122   6    8081  57873  0/0     0 0   1   0/0/0       12   0         0          F
    10.11.0.31      10.11.254.122   6    8081  49468  0/0     0 0   0   0/0/0       6    7         778        F
    10.11.254.122   10.11.0.31      17   29803 53     0/0     0 0   0   0/0/0       a    0         0          FCI
    10.11.0.31      10.11.254.122   6    8081  49466  0/0     0 0   0   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49462  0/0     0 0   0   0/0/0       6    7         778        F
    10.11.0.31      10.11.254.122   6    8081  49456  0/0     0 0   0   0/0/0       7    7         778        F
    10.11.0.31      10.11.254.122   6    8080  43122  0/0     0 0   0   0/0/0       2    4         477        F
    10.11.0.31      10.11.254.122   6    8080  43124  0/0     0 0   0   0/0/0       1    5         529        F
    10.11.254.122   10.11.0.31      6    49473 8081   0/0     0 0   0   0/0/0       6    8         1490       FC
    10.11.254.122   10.11.0.31      6    49472 8081   0/0     0 0   0   0/0/0       6    9         1542       FC
    10.11.0.31      10.11.254.122   6    8080  43110  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43114  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8080  43116  0/0     0 0   0   0/0/0       2    5         529        F
    10.11.0.31      10.11.254.122   6    8081  49454  0/0     0 0   0   0/0/0       7    7         778        F
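
The session table posted above can be summarised per destination to see where the client's web requests actually land. The Python below is an added example, not part of the original thread: the addresses and the 8080/8081 dst-nat ports come from the output posted here, while the column layout (source, destination, protocol, source port, destination port as the first five fields) and the reading of the result are assumptions.

```python
import ipaddress
from collections import Counter
from typing import NamedTuple

# Addresses taken from the thread.
CLIENT = "10.11.254.122"      # wireless guest
CONTROLLER = "10.11.0.31"     # Aruba controller
CLEARPASS = "10.11.0.32"      # ClearPass guest portal
# dst-nat targets listed in the captiveportal ACL of the posted `show rights`.
REDIRECT_PORTS = {8080, 8081}
TCP = 6

# Rows copied from the posted `show datapath session table` output.
SAMPLE = """\
(Aruba7210-US) #show datapath session table | include 10.11.254.122
10.11.0.31      10.11.254.122   17   53    12164  0/0     0 0   1   0/0/0       11   0         0          FI
10.11.0.31      10.11.254.122   6    8080  43106  0/0     0 0   0   0/0/0       1    5         529        F
10.11.254.122   10.11.0.31      17   50961 53     0/0     0 0   1   0/0/0       e    0         0          FCI
10.11.254.122   10.11.0.31      6    43120 8080   0/0     0 0   0   0/0/0       2    5         466        FC
10.11.254.122   10.11.0.31      6    43119 8080   0/0     0 0   0   0/0/0       2    5         466        FC
10.11.254.122   10.11.0.31      6    57872 8081   0/0     0 0   1   0/0/0       12   0         0          FC
10.11.254.122   10.11.0.31      6    49455 8081   0/0     0 0   0   0/0/0       7    8         1490       FC
10.11.0.31      10.11.254.122   6    8081  49455  0/0     0 0   0   0/0/0       7    7         778        F
"""


class Session(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def parse_sessions(text):
    """Parse session rows; prompt lines and anything malformed are skipped.

    Only the first five fields are used, so it does not matter whether the
    remaining columns are space-aligned or collapsed (some are hex values).
    """
    sessions = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        try:
            ipaddress.ip_address(fields[0])
            ipaddress.ip_address(fields[1])
            proto, sport, dport = (int(x) for x in fields[2:5])
        except ValueError:
            continue
        sessions.append(Session(fields[0], fields[1], proto, sport, dport))
    return sessions


def client_destinations(sessions, client=CLIENT):
    """Count client-originated sessions per (destination, protocol, port)."""
    return Counter((s.dst, s.proto, s.dport) for s in sessions if s.src == client)


def portal_report(text, client=CLIENT):
    """Compare redirected web sessions with sessions that reach ClearPass."""
    counts = client_destinations(parse_sessions(text), client)
    redirected = sum(
        n for (dst, proto, port), n in counts.items()
        if dst == CONTROLLER and proto == TCP and port in REDIRECT_PORTS
    )
    to_clearpass = sum(
        n for (dst, proto, port), n in counts.items()
        if dst == CLEARPASS and proto == TCP and port in (80, 443)
    )
    return {
        "redirected": redirected,
        "to_clearpass": to_clearpass,
        # Assumed reading: only redirect sessions and none to the portal host
        # means the browser never got past the controller's captive portal.
        "portal_never_reached": redirected > 0 and to_clearpass == 0,
    }


if __name__ == "__main__":
    for (dst, proto, port), n in sorted(client_destinations(parse_sessions(SAMPLE)).items()):
        print(f"{CLIENT} -> {dst} proto {proto} port {port}: {n} session(s)")
    print(portal_report(SAMPLE))
```

Run against the full posted table, every TCP session from the client terminates on the controller at 8080 or 8081 and none goes to 10.11.0.32.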



  • 31.  RE: Clearpass guest captive portal, aruba wireless integration, controller access denied
    Best Answer

    Posted Feb 04, 2015 11:58 AM

    Thank you all for your help.  It was much appreciated.

     

    The issue was that guest network was not in a tunneled mode.

     

    For those with the same issues please check the virtual AP profile, for this setting.  It was set to split tunnel which was working for the captive portal to the controller. 

     

    Thank you all again.