Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Captive Portal with Multiple Web Login Pages

  • 1.  Guest Captive Portal with Multiple Web Login Pages

    Posted Oct 13, 2018 01:39 PM

    Hello,


    I'm currently developing a guest captive portal that redirects to a terms and conditions checkbox to provide anonymous public access login, with an optional hyperlink to a separate web login page with a username/password combination for contractor access (the customer's design). Surprisingly, I couldn't find any examples, or similar forum posts, in my searches, but had assumed this was a simple process of adding in the hyperlink to the header HTML code of the default anonymous Web Login page pointing to the URL of the alternate user/pass Web Login page. To clarify, I've created two separate Web Login pages to accomplish this in ClearPass Guest.

     

    This link works perfectly fine when I test it directly from internal networks, but when I have the customer test onsite from the guest SSID, apparently clicking on the link only cycles back to the original anonymous web login page with an "error connecting" message.

     

    The NAD is an Instant AP.

     

    I'm currently just looking to determine whether this is even possible (I assume it should be), and if I'm missing anything obvious in how to link to the alternate Web Login page. I assume there must be some way for ClearPass to maintain the information of the connecting client and NAD device, so possibly something needs to be included in the HTML (or JS?) to carry over this information between the web login pages?

     

    Cheers!



  • 2.  RE: Guest Captive Portal with Multiple Web Login Pages

    EMPLOYEE
    Posted Oct 14, 2018 08:18 PM

    Are all of the webpages on the ClearPass host, or are they on another external box?



  • 3.  RE: Guest Captive Portal with Multiple Web Login Pages

    Posted Oct 15, 2018 05:44 PM

    All pages are on the ClearPass host. Basically, I've created two "Web Login" pages within ClearPass Guest. One is anonymous auth, and the other is username/password.

     

    The customer wants to first be presented with a Captive Portal that allows public Internet users to simply click a Terms and Conditions button, a submit button, and they are in. But he wants contractors to be able to click on a hyperlink from that original page, that redirects them to a page that asks for a username/password.

    The captive portal redirect to the first anonymous page is working, and clicking the Terms and Conditions checkbox and submitting gets them onto the network exactly as expected. But clicking on the hyperlink to the separate username/password Web Login page simply returns to the same anonymous Web Login page.

    When I test from the "test" button within the ClearPass Guest Web Login config page, or manually go to the URL, the redirection works fine back and forth between the two.

     

    There is the possibility that something is screwed up client-side, and I've asked him to try a different client, but I was hoping to determine whether this is a supported config in the meantime, and is as simple as injecting an HTML hyperlink between two ClearPass-configured Web Login pages.

     

    Thanks for your prompt assistance!



  • 4.  RE: Guest Captive Portal with Multiple Web Login Pages

    EMPLOYEE
    Posted Oct 16, 2018 08:17 AM

    Yes, it should be as simple as putting the link in.

     

    One thing that might be a problem is if your link points to http (without the s), as port 80 traffic is redirected back to the anonymous login page.

     

    What you can/should try as well is to configure a pre-authentication role in your Instant and whitelist the ClearPass IP. Also, did you enable the automatic URL whitelisting in the captive portal config?

     

    If you trace the client actions with the Chrome Developer Tools, you can probably see where the redirect is happening on what request to better understand the issue.



  • 5.  RE: Guest Captive Portal with Multiple Web Login Pages

    Posted Oct 16, 2018 01:49 PM

    Perfect, thanks. That gives me something to start playing with, and I'm sure it's a fairly simple fix.

     

    Cheers



  • 6.  RE: Guest Captive Portal with Multiple Web Login Pages

    EMPLOYEE
    Posted Oct 15, 2018 11:57 AM

    If you change your redirect to the contractor page (or create a new one on a different SSID if you are in production), does the contractor login work then?

     

    What I would do first is to understand the exact flow for the client. So, connect a laptop to the guest SSID and run Chrome or another browser that can record and show all the requests (Ctrl-Shift-I on Windows, CMD-Option-I on Mac), then go into the network, click preserve log and follow the whole process. Then you know what redirects are happening, when the client is redirected to your IAP for the actual login, and what the response is.

     

    Do you see the RADIUS request coming into the ClearPass?

    You can check this video on how to use the developer tools and what a proper guest workflow should look like.
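
The request tracing suggested in this thread can also be done offline, as in this added example (not written by any poster in the thread): it walks a HAR export from the browser's developer tools and lists every redirect, flagging plain-HTTP requests and redirects that land on the anonymous login page. The host names, page paths and the capture itself are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

ANON_PATH = "/guest/anonymous.php"  # hypothetical name of the anonymous Web Login page

# Constructed HAR excerpt (not a real capture); hosts and page names are hypothetical.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"method": "GET", "url": "http://connectivity-check.example.net/generate_204"},
     "response": {"status": 302, "redirectURL": "",
                  "headers": [{"name": "Location",
                               "value": "https://clearpass.example.com/guest/anonymous.php"}]}},
    {"request": {"method": "GET", "url": "https://clearpass.example.com/guest/anonymous.php"},
     "response": {"status": 200, "redirectURL": "", "headers": []}},
    {"request": {"method": "GET", "url": "http://clearpass.example.com/guest/contractor.php"},
     "response": {"status": 302, "headers": [],
                  "redirectURL": "https://clearpass.example.com/guest/anonymous.php"}},
    {"request": {"method": "GET", "url": "https://clearpass.example.com/guest/contractor.php"},
     "response": {"status": 200, "redirectURL": "", "headers": []}},
]}}


def redirect_findings(har, anon_path):
    """Return (request_url, status, location, note) for each 3xx response in the capture."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if not 300 <= resp["status"] < 400:
            continue
        # HAR stores the target in redirectURL; fall back to the Location header.
        location = resp.get("redirectURL") or next(
            (h["value"] for h in resp.get("headers", [])
             if h["name"].lower() == "location"), "")
        location = urljoin(req["url"], location)  # resolve relative targets
        src, dst = urlsplit(req["url"]), urlsplit(location)
        notes = []
        if src.scheme == "http":
            notes.append("plain-HTTP request redirected")
        if dst.path == anon_path and src.path != anon_path:
            notes.append("redirected to anonymous login page")
        findings.append((req["url"], resp["status"], location, "; ".join(notes)))
    return findings


if __name__ == "__main__":
    for url, status, location, note in redirect_findings(SAMPLE_HAR, ANON_PATH):
        print(f"{status} {url} -> {location}  [{note}]")
```
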