Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Help needed. Clearpass and Mobility controller

  • 1.  Help needed. Clearpass and Mobility controller

    Posted Apr 18, 2019 07:43 AM

    Hi Airheads, 

     

    I'm new here so don't blame me for asking stupid questions. 

     

    I would like to create a WPA2 SSID which then forwards the user to a captive portal where they should accept terms and conditions. 

     

    How should I go about configuring this using mobility controller and clearpass. Any step-by-step guide would be greatly appreciated. 

     

    Best Regards, 



  • 2.  RE: Help needed. Clearpass and Mobility controller

    MVP
    Posted Apr 18, 2019 12:06 PM

    TLDR: do not do it, you will regret it!

     

    Not a step by step but..

     

    On controller, configure dot1x SSID as per usual but change its default dot1x role to a captive portal role. (If you meant to say WPA2-PSK, then you would use the initial role.)

     

    This captive portal role will only be given after 802.1x auth and will then trigger the portal.

     

    On Clearpass side you need 2 services.

    1) basic dot1x service, might want to return the aruba-user-role attribute guest-logon (or whatever captive portal role you use)

    2) basic guest user auth.

     

    Mind you, this really seems pretty useless as you will be authenticating twice.

    Are you sure you need this?  Guests will bugger you non-stop because they won't trust your radius server. Internal folks will be even worse if forced to do a captive portal auth each and every time.

     

    If you REALLY, absolutely, must do this and only after disagreeing 3 times with those forcing this upon you, make sure with step 2 to save something to the endpoint repository and use that next time in service 1 so they don't get your portal every 5 mins they've been offline.


  • 3.  RE: Help needed. Clearpass and Mobility controller

    Posted Apr 22, 2019 02:53 AM
    Thanks for replying.

    I actually did mean wpa2-psk. I agree with radius for guests it would be way too much authentication.

    If we are talking about wpa2-psk could you tell me how should I configure clearpass?

    Honestly I'm finding clearpass to be quite confusing.

    Best Regards,


  • 4.  RE: Help needed. Clearpass and Mobility controller

    Posted Apr 22, 2019 04:09 AM
    Add the controller:
    - create a WPA2 SSID
    - set the initial role to a User role that contains a captive portal url that redirects the User to clearpass

    In Clearpass:
    - create a captive portal page in guest
    - in policy manager create a service that will authenticate the User when logging in to the captive portal. Use the wizards in clearpass for this

    There is no big difference with an open network or psk network when using a captive portal. The User role is leading.


  • 5.  RE: Help needed. Clearpass and Mobility controller

    Posted Apr 22, 2019 08:24 AM

    I'm a little bit stuck on configuring clearpass. 

     

    I have configured captive portal with mac auth. Right now I am having trouble finding how a user role or SSID is linked to a certain captive portal page. 

     

    Best Regards, 

     

    Artur 



  • 6.  RE: Help needed. Clearpass and Mobility controller

    Posted Apr 22, 2019 11:10 AM
    By default the ClearPass guest wizards will reject a device that is unknown. The MC will assign the initial role (configured in the AAA profile) because of the reject. After authentication a different role will be returned.
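
The controller-side steps from reply 4, and the link between a user role and a captive portal page asked about in reply 5, as an added ArubaOS CLI sketch that is not from any poster in this thread. All profile names, the 192.0.2.10 address, the portal URL, the shared secret and the passphrase are constructed placeholders; lines starting with `!` followed by text are annotations for the reader, and the syntax should be checked against the CLI reference for the ArubaOS version in use.

```text
! Constructed example: names, IPs, key and URL are placeholders.
netdestination clearpass
    host 192.0.2.10
!
! Pre-auth ACL: the client may only reach the ClearPass portal.
ip access-list session allow-clearpass
    user alias clearpass svc-https permit
    user alias clearpass svc-http permit
!
aaa authentication-server radius "cppm"
    host 192.0.2.10
    key <radius-shared-secret>
!
aaa server-group "cppm-sg"
    auth-server "cppm"
!
! The captive portal profile carries the ClearPass Guest page URL.
aaa authentication captive-portal "guest-terms-cp"
    server-group "cppm-sg"
    login-page "https://clearpass.example.com/guest/terms.php"
    default-role "guest"
!
! The user role references the profile; this is the role-to-page link.
user-role "guest-terms-logon"
    captive-portal "guest-terms-cp"
    access-list session logon-control
    access-list session allow-clearpass
    access-list session captiveportal
!
! WPA2-PSK clients land in the initial role until the portal login succeeds.
aaa profile "guest-psk-aaa"
    initial-role "guest-terms-logon"
!
wlan ssid-profile "guest-psk-ssid"
    essid "Guest-PSK"
    opmode wpa2-psk-aes
    wpa-passphrase <passphrase>
!
wlan virtual-ap "guest-psk-vap"
    aaa-profile "guest-psk-aaa"
    ssid-profile "guest-psk-ssid"
```

Keeping the pre-authentication role limited to the portal host plus the built-in `logon-control` and `captiveportal` ACLs means a client that knows the PSK still has no general network access until ClearPass returns the post-login role.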