Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP 105 and ClearPass self-registration

  • 1.  IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 08:01 AM

    Hello,

     

    I am still confused with ClearPass and I haven't found an answer in the docs or here. So here is what I would like to do:

     

    In ClearPass, I have set up a self-registration (it works, but I don't know about the NAS login; could it be done with ClearPass?) and now I need the visitor to be redirected to this self-registration when connecting to the IAP. I have read about RADIUS, NAS, ... but I am a bit lost.

     

    Can anyone give me an overview of what to do?

     

    Thanks.

     

    Dimitri



  • 2.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:00 AM

    Never done this with an IAP before, but I would assume it's the same procedure as normal.

     

    Are you using CPPM or plain CP Guest (Amigopod)?

     

    First, add the CPPM server as a RADIUS server on the IAP.

    On CPPM, create the IAP as a RADIUS device (Configuration/Network/Device).

    Use the same shared secret and make sure you have the correct IP of the IAP when entering this in CPPM.

     

    That should be enough to get the IAP and CPPM talking.

     

    Now - edit your self-registration.

    Click the NAS Vendor Settings tab

    Check for "Enable guest login for a NAS"

    • Vendor settings: Aruba Networks
    • IP address: the IP of the RADIUS device (IAP)
    • Secure login: if you're not using certificates then set this to "Send cleartext ..."
    • Save changes..

    I think most of the stuff there should still be valid. Google for Amigopod-AOS-Integration-AppNote.pdf and select the PDF that is hosted on arubanetworks.com.

     

    Let me know if this helps you, or what you get stuck on, and I'll try to elaborate.



  • 3.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:05 AM

    Hi,

     

    Thanks for this first response. I am using plain CP Guest; can I follow your procedure, or is it different from using CPPM?

     

    Thanks again.

     

    Dimitri

     

     



  • 4.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:10 AM

    Then that document is even more valid.

     

    On CP Guest you create the IAP as a NAS device under the RADIUS/NAS List tab.

     

    When you try to authenticate with it, check the logs under Support/System Logs; you should be able to see what IP address the IAP tries to access with.



  • 5.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:25 AM

    On CP Guest, I can't find the RADIUS/NAS List tab. The document is totally different from what I am seeing in CP Guest; I can't match the information.

     

    I got ClearPass Guest 6.0.1.22810.

     

    Dimitri



  • 6.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:39 AM
    Well, then you have CPPM with CP Guest. Instead of /guest in your admin URL, type /tips. Or just navigate to the IP and you should be redirected to the CPPM login.


  • 7.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:41 AM

    OK, thanks, so I use the procedure from your first post?

     

    Dimitri



  • 8.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 12, 2013 09:42 AM
    Yep. Try it and let me know how it goes.


  • 9.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 03:24 AM

    Hi again,

     

    Here is where I am now :

     

    First add the CPPM server as RADIUS server in the IAP => OK, but do I need to open the ports 1812 and 1813 on my CPPM server?

    On CPPM create the IAP as a RADIUS Device (Configuration/Network/Device) => OK, done, and if I have more IAPs, do I need to do the same for each, or is there another, faster way?

    Use the same shared secret and make sure you have the correct IP of the IAP when entering this in CPPM. => OK

     

    That should be enough to get the IAP and CPPM talking => Not working now

     

    Now - edit your self-registration.

    Click the NAS Vendor Settings tab

    Check for "Enable guest login for a NAS"

    • Vendor settings: Aruba Networks
    • IP address: the IP of the RADIUS device (IAP) => what if I need to do this with multiple IAPs?
    • Secure login: if you're not using certificates then set this to "Send cleartext ..."
    • Save changes..

    Thanks for your help.

     

    Dimitri



  • 10.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 07:45 AM

    Hehe – I see and understand your troubles…

     

    => OK, but do I need to open the ports 1812 and 1813 on my CPPM server?

     

    What kind of link do you have? If the CPPM is behind a firewall/NAT device, you will have to make sure UDP 1812/1813 and TCP 80/443 are reachable.

    The IAP needs RADIUS access to your CPPM server, so those ports need to be reachable.

    The clients on the IAP need an HTTP/HTTPS connection to the CPPM, so that too needs to be reachable through the link you have, which is the internet?

    The CPPM needs a route back to the client through the IAP.

     

    => OK, done, and if I have more IAPs

     

    Yes, you will add each of them, assuming those IAPs are at other locations and thus not part of the IAP "cluster".

     

    => IP address: the IP of the RADIUS device (IAP) => what if I need to do this with multiple IAPs?

     

    Well, in a multiple-controller scenario you would click the Dynamic address field "The Controller will send the IP to submit credentials". Also input which addresses are allowed.



  • 11.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 07:48 AM

    How can I check that the IAP and CPPM are talking? I think the problem is there.

     

    Dimitri



  • 12.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 08:47 AM

    Thanks John, it helps me to go further.

     

    So I have opened the right ports on the firewall. Now when I connect to the WLAN, I can see in the address field:

     

    https://myCCPMaddress/guest/guest_portal.php?cmd?=login&mac=mymacaddress&essid=TestWifi&ip=myIP&apname=theIAPname&vcname=controllername&switchip=securelogin.arubanetworks.com&url=http://www.google.com

     

    But I don't see the login page, only "connection has been interrupted".

     

    What is the missing thing? I think I am close to the end, but some problems are still there.

     

    Thanks again John.

     

    Dimitri



  • 13.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 09:20 AM

    I have found the solution; it was this: uncheck the "Require HTTPS for guest access" checkbox.

     

    Now I can create a new user and log in. But it leads to another issue. After the login, I land on a web page with a 1 in the upper left and, in the address bar: http://adressofthevc/cgi-bin/login.

     

    What am I doing wrong now?

     

    Thanks

     

    Dimitri



  • 14.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 10:05 AM

    When does this happen? 

     

    Do you log in from a device connected to the SSID on the IAP?

    What does the captive portal profile on the controller look like?

     



  • 15.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 14, 2013 10:13 AM

    It happens when I log in to the SSID of the IAP with my laptop, for example.

     

    What does the captive portal profile on the controller look like? => Where can I check this?

     

    Another little issue (I am logged on to the SSID of the IAP) is that when I type, for example, www.google.com, an "https" is added and I get an error in the browser. If I remove the "s" from https, no problem, I can log on normally. Any idea?


    Thanks


    Dimitri



  • 16.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 05:12 AM

    About my "after login" problem, I think it's about this: when I look at my connected user in the IAP, his role is External CP. Is it correct to have this?

     

    Thanks

     

     



  • 17.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 05:41 AM
    Hi Dimitri, I'm creating this myself now just to see how it all connects together. Will get back to you ASAP :)


  • 18.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 07:00 AM

    Cool :)

     

    One more piece of information: when I connect to my IAP as a guest on Wi-Fi and go check the alerts on the LAN, here is what I see:

     

    "The AP cannot authenticate this client using 802.1x because the RADIUS server did not respond to the authentication request".

     

    Added ----

     

    One more question: do I need to configure something else in CPPM? For example, a service? I think something is missing, but I can't find what.

     

    Thanks



  • 19.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:20 AM

    So..

     

    I got this working on my lab.

    Now - in my setup there is no firewall between the IAP and the Clearpass so all traffic is allowed between them.

    You will need to open traffic on ports TCP 80/443, UDP 1812/1813 and UDP 3799 (for CoA).

     

    I'm running software 6.2.0.0-

     

    I'll just run through the highlights..

     

    On the IAP:

    Settings / General /

    • Add your VC IP (not the same IP as your IAP has; this is the virtual one :))
    • Dynamic RADIUS Proxy = Enabled; you enable this to make sure the RADIUS messages are sent using the VC IP regardless of which IAP in the VC cluster sends the RADIUS message.

     

    New Network (or edit existing)

    1. WLAN Settings

    • Name: instaguest (whatever..)
    • Primary usage: Guest

     

    2. VLAN

    IP assignment: VC assigned (at least in my scenario)

     

    3. Security (what I don't mention leave at default value)

    • Splash page type: External - RADIUS server
    • Auth server 1: Click NEW or Edit. Make sure the IP address and shared secret are correct. You might want to enable RFC 3576 for CoA.
    • Accounting: Enable (if you need accounting info)
    • IP or Hostname: "insert IP of CPPM/CPGUEST"
    • URL: /landing.php/register.php (or whatever your registration page is)
    • Redirect URL: http://www.google.com (or your homepage, or just leave it empty)

    4. Access

    When testing, just select Unrestricted at first.

    Once you have it running, adjust the role and access rules as you want.

     

     

    On CPPM

    Create the IAP as a RADIUS Device using the VC IP and shared secret as previously entered

    • Configuration/Network/Device - Add device..

    Now, this next part I'm not able to get the way I want. Mobility Controllers send their IP address in the URL as "switchip". This way you can have multiple controllers using the same login/self-registration by checking "The controller will send its IP to submit credentials". This basically redirects the client back to the NAS device to try to log in with the credentials supplied.

    The IAP, however, sends "securelogin.arubanetworks.com" with HTTPS using the built-in SSL certificate. That might be OK, but it's just different. My iPad didn't complain, though, so it might be OK.

     

    On CP Guest

    Edit or create a new login/self-registration

    NAS login section

    • Check "Enable Guest login to NAS"
    • IP Address: securelogin.arubanetworks.com
    • Secure Login: Vendor default

     

    And... that should be it.
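To make the RADIUS side of the procedure above (and the port/reachability questions in reply 10) concrete, here is an added example that is not from the thread and not Aruba's code: it builds the Access-Request an IAP virtual controller sends to CPPM after a captive-portal (PAP) guest login, using only the Python standard library. It shows why the NAS-IP-Address and the packet's source must be the VC IP registered as the Network Device, how the PAP User-Password is hidden with the shared secret (RFC 2865 section 5.2), and how the SSID travels as the Aruba-Essid-Name vendor-specific attribute (Aruba enterprise number 14823, sub-attribute 5 in Aruba's RADIUS dictionary). The VC IP 10.0.0.10, the shared secret, the guest account, the client MAC and the `probe()` helper are constructed for this example; only `probe()` touches the network, and it runs only when you pass a CPPM host on the command line, so everything else runs offline.

```python
#!/usr/bin/env python3
"""Build (and optionally send) the RADIUS Access-Request an IAP virtual
controller would issue for a captive-portal PAP guest login.
Added example, not Aruba/ClearPass code; IPs, secret and account are made up."""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ARUBA_VENDOR_ID = 14823          # IANA enterprise number for Aruba Networks
ARUBA_ESSID_NAME = 5             # Aruba VSA sub-attribute: Aruba-Essid-Name
# Standard attribute types used below (RFC 2865).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
VENDOR_SPECIFIC, CALLING_STATION_ID, NAS_PORT_TYPE = 26, 31, 61
NAS_PORT_TYPE_WIRELESS = 19


def pap_encrypt(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Hide a PAP password per RFC 2865 s5.2: pad to 16-byte blocks, XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request
    Authenticator. This is obfuscation keyed by the shared secret, not real
    encryption, which is one reason the secret must be long and kept private."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of pap_encrypt (what the server does); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (header included), Value."""
    assert len(value) <= 253, "attribute value too long"
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def aruba_vsa(vsa_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping one Aruba sub-attribute (RFC 2865 s5.26)."""
    sub = struct.pack("!BB", vsa_type, len(value) + 2) + value
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", ARUBA_VENDOR_ID) + sub)


def build_access_request(secret: bytes, nas_ip: str, essid: str, user: str,
                         password: str, client_mac: str, ident: int = 1,
                         authenticator: bytes = b"") -> bytes:
    """Assemble the Access-Request. nas_ip is what CPPM compares with its
    Network Device entry, so with Dynamic RADIUS Proxy it must be the VC IP."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator
    attrs = (
        tlv(USER_NAME, user.encode())
        + tlv(USER_PASSWORD, pap_encrypt(secret, authenticator, password.encode()))
        + tlv(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
        + tlv(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS))
        + tlv(CALLING_STATION_ID, client_mac.encode())
        + aruba_vsa(ARUBA_ESSID_NAME, essid.encode())
    )
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def probe(host: str, packet: bytes, timeout: float = 3.0) -> str:
    """Send the request to UDP/1812 and classify the outcome. Silence usually
    means CPPM does not know the source IP as a client (it ignores such
    packets) or UDP/1812 is filtered; a Reject means the path works but the
    service or credentials are wrong (a wrong secret decrypts the PAP password
    to garbage and also yields a Reject); an Accept means the chain is good."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, 1812))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply (source IP not a known client, or UDP/1812 filtered)"
    return {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject"}.get(
        reply[0], f"code {reply[0]}")


if __name__ == "__main__":
    # Constructed lab values: VC IP, a lab-only secret and a made-up guest account.
    pkt = build_access_request(b"lab-shared-secret", "10.0.0.10", "TestWifi",
                               "guest01", "s3cret", "00-11-22-33-44-55")
    print(f"Access-Request, {len(pkt)} bytes: {pkt.hex()}")
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], pkt))
```

Run it with no arguments to see the encoded packet; run it with the CPPM address as the first argument to check the path end to end. Firewall rules are only half of the story: even with UDP/1812 open, a packet from an address that is not in Configuration > Network > Devices gets no answer at all, which looks identical to a blocked port from the IAP side.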

     

     



  • 20.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:42 AM

    Thanks for the time taken on this. Everything is configured exactly as you have written, but I am still blocked after the login. Now I have this page:

     

    https://securelogin.arubanetworks.com/cgi-bin/login and a number on the page

     

    Any idea ?



  • 21.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:46 AM
    What does the system log on the CPPM say? I'm guessing it says "Unable to authenticate - Homeserver says so". I had the same issue, but that was because I had set up an external RADIUS authentication which was checked before the CP local DB.


  • 22.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:50 AM

    Sorry, but where can I find the log?

     

    How do I set this up: an external RADIUS authentication which is checked before the CP local DB?

     

    Thanks.

     

    Dimitri



  • 23.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:53 AM
    I doubt you have the same issue, though ;) Check the CPPM Monitoring - Access Tracker and Event Viewer; there should be some RADIUS Reject messages there.


  • 24.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 10:55 AM

    On Event Viewer:

     

    Source: RADIUS
    Level: WARN
    Category: Authentication
    Action: Unknown
    Timestamp: Feb 15, 2013 16:40:35 CET
    Description:

    Ignoring request from unknown client xx.xxx.xx.xxx:xxxxx



  • 25.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:05 AM
    That is the typical message you get when the IP address of the RADIUS device is wrong. Does that IP address match the one in your device setup in CPPM?


  • 26.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:10 AM

    Yes, the VC IP is the same in the IAP-105 and under Network-Device in CPPM.

     

    Dimitri



  • 27.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:16 AM
    Weekend is here for my part, but I can have a new look on Monday.

    Have a nice weekend Dimitri!


  • 28.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 15, 2013 11:17 AM

    Thanks, have a nice weekend too.

     

    Dimitri



  • 29.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:11 AM

    After the weekend, still the same problem, and I can't find where the "bug" is. Any new ideas or something more to check?

     

    Thanks

     

    Dimitri



  • 30.  RE: IAP 105 and ClearPass self-registration

    EMPLOYEE
    Posted Feb 18, 2013 06:20 AM

    Boxcar,

     

    Do you have the IP address in the error set up as a network device in CPPM?

     

     



  • 31.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:23 AM

    cjoseph, where is the error setup in CPPM? I am not sure what you are talking about.


    Thanks



  • 32.  RE: IAP 105 and ClearPass self-registration

    EMPLOYEE
    Posted Feb 18, 2013 06:25 AM

    You said you had an error "Ignoring request from unknown client xx.xxx.xx.xxx:xxxxx"

     

    Do you have that IP address set up as a network device under Configuration> Network> Devices?

     



  • 33.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:30 AM

    No, I haven't, because it's the IP address of the CPPM and CP Guest server. Should I add it under Configuration> Network> Devices?



  • 34.  RE: IAP 105 and ClearPass self-registration

    EMPLOYEE
    Posted Feb 18, 2013 06:37 AM

    Boxcar,

     

    Let's start from scratch...

     

    You have CPPM 6.x and IAP-105s, right?

     

    Do you want to do guest self-registration?

     

     



  • 35.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 06:39 AM

    OK, that will be better.

     

    Right on both questions. I have CPPM 6 and IAP-105s. I want to do guest self-registration.



  • 36.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:10 AM

    With the help of cjoseph, everything now works fine. So a big thanks to him and the other helpers.



  • 37.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:11 AM

    So - where was the error?



  • 38.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:12 AM

    The error was about a service in CPPM that I hadn't configured as expected.



  • 39.  RE: IAP 105 and ClearPass self-registration
    Best Answer

    EMPLOYEE
    Posted Feb 18, 2013 08:25 AM

    Specifically, the default Guest Access service, which is supposed to process guest requests has a service rule that says Aruba-Essid-Name should equal "Guest SSID Name".  That guest SSID name is the one that you replace with your actual Guest SSID.  

     

    That is so that it only processes requests from your Guest SSID and nothing else.  Since the default is "Guest SSID Name", it never saw any of Boxcar's requests, until he changed it to the name of his SSID:

     

    [screenshot attachment: guest.PNG]
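The two dead ends in this thread, the "Ignoring request from unknown client" event in reply 24 and the Guest Access service that never matched (this reply), are both decisions CPPM makes before it looks at a single credential. The following added example, which is not ClearPass code and not from the thread, models those two gates in Python: the packet's source IP must match an entry in Configuration > Network > Devices or it is dropped, and then a service whose rules all match the request's attributes must exist, or nothing processes the request and the guest is rejected. The Network Devices table, the VC IP 10.0.0.10, the shared secret, the service lists and the sample Access-Request (built inline with the Aruba-Essid-Name VSA set to "TestWifi", the SSID from reply 12) are all constructed placeholders; the "EQUALS" and "BEGINS_WITH" operators are this example's own simplification of the CPPM rule editor.

```python
#!/usr/bin/env python3
"""Minimal model of what CPPM does before it looks at credentials: known-client
check, attribute decoding, then service classification by rule.
Added example on constructed data; not ClearPass code."""
import struct
from typing import Optional

VENDOR_SPECIFIC = 26
ARUBA_VENDOR_ID = 14823          # IANA enterprise number for Aruba Networks
STD_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 31: "Calling-Station-Id"}
ARUBA_NAMES = {5: "Aruba-Essid-Name"}

# Configuration > Network > Devices, as {NAS IP: shared secret}. With Dynamic
# RADIUS Proxy the VC IP is the source of every RADIUS packet from the cluster,
# so that is the address that must be listed. (Constructed lab values.)
NETWORK_DEVICES = {"10.0.0.10": b"lab-shared-secret"}


def parse_attributes(packet: bytes) -> dict:
    """Decode the Type/Length/Value list after the 20-byte RADIUS header,
    unwrapping Aruba vendor-specific attributes into their own names."""
    attrs = {}
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > len(packet):
            raise ValueError("malformed attribute length")
        val = packet[pos + 2:pos + ln]
        if t == VENDOR_SPECIFIC and len(val) >= 6:
            vendor = struct.unpack("!I", val[:4])[0]
            if vendor == ARUBA_VENDOR_ID:
                sub_t, sub_ln = val[4], val[5]
                name = ARUBA_NAMES.get(sub_t, f"Aruba-VSA-{sub_t}")
                attrs[name] = val[6:4 + sub_ln].decode(errors="replace")
        elif t == 4 and len(val) == 4:
            attrs["NAS-IP-Address"] = ".".join(str(b) for b in val)
        elif t in STD_NAMES:
            attrs[STD_NAMES[t]] = val.decode(errors="replace")
        pos += ln
    return attrs


# Services in evaluation order; each rule is (attribute, operator, value) and a
# service is selected when all of its rules match. SERVICES_DEFAULT mirrors the
# stock Guest Access service with its placeholder SSID still in place.
SERVICES_DEFAULT = [("Guest Access", [("Aruba-Essid-Name", "EQUALS", "Guest SSID Name")])]
SERVICES_FIXED = [("Guest Access", [("Aruba-Essid-Name", "EQUALS", "TestWifi")])]


def rule_matches(attrs: dict, rule) -> bool:
    attr, op, want = rule
    have = attrs.get(attr)
    if have is None:
        return False                     # an absent attribute never matches
    if op == "EQUALS":
        return have == want
    if op == "BEGINS_WITH":
        return have.startswith(want)
    raise ValueError(f"unsupported operator {op}")


def classify(attrs: dict, services) -> Optional[str]:
    """First service whose rules all match, or None (no policy will run)."""
    for name, rules in services:
        if all(rule_matches(attrs, r) for r in rules):
            return name
    return None


def handle(src_ip: str, src_port: int, packet: bytes, services) -> str:
    """Return the log line this request would leave behind."""
    if src_ip not in NETWORK_DEVICES:
        # Dropped with no reply on the wire; only the Event Viewer records it.
        return f"Ignoring request from unknown client {src_ip}:{src_port}"
    attrs = parse_attributes(packet)
    service = classify(attrs, services)
    if service is None:
        return (f"REJECT {attrs.get('User-Name')}: no service matched "
                f"(Aruba-Essid-Name={attrs.get('Aruba-Essid-Name')!r})")
    return f"{service}: authenticating {attrs.get('User-Name')} on ESSID {attrs['Aruba-Essid-Name']}"


def _tlv(t: int, v: bytes) -> bytes:
    return struct.pack("!BB", t, len(v) + 2) + v


def sample_request() -> bytes:
    """Constructed Access-Request: guest01 on ESSID TestWifi from NAS 10.0.0.10.
    The Request Authenticator is zeroed because nothing here verifies it."""
    attrs = (_tlv(1, b"guest01") + _tlv(4, bytes([10, 0, 0, 10]))
             + _tlv(26, struct.pack("!I", ARUBA_VENDOR_ID) + _tlv(5, b"TestWifi")))
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + b"\x00" * 16 + attrs


if __name__ == "__main__":
    pkt = sample_request()
    print(handle("10.0.0.99", 40000, pkt, SERVICES_DEFAULT))  # not a Network Device
    print(handle("10.0.0.10", 40000, pkt, SERVICES_DEFAULT))  # placeholder rule
    print(handle("10.0.0.10", 40000, pkt, SERVICES_FIXED))    # rule set to TestWifi
```

The three calls at the bottom reproduce the thread in order: the unknown-client drop, then a known client whose request matches no service, then the working state once the rule names the real SSID. The practical lesson is that service rules match on the exact attribute value the NAS sends, so check the ESSID (and any other attribute you key on) in Access Tracker's request details rather than assuming it.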



  • 40.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:31 AM
    Thanks cjoseph! I hate having a loose end in a thread :)


  • 41.  RE: IAP 105 and ClearPass self-registration

    EMPLOYEE
    Posted Feb 18, 2013 08:33 AM

    jsolb,

     

    BOTH of us don't like loose ends to a thread!

     

    Big thanks to Boxcar for his patience!



  • 42.  RE: IAP 105 and ClearPass self-registration

    Posted Feb 18, 2013 08:37 AM

    Big thanks to you both !

     

    Boxcar