Regular Contributor I

Re: IAP 105 and ClearPass self-registration

How can I check that the IAP and CPPM are talking ? I think the problem is here.

 

Dimitri

Regular Contributor I

Re: IAP 105 and ClearPass self-registration

Thanks John, it helps me to go further.

 

So I have opened the right ports on the firewall. Now when I connect to the WLAN, I can see in the address field:

 

https://myCCPMaddress/guest/guest_portal.php?cmd?=login&mac=mymacaddress&essid=TestWifi&ip=myIP&apname=theIAPname&vcname=controllername&switchip=securelogin.arubanetworks.com&url=http://www.google.com

 

But I don't see the login page, only "connexion has been interupted".

 

What is the missing thing ? I think I am close to the end but some problems are still here.

 

Thanks again John.

 

Dimitri

Regular Contributor I

Re: IAP 105 and ClearPass self-registration

I have found the solution, it was this: I unchecked the "Require HTTPS for guest access" checkbox.

 

Now I can create a new user and log in. But it leads to another issue. After the login, I went to a webpage with a 1 on the upper left and in the address bar: http://adressofthevc/cgi-bin/login.

 

What am I doing wrong now?

 

Thanks

 

Dimitri

MVP

Re: IAP 105 and ClearPass self-registration

When does this happen? 

 

Do you login from a device connected to the SSID on the IAP?

What does the captive portal profile on the controller look like?

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Regular Contributor I

Re: IAP 105 and ClearPass self-registration

It happens when I log in to the SSID of the IAP with my laptop for example.

 

What does the captive portal profile on the controller look like? => Where can I check this?

 

Another little issue (I am logged on to the SSID of the IAP) is that when I type for example www.google.com, an "https" is added and I get an error in the browser. If I remove the "s" in https, no problem, I can log on normally. Any idea?


Thanks


Dimitri

Regular Contributor I

Re: IAP 105 and ClearPass self-registration

About my "after" login problem, I think it's about this : when I look at my connected user in the IAP, his role is : External CP. Is it correct to have this ?

 

Thanks

 

 

MVP

Re: IAP 105 and ClearPass self-registration

Hi Dimitri, I'm creating this myself now just to see how it all connects together. Will get back to you asap :)

Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Regular Contributor I

Re: IAP 105 and ClearPass self-registration

Cool :)

 

One more piece of information: when I connect to my IAP as a guest on wifi and go check the alerts on the LAN, here is what I see:

 

"The AP cannot authenticate this client using 802.1x because the RADIUS server did not respond to the authentication request".

 

Added ----

 

One more question, do I need to configure something else in CPPM? For example a service? I think something is missing but I can't find what.

 

Thanks

MVP

Re: IAP 105 and ClearPass self-registration

So..

 

I got this working on my lab.

Now - in my setup there is no firewall between the IAP and the Clearpass so all traffic is allowed between them.

You will need to open traffic on ports TCP 80/443, UDP 1812/1813 and UDP 3799 (for CoA).

 

I'm running software 6.2.0.0-

 

I'll just run through the highlights..

 

On the IAP:

Settings / General /

  • Add your VC IP (not the same IP as your IAP has - this is the virtual one.. :))
  • Dynamic Radius Proxy = Enabled, this you enable to make sure the RADIUS messages are sent using the VC IP regardless of which IAP in the VC cluster sends the RADIUS message..

 

New Network (or edit existing)

1. WLAN Settings

  • Name: instaguest (whatever..)
  • Primary usage: Guest

 

2. VLAN

IP assignment: VC assigned (at least in my scenario)

 

3. Security (what I don't mention leave at default value)

  • Splash page type: External - RADIUS server
  • Auth server 1: Click NEW or Edit. Make sure the IP address and shared secret are correct. Might want to Enable RFC3576 for CoA.
  • Accounting: Enable (if you need accounting info)
  • IP or Hostname: "insert ip of CPPM/CPGUEST"
  • URL: /landing.php/register.php (or whatever your registration page is)
  • Redirect URL: http://www.google.com (or your homepage or just leave empty)

4. Access

When testing just select Unrestricted at first.

Once you've got it running, adjust the role and access rules as you want.

 

 

On CPPM

Create the IAP as a Radius Device using the VC IP and shared secret as previously entered

  • Configuration/Network/Device - Add device..

Now - this next part I'm not able to get as I want. Mobility Controllers send their IP address in the URL as "switchip". This way you can have multiple Controllers using the same login/self-registration by checking the "The controller will send it's IP to submit credentials". This basically redirects the client back to the NAS device to try to login with the credentials supplied.

The IAP however sends "securelogin.arubanetworks.com" with https using the built-in ssl certificate. That might be ok, but it's just different. My IPad didn't complain tho - so it might be ok..

 

On CP Guest

Edit or create a new login/self-registration

NAS login section

  • Check "Enable Guest login to NAS"
  • IP Address: securelogin.arubanetworks.com
  • Secure Login: Vendor default

 

And .. That should be it..

 

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
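
Added example (not part of the thread or of any Aruba tooling): a standard-library Python probe that builds an RFC 2865 Access-Request and sends it to UDP 1812, to check whether a RADIUS server answers across the firewall. The addresses, secret and account are constructed placeholders, and it assumes the server accepts PAP requests without a Message-Authenticator attribute.

```python
import hashlib, os, socket, struct

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password hiding from RFC 2865 section 5.2 (MD5 keystream, 16-byte blocks)."""
    padded = (password + b"\x00" * (-len(password) % 16)) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """Build a minimal Access-Request: User-Name, User-Password, NAS-IP-Address."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in (
        (1, user),                                            # User-Name
        (2, hide_password(password, secret, authenticator)),  # User-Password
        (4, socket.inet_aton(nas_ip)),                        # NAS-IP-Address
    ):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))  # code 1 = Access-Request
    return header + authenticator + attrs

def probe(server, packet, port=1812, timeout=3.0):
    """Send the request; return reply code (2 Accept, 3 Reject, 11 Challenge) or None."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, port))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout, or an unreachable error from a filtering device
            return None
    # A valid reply is at least 20 bytes and echoes our identifier.
    return reply[0] if len(reply) >= 20 and reply[1] == packet[1] else None

if __name__ == "__main__":
    # Constructed placeholders: replace with your CPPM address, the shared secret
    # entered for this sender in CPPM, and a test guest account.
    pkt = build_access_request(b"testguest", b"testpass", b"sharedsecret", "192.0.2.1")
    code = probe("192.0.2.10", pkt)
    print("no reply (firewall, or sender not registered as a device)" if code is None
          else f"RADIUS reply code {code}")
```

RFC 2865 requires a server to silently discard requests from clients it has no shared secret for, so `None` means either the path is filtered or the sending address is not defined as a device on the server. An Access-Reject (code 3) already proves the two ends are talking.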
Regular Contributor I

Re: IAP 105 and ClearPass self-registration

Thanks for the time taken on this, everything is configured exactly the same as you have written but I am still blocked after the login. Now I have this page:

 

https://securelogin.arubanetworks.com/cgi-bin/login and a number in the page

 

Any idea ?
