Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IAP + ClearPass Self Registration / Captive Portal

  • 1.  IAP + ClearPass Self Registration / Captive Portal

    Posted Aug 07, 2019 01:17 AM

    Hello,

    I have a ClearPass server in version 6.8 in use.
    Since this server is not operated at my home, I address it via an external IP address.

    Connected there are two different IAP clusters, which I manage with Central.

    802.1x Authentication works without problems.
    However, the Captive Portal gives me a headache.

    -- The Captive Portal can be integrated into the SSID without any problems.
    -- The Self Registration or Authentication works without problems.
    -- After that I will be redirected to the "Register" or Login page again and again.

     

    I guess this is due to the following settings of the NAS server:

     

    -- I can adjust the NAS server at the normal Captive Portal as well as at the Self Registration page. Here the login method is adjusted.
    Default is: Controller initialized.
    There is an item "IP address".
    By default it says "securelogin.arubanetworks.com" in it.

    As far as I know there should be the IP or name of the controller that is requesting.

    In my Integration Guide this is not adapted at all.
    Unfortunately I didn't find that much information...

    As I said: the IAP are in the LAN, the CPPM external, but reach each other.

     

    What is the best way to do this?

    Or is there another possibility, another login method?

     

    Best Regards

     



  • 2.  RE: IAP + ClearPass Self Registration / Captive Portal
    Best Answer

    Posted Aug 08, 2019 04:50 AM

    I found out a workaround myself.

     

    1. I have configured "dynamic Address" under "Nas Vendor Settings"

    2. Everything else was left to default

     

    Instead of a Guest Application Service, you now need a RADIUS service for the user authentication.

     

    There I set a filter based on SSIDs.

     

    Everything like auth, accounting works fine now.



  • 3.  RE: IAP + ClearPass Self Registration / Captive Portal

    Posted Nov 21, 2019 05:14 AM

    Hi,

    You are talking about a NAS server; do you mean the ClearPass?

    I don't know where to find the point "dynamic Address" under "Nas Vendor Settings".

    Can you please assist? I am a rookie in ClearPass.

    Thank you



  • 4.  RE: IAP + ClearPass Self Registration / Captive Portal

    Posted Nov 21, 2019 05:32 AM

    Hi,

     

    you will find it here:

     

    ClearPass Guest --> Config --> Pages --> Self-Registrations 

    --> <your Site> --> Edit 

     

    In the right Corner --> "NAS Vendor Settings"


     

    To be honest, in the meantime I had a better experience with using named certificates on the Instant cluster.

     

    One other possibility is to use an already existing wildcard.

    If you use an existing wildcard you need:

    -- Wildcard cert (only DV, no EV)

    -- A DNS alias

     

    In ClearPass you will configure this DNS alias:

    captiveportal-login.yourdomain.com

     

    The Controller/Virtual Controller will listen to this default name (captiveportal-login) and hijack the client request :)

     

    Regards