Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Instant & CPPM - CPGuest Portal not sending radius request to CPPM

  • 1.  Instant & CPPM - CPGuest Portal not sending radius request to CPPM

    Posted Mar 27, 2019 09:29 AM

    Hello there,

     

    I am facing a strange issue since I changed the certificates on my Instant VC and my CPG portal.

     

    All was working before.

     

    When a user is registered and enabled from SR portal, he is getting a register loop.

     

    On CPPM, there is no log in the Access Tracker.

     

    I am using :

    - Self Registration portal from CP Guest

    - User authentication with mac caching policies on CPPM

    - Instant VC running 6.5.4.12 with 205 and 305 IAPs

     

    Here's my Instant configuration :

     

    name ctl.portail-guest.com
    dynamic-radius-proxy
    
    mas-integration
    extended-ssid
    
    
    
    wlan access-rule Guests
     index 5
     rule 10.33.10.230 255.255.255.255 match any any any permit
     rule 10.33.0.0 255.255.0.0 match any any any deny
     rule any any match any any any permit
    
    wlan access-rule role_preauth_guest
     index 7
      captive-portal external profile www.portail-guest.com
     rule 10.33.10.230 255.255.255.255 match tcp 443 443 permit
     rule 10.33.10.230 255.255.255.255 match tcp 80 80 permit
     rule 8.8.8.8 255.255.255.255 match udp 53 53 permit
     rule 8.8.4.4 255.255.255.255 match udp 53 53 permit
     rule alias www.portail-guest.com match tcp 80 80 permit
     rule alias www.portail-guest.com match tcp 443 443 permit
     rule alias ctl.portail-guest.com match tcp 443 443 permit
     rule alias ctl.portail-guest.com match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 80 80 permit
     rule masterip 0.0.0.0 match tcp 443 443 permit
     rule apnetwork 0.0.0.0 match tcp 80 80 permit
     rule apnetwork 0.0.0.0 match tcp 443 443 permit
     rule any any match any any any deny
    
    
    
    wlan ssid-profile Guests
     enable
     index 3
     type guest
     essid Guests
     opmode opensystem
     max-authentication-failures 0
     vlan 60
     auth-server CPPM
     set-role-pre-auth role_preauth_guest
     rf-band all
     captive-portal external profile www.portail-guest.com
     dtim-period 1
     broadcast-filter arp
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
    
    
    wlan auth-server CPPM
     ip 10.33.10.230
     port 1812
     acctport 1813
     timeout 30
     key a14b790a22d3b7fe53b6bdc8b06e8979dd305b0cf5bd3855
     nas-ip 10.200.0.230
     nas-id ctl.portail-guest.com
     rfc3576
     cppm-rfc3576-port 5999
     service-type-framed-user 1x
     service-type-framed-user cp
    
    
    
    wlan external-captive-portal www.portail-guest.com
     server www.portail-guest.com
     port 80
     url "/guest/inscription_guest.php"
     auth-text ""
     redirect-url "http://www.google.fr"
     auto-whitelist-disable
    
    

    Any ideas why my VC is not sending a RADIUS auth request when my client device is redirected after successful registering?

    And I don't understand why it has stopped running after changing SSL certificates...

     

    Many thanks



  • 2.  RE: Instant & CPPM - CPGuest Portal not sending radius request to CPPM

    EMPLOYEE
    Posted Mar 27, 2019 02:08 PM

    Hello,

     

    Did you change just the certificate, or the hostname of the controller too?

    I would check a few things below first:

    1. Is the client able to resolve the hostname of the controller? Nslookup etc.

    2. When you enter the credentials and click on login on the client, what is the URL that it is trying to post the credentials to?

    3. A pcap from the client machine would show whether the client is able to post the credentials or is failing.

    4. If the client is not able to post the credentials and is failing, we need to look at the ACLs.

     

    You mentioned it was working before and stopped working after you updated the certificate. Did the CN name change on the certificate? If yes, we need to update the CN name in the ClearPass Guest configuration, under NAS vendor settings.

     

    --

     



  • 3.  RE: Instant & CPPM - CPGuest Portal not sending radius request to CPPM
    Best Answer

    Posted Mar 28, 2019 09:42 AM
    Many thanks for sharing your findings.

    I finally resolved the issue:

    I changed the previous signed SSL certificate with a wildcard certificate.
    I needed to change the CN name on the Guest NAS vendor settings to captiveportal-login.mydomain.com.

    All is working fine now.

    I am a little bit confused about certificate configuration with Instant APs... Is there any guide covering certificate import and the specific process for wildcard certificates?
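
The check behind the fix in post 3, as an added example that is not part of the original thread or of any Aruba tooling: it tests whether the hostname the guest login form posts to is covered by the names on the captive-portal certificate, using single-label wildcard matching. The wildcard name `*.mydomain.com` is an assumption (the thread only says "wildcard certificate"), and the function names are hypothetical.

```python
# Added example: does the captive-portal certificate cover the login hostname?
# Wildcard rule used: "*" is allowed only as the whole left-most label and
# stands for exactly one label (the common RFC 6125 interpretation).

def name_matches(cert_name, host):
    """True if one certificate DNS name covers host."""
    pat = cert_name.lower().rstrip(".").split(".")
    labels = host.lower().rstrip(".").split(".")
    if len(pat) != len(labels):
        return False  # a wildcard never spans more than one label
    if pat[0] == "*":
        # require at least two fixed labels after the wildcard ("*.com" is rejected)
        return len(pat) >= 3 and pat[1:] == labels[1:]
    return pat == labels


def check_login_host(login_host, cert_names):
    """Report which certificate names, if any, cover the login hostname."""
    covering = [n for n in cert_names if name_matches(n, login_host)]
    return {"login_host": login_host, "ok": bool(covering), "matched_by": covering}


def audit(cert_names, candidates):
    """Check every hostname the portal might be told to post credentials to."""
    return [check_login_host(h, cert_names) for h in candidates]


# Assumed name on the new wildcard certificate (not stated in the thread).
NEW_CERT_NAMES = ["*.mydomain.com"]

CANDIDATES = [
    "captiveportal-login.mydomain.com",  # value set in NAS vendor settings (post 3)
    "ctl.portail-guest.com",             # VC name from the posted Instant config
    "login.guest.mydomain.com",          # constructed: two labels below the wildcard
    "mydomain.com",                      # constructed: the bare apex
]

if __name__ == "__main__":
    for result in audit(NEW_CERT_NAMES, CANDIDATES):
        status = "OK      " if result["ok"] else "MISMATCH"
        print(status, result["login_host"], result["matched_by"])
```

A hostname reported as MISMATCH is one the client browser will not accept under this certificate, so the credential POST to the VC fails and no RADIUS request reaches CPPM.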


  • 4.  RE: Instant & CPPM - CPGuest Portal not sending radius request to CPPM

    EMPLOYEE
    Posted Mar 28, 2019 02:32 PM

    Hello Jeremy,

     

    Great news, I am glad that I was helpful for you. I would recommend looking at the Aruba Instant user guide and also this article, which should also explain installing a cert on an IAP:

    https://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-Create-a-Certificate-for-Instant-Captive-Portal-using/ta-p/277025

     

     

    --