New Contributor

Issues with OWE transition mode and guest captive portal

I have a guest wireless network with a clearpass captive portal, and I'm having various issues with the OWE side of things.


With "Enhanced Open" on, my understanding is it turns on Opportunistic Wireless Encryption (OWE), which advertises the RFC 8110 functionality for guests to establish bidirectional encryption. The transition mode creates a hidden SSID "_owetm_SSID123456" and tells capable clients to connect to that instead.


When this first came up, I was seeing pretty obvious failures in ClearPass because the service categorization wasn't recognizing the SSID.

Initially I tried just turning off "Enhanced Open" on the network, but that actually seemed to completely break the captive portal automatically appearing for anyone, rather than just the OWE clients.

I turned Enhanced Open back on and created a new service in ClearPass to categorize the new _owetm_SSID123456 SSID. Regular users are seeing the captive portal again, but OWE clients still are not. Those OWE clients are getting the correct role, VLAN and IP address in both ClearPass and the Aruba APs. I had one manually navigate to the captive portal, which loaded; when they did the submit action they were correctly redirected to captiveportal-login.company.com.au, but it showed a 404 failure as if ClearPass had rejected the access request (screen cap attached).


I'm at a bit of an impasse in troubleshooting; the captive portal is quite annoying in that its behaviour isn't consistent with my expectations. I have a Pre-Auth role that has an access rule of "Enforce Captive Portal", and the users are getting assigned that role, but not seeing the portal.


Any ideas?

Guru Elite

Re: Issues with OWE transition mode and guest captive portal

There is no difference from CPPM's perspective between the TM BSS and the OWE BSS outside of the VSA value being different. There is no need for a separate service. Either remove the SSID rule from the service, or add the TM SSID using belongs to or regex.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
New Contributor

Re: Issues with OWE transition mode and guest captive portal

I've modified the service to use the "BELONGS_TO" operator and added the second SSID, but I still have the same issues:

An OWE client is not automatically redirected to the captive portal.

And;

Even if the OWE client manually navigates to the captive portal URL and submits the form, they get a 404 when their device submits the "https://captiveportal-login.company.com.au/cgi-bin/login" URL.


Anything else I'm missing?

MVP Guru

Re: Issues with OWE transition mode and guest captive portal

Based on your observation (client not redirected and no proper response for the login URL), it looks like the captive portal role is not properly applied. Can you check, in the cases of a legacy client and an OWE client, what the actual role is that is applied for the client (show clients, assuming you are on Instant)? Do you return the Pre-Auth role based on a MAC authentication (for bypass/MAC caching scenario)? Or do you rely on a 'reject' or no MAC authentication?


In parallel, can you please open an Aruba support case as well so they can verify what may be going wrong here?

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).