Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Multiple captive portals on one SSID

  • 1.  Multiple captive portals on one SSID

    Posted Aug 09, 2016 01:59 PM

    I was hoping that someone could look over what I've done and suggest ways to make it better... or explain how I'm actually re-inventing the wheel and could have done it in fewer steps.


    We have a single SSID, call it 'guest', (and we only want to use single SSID for this sort of thing).


    What I want, though, is multiple captive portals accessible from this one SSID for, say, multiple simultaneous conferences in different locations.


    I could have a 'menu' web page as the captive portal page with links to each conference CP but that requires users to know which conference they're at and I don't want to assume that level of cognitive ability.


    So, I put together a configuration in Clearpass (my first as it happens) which does this:


    1. Controller is configured with a logon role which does MAC authentication to Clearpass CPPM.

    2. The associated Clearpass Service is 'Allow all MAC AUTH' and acts as a way of obtaining information such as 'AP Name' from the RADIUS request. 

    3. The Enforcement Policy for this Service says something like "if the Connection:AP-Name begins with AP-CONF1 then use Enforcement profile 'Conf1 Captive Portal'" or "if the Connection:AP-Name begins with AP-CONF2 then use Enforcement profile 'Conf2 Captive Portal'".

    4. The 'ConfX Captive Portal' profiles send back the RADIUS attribute Aruba-User-Role with the value of 'confX-captive-portal-logon', where X represents a conference.

    5. On the controller are matching user roles with L3 Captive Portal authentication profiles of 'Conf1', 'Conf2' etc. etc.

    6. These Captive Portal profiles each have a Login Page URL entry corresponding to a Web Login page on Clearpass Guest. 

    7. Each Web Login page is specific to a particular conference.


    Thus, when a client connects, ClearPass spots the AP name and sends back a user role which corresponds to the conference being held using those APs. (In this example the APs are named for their buildings and we only have one conference at a time per building.) Then the client's web request is redirected to the captive portal for that conference.


    The approach is a bit simplistic in its logic but for each conference it requires


    1. An edit to the Enforcement Policy to add/remove the conditions

    2. An Enforcement Profile

    3. A user Role on the controller

    4. An L3 Captive Portal Authentication profile on the controller

    5. A Web Login page on Clearpass Guest.


    Is there a more efficient and elegant way of doing this, preferably one that doesn't require steps 3 and 4? It would be nice if the Enforcement Policy could simply say 'If Name begins XXXX, send back generic-captive-portal-role' and then have a generic-captive-portal-role on the controller which redirects to a generic captive portal URL, and that page picks up some saved attribute associated with the MAC AUTH to say 'redirect to the appropriate Web Login'.


    Mike




  • 2.  RE: Multiple captive portals on one SSID

    EMPLOYEE
    Posted Aug 09, 2016 02:05 PM
    I've done this in the past. Based on your requirements, that's the best way
    to do it.



    You can create generic role names and captive portal profiles to make it
    easier:



    user-role conf-a

    aaa authentication captive-portal conf-a





    Makes it easier to track everything.


  • 3.  RE: Multiple captive portals on one SSID

    Posted Aug 09, 2016 04:12 PM

    Thanks for that. Good to know I'm on the right path.


    Is it likely that a future version of Clearpass will implement a way to support multiple captive portal like this internally, without the need for special controller config?



  • 4.  RE: Multiple captive portals on one SSID

    EMPLOYEE
    Posted Aug 09, 2016 04:17 PM
    It really has nothing to do with ClearPass. ClearPass can support thousands of captive portals.

    Something that would make your policy a bit more simple would be to leverage AP group names instead of trying to match on individual names.

    Also, something you could try on the ClearPass side would be using JavaScript to parse out the AP group from the URL redirect and do a conditional redirect to another page based on that value.


  • 5.  RE: Multiple captive portals on one SSID

    MVP
    Posted Aug 29, 2016 10:13 AM

    Tim,


    Do you have an example of a javascript code that works? I've been looking for generic code, but can't find anything reliable. Does Cisco WLC also send AP name in URL redirect? I'm hoping to accomplish this with location-based captive portal based on AP naming.


    Thanks.



  • 6.  RE: Multiple captive portals on one SSID

    EMPLOYEE
    Posted May 31, 2017 06:39 PM

    I have the exact same requirement of location-based captive portal for Cisco and Aruba WLC. Apparently the Cisco WLC would append the AP MAC in the login URL. Could you make it work, and can you share the details?



  • 7.  RE: Multiple captive portals on one SSID

    EMPLOYEE
    Posted Jun 01, 2017 09:17 PM

    Create a new generic page that all clients will be redirected to.

    Add if then statements to redirect the user to the correct page based on the apgroup URL parameter:

    Example:

    {if $apgroup == "SJ"}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/sj-reg.php">
    {elseif $apgroup == "SF"}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/sf-reg.php">
    {else}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/fallback-page.php">
    {/if}


  • 8.  RE: Multiple captive portals on one SSID

    Posted Aug 26, 2018 04:29 PM

    Hello community,


    Our customer isn't working with AP groups per location, but the AP name always starts with the location. It always looks like this: F4-AP01. I need an operator like "starts with" or maybe a wildcard in the condition to get this running. Will this script work:

    {if $apname == "F4-*"}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/sj-reg.php">
    {elseif $apname == "R8-*"}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/sf-reg.php">
    {else}
    <meta http-equiv="refresh" content="0;url=https://clearpass.server/guest/fallback-page.php">
    {/if}

    Thanks for your help
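Post 4 suggests doing the per-location choice in JavaScript on a single generic page, and post 8 needs a "starts with" match on the AP name rather than an exact match on the AP group. The block below is an added example written for this thread, not code from the posters or from HPE Aruba; it assumes the controller appends the values as `apname` and/or `apgroup` query parameters (the names used in the thread) and that the landing pages live on a hypothetical host `clearpass.server`. The important design point is that the target URL is looked up in a fixed table rather than built from the query string, so a client that tampers with the redirect URL can only reach one of the listed portal pages, never an arbitrary site.

```javascript
// Added example (not from the thread): choose a conference-specific ClearPass Guest
// web login page from the AP name or AP group carried in the redirect URL.
// Assumptions: query parameters "apname"/"apgroup" and the host "clearpass.server"
// are hypothetical placeholders taken from the thread's examples.

// Fixed allowlist: location prefix -> landing page. Only these URLs are ever used,
// so a tampered query string cannot turn the generic page into an open redirect.
const PORTAL_BY_PREFIX = {
  F4: "https://clearpass.server/guest/f4-reg.php",
  R8: "https://clearpass.server/guest/r8-reg.php",
  SJ: "https://clearpass.server/guest/sj-reg.php",
};
const FALLBACK_PORTAL = "https://clearpass.server/guest/fallback-page.php";

// Derive the location key. Prefer an explicit apgroup (exact match); otherwise use
// the text before the first "-" of apname, so "F4-AP01" yields "F4" (a "starts with"
// match on the naming convention from post 8). Returns null when neither is present.
function locationKey(params) {
  const group = params.get("apgroup");
  if (group) return group.trim().toUpperCase();
  const name = params.get("apname");
  if (name) return name.split("-")[0].trim().toUpperCase();
  return null;
}

// Decide where to send the client. Always returns an allowlisted URL, and never
// throws on a malformed or missing parameter, so the login page cannot get stuck.
function chooseRedirect(href) {
  let params;
  try {
    params = new URL(href).searchParams;
  } catch (e) {
    return FALLBACK_PORTAL; // not a parseable URL
  }
  const key = locationKey(params);
  if (key !== null && Object.prototype.hasOwnProperty.call(PORTAL_BY_PREFIX, key)) {
    return PORTAL_BY_PREFIX[key];
  }
  return FALLBACK_PORTAL;
}

// Constructed sample redirect URLs (not captured from a real controller).
const SAMPLES = [
  "https://clearpass.server/guest/generic.php?apname=F4-AP01&mac=00-11-22-33-44-55",
  "https://clearpass.server/guest/generic.php?apgroup=sj",
  "https://clearpass.server/guest/generic.php?apname=ZZ-AP09",
  "https://clearpass.server/guest/generic.php?apname=..%2F..%2Fsomewhere-else",
  "https://clearpass.server/guest/generic.php",
];

if (typeof window !== "undefined" && window.location) {
  // In the browser, on the generic page: perform the redirect.
  window.location.replace(chooseRedirect(window.location.href));
} else {
  // Outside a browser (e.g. node), just show the decisions for the samples.
  for (const s of SAMPLES) console.log(s, "->", chooseRedirect(s));
}
```

Because the table is keyed on the prefix only, adding a conference means adding one table entry; the page itself, the controller role and the captive portal profile stay generic. The unknown prefix and the path-traversal-looking value both land on the fallback page, which is the behaviour you want to verify when testing the page.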



  • 9.  RE: Multiple captive portals on one SSID

    Posted Oct 31, 2018 03:08 PM

    How did you manage to get the AP name or AP group appended in the login URL?