Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

NAS Logon from self registration fails but separate login pages work fine with same user

  • 1.  NAS Logon from self registration fails but separate login pages work fine with same user

    Posted Aug 26, 2016 04:02 AM

    Hi all, hoping someone can help me with a weird issue I've been troubleshooting today.

     

    New ClearPass Guest install (6.5.6) tied to Aruba 7005 (6.4.x). Terminating IAP GRE tunnels onto the controller and then doing wired AAA against the VLAN to enforce captive portal for tunneled guest users.

     

    Have a self registration workflow up and running which is configured for username auth only (the register and receipt forms modified accordingly).

     

    Controller running a wildcard cert so all redirects from ClearPass are set to captiveportal-login.client.domain. All forms using HTTPS.

     

    When a user gets to the receipt page and clicks the login button (after sponsor enabled), the browser redirects to captiveportal-login.x.x.x and then redirects back to the register page with the following URL: guest/register.php?errmsg=Access%20denied&_browser=1

     

    Can't see any RADIUS request in CPPM, so I think the controller is rejecting, but buggered if I can tell why.

     

    I created a separate login page with username auth and same URL enabled. The user login works fine. 

     

    So it's something about the login button on the self registration receipt page. 

     

    Any pointers? I've spent 2 hours by myself and with TAC today and have run out of ideas. It has to be something small I've missed!

     

    Scott

     



  • 2.  RE: NAS Logon from self registration fails but separate login pages work fine with same user

    EMPLOYEE
    Posted Aug 27, 2016 05:54 AM

     If you have spent 2 hours with TAC today, it could be challenging for us to make progress here with little information.  Did you enable user debugging on the controller to see what could be happening?



  • 3.  RE: NAS Logon from self registration fails but separate login pages work fine with same user

    Posted Aug 27, 2016 11:30 AM
    What happens if you use the default securelogin.arubanetworks.com ?



  • 4.  RE: NAS Logon from self registration fails but separate login pages work fine with same user

    Posted Aug 28, 2016 07:18 PM

    The time spent with TAC was pretty much just reviewing the differences between the login pages and trying to swap out form variables. This didn't seem to go anywhere and I had to end the session due to my outage window closing.

     

    The user debug on the controller didn't show anything related to the access deny. It's almost as if there was something about the request that was malformed or that the controller didn't like.

     

    Will try again today with HTTPS disabled so I can get some more meaningful packet captures.

     

    I didn't try the old securelogin URL; both forms were posting to the captiveportal-login URL, it's just that one got a deny, so the controller is listening for the correct URL.

    I rebooted the controller over the weekend during the maintenance window and am heading back today to try again.

     

    I'm hoping it was something buggy on the controller after the server certificate was changed.



  • 5.  RE: NAS Logon from self registration fails but separate login pages work fine with same user
    Best Answer

    Posted Aug 28, 2016 10:00 PM

    Ok so here's the problem for the benefit of anybody else in this situation. 

     

    Using the SAML tracer plugin for Firefox I was able to get a good look inside the HTTP posts going on during the login process (it's a great tool!!) without having to drop HTTPS on the login pages.

     

    This showed that the username attribute and password were not being passed to the Aruba controller during the POST to captiveportal-login.x.x.x.

     

    The reason for this is that I had removed the username and password fields from the receipt page, and the login button requires these values in order to be able to log in the user directly.

     

    Here is the POST to the ClearPass Login Page showing the attributes that are available:

     

    POST https://guest.customer.tld.com/guest/register_receipt.php HTTP/1.1
    Host: guest.customer.tld.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://guest.customer.tld.com/guest/register_receipt.php?refresh=1
    Cookie: GSID=hltl8us7ffbhvm9g4fmm7g3n37
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 305

    HTTP/?.? 200 OK
    Date: Mon, 29 Aug 2016 01:05:33 GMT
    Server: Apache
    X-Powered-By: PHP/5.5.34
    P3P: CP="CAO DSP LAW CUR ADMa DEVa OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE OTC"
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    x-frame-options: SAMEORIGIN
    Set-Cookie: GSID=hltl8us7ffbhvm9g4fmm7g3n37; path=/; secure; HttpOnly
    Keep-Alive: timeout=4, max=500
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8

    POST
    url: http://smh.com.au/
    apgroup:
    apname: tunnel 17
    essid:
    ip: 172.22.210.119
    mac: 28:b2:bd:f2:ab:7f
    cmd: login
    sponsor_email: scott.doorey@customer.tld.com
    visitor_name: scott testing
    email: user@email.com
    start_time: 2016-08-29 11:04
    expire_time: 2016-10-13 12:04:33
    enabled: 1

     

    Here are the details of the POST sent to the Aruba controller:

     

    POST https://captiveportal-login.customer.tld.com/cgi-bin/login HTTP/1.1
    Host: captiveportal-login.customer.tld.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://guest.customer.tld.com/guest/register_receipt.php
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 76

    HTTP/?.? 302 Temporarily Moved
    Date: Mon, 29 Aug 2016 01:05:33 GMT
    Server: Apache
    x-frame-options: SAMEORIGIN
    X-UA-Compatible: IE=edge;IE=11;IE=10;IE=9
    Location: https://guest.customer.tld.com/guest/register.php?errmsg=Access denied
    Content-Length: 0
    Connection: close
    Content-Type: text/html


    POST
    user:
    password:
    cmd: authenticate
    url: http://smh.com.au/
    Login: Log In

     

    Notice no username or password above!

     

     

    Here is what the working form looked like from the separate login page:

     

    POST https://guest.customer.tld.com/guest/guestlogin.php?_browser=1 HTTP/1.1
    Host: guest.customer.tld.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://guest.customer.tld.com/guest/guestlogin.php?_browser=1
    Cookie: GSID=hltl8us7ffbhvm9g4fmm7g3n37
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 219

    HTTP/?.? 200 OK
    Date: Mon, 29 Aug 2016 01:06:12 GMT
    Server: Apache
    X-Powered-By: PHP/5.5.34
    P3P: CP="CAO DSP LAW CUR ADMa DEVa OUR IND PHY ONL UNI PUR COM NAV INT DEM CNT STA PRE OTC"
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    Pragma: no-cache
    x-frame-options: SAMEORIGIN
    Set-Cookie: GSID=hltl8us7ffbhvm9g4fmm7g3n37; path=/; secure; HttpOnly
    Keep-Alive: timeout=4, max=500
    Connection: Keep-Alive
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8


    GET
    _browser: 1
    POST
    errmsg: Access denied
    url: http://smh.com.au/
    apgroup:
    apname: tunnel 17
    essid:
    ip: 172.22.210.119
    mac: 28:b2:bd:f2:ab:7f
    cmd: login
    no_login:
    user: user@email.com
    password:
    visitor_accept_terms: 1

     

     

    Here the username is defined, not just the email address. This is because the form asked for the username attribute. Username auth was configured on the page, so no password is shown.

     

     

    Here is the successful POST to the controller for the same user using the separate web login page:

     

    POST https://captiveportal-login.customer.tld.com/cgi-bin/login HTTP/1.1
    Host: captiveportal-login.customer.tld.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://guest.customer.tld.com/guest/guestlogin.php?_browser=1
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 107

    HTTP/?.? 200 OK
    Date: Mon, 29 Aug 2016 01:06:12 GMT
    Server: Apache
    x-frame-options: SAMEORIGIN
    X-UA-Compatible: IE=edge;IE=11;IE=10;IE=9
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html

     

    POST
    user: user@email.com
    password: 039180
    cmd: authenticate
    url: http://smh.com.au/
    Login: Log In

     

    Here you can see the username and password in the POST to the controller.

     

    What I had to do was enable the password and username fields on the receipt page (even though I didn't want them displayed), and then everything worked fine!!

     

    Hope this saves someone hours of head banging!!

     

    Scott
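The check that would have caught this in minutes, as an added example and not code from the thread or from ClearPass: parse the form-urlencoded body of the POST to the controller's /cgi-bin/login and flag any required field that is absent or blank, then recognise the errmsg=Access denied redirect as the failure symptom. The sample bodies are constructed from the field lists captured above; treating user, password, cmd and url as required is this example's assumption drawn from those captures, not a documented controller interface.

```python
"""Validate a captive-portal login POST body against the fields seen in the
working capture.  The constructed bodies mirror the two captures in the thread:
the receipt-page POST that was rejected and the guestlogin.php POST that worked.
Required-field list is an assumption taken from the captures, not a controller spec.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Fields the controller's /cgi-bin/login form carries in both captures (assumed required).
REQUIRED_FIELDS = ("user", "password", "cmd", "url")


def parse_form_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into {field: value}.
    keep_blank_values=True matters: 'user=' must show up as an EMPTY value rather
    than vanish, because a present-but-empty field is exactly the bug in the thread."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def find_missing_fields(body: str, required=REQUIRED_FIELDS) -> list:
    """Return the required fields that are absent or blank in the POST body."""
    fields = parse_form_body(body)
    return [name for name in required if not fields.get(name, "").strip()]


def access_denied_redirect(location_header: str) -> bool:
    """True when a 302 Location sends the client back with errmsg=Access denied."""
    query = parse_qs(urlsplit(location_header).query)
    return "Access denied" in query.get("errmsg", [])


# Constructed sample bodies, built from the field lists captured in the thread.
FAILING_BODY = urlencode({"user": "", "password": "", "cmd": "authenticate",
                          "url": "http://smh.com.au/", "Login": "Log In"})
WORKING_BODY = urlencode({"user": "user@email.com", "password": "039180",
                          "cmd": "authenticate", "url": "http://smh.com.au/",
                          "Login": "Log In"})

if __name__ == "__main__":
    for label, body in (("receipt page", FAILING_BODY), ("web login page", WORKING_BODY)):
        missing = find_missing_fields(body)
        print(f"{label}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
    print(access_denied_redirect(
        "https://guest.customer.tld.com/guest/register.php?errmsg=Access denied"))
```

Feed it the raw POST body from the SAML tracer or a packet capture; a non-empty result from find_missing_fields points at the form, not at RADIUS or the controller config.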



  • 6.  RE: NAS Logon from self registration fails but separate login pages work fine with same user

    Posted Feb 23, 2021 03:13 PM
    Hi Scott,
    I'm having the same issue even with the username and password active in the receipt form.

    Any clue what else it could be?

    ------------------------------
    Gonzalo Lopez
    ------------------------------



  • 7.  RE: NAS Logon from self registration fails but separate login pages work fine with same user

    EMPLOYEE
    Posted Feb 24, 2021 04:24 AM
    This is an old post that is about a different problem. Please open a new one, and share what you configured and what you see in Access Tracker.

    To be honest, I think if you can find someone to have a look at your deployment, your Aruba Partner or Aruba TAC, that will probably be the fastest path to a solution. This is a matter of understanding the steps in the process and checking where it is broken.

    One thing you should do before having a further look is to make sure that you have public trusted certificates on your ClearPass and on your controller/APs. If you see any untrusted pages or need to click through certificate warnings, there is a good chance that your issue lies in there.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------