Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Problems with Clearpass Radius Server -> Auth server timeout

  • 1.  Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 10:17 AM

    Hi,

     

    I'm new to Aruba ClearPass and I've a problem with the ClearPass RADIUS auth.

     

    Ok, the facts:


    I've an Aruba Controller 651 with code version 6.2.0.3

    CPPM version 6.0.2.23328 and CP Guest with the same version.

     

    I installed the CPPM appliance and configured it like the example in the Aruba Wireless and ClearPass 6 Integration Guide (step by step).

     

    When I connect to the Guest SSID, it redirects me to the captive portal. So far so good.

     

    I can create a new account at the captive portal (self registration).

     

    When I want to log in, the message "Auth server timeout" comes up.

     

    Ok, I checked the shared secret, the NAS IP in CPPM, the RADIUS in the Controller, it all looks good.

     

    On the CPPM under Access Tracker I've no logs about a login.

     

    I don't know what to do, I think the RADIUS on the CP appliance is not working, but I can't find any RADIUS logs.

    I newly set up the appliance and configured it again, but there is the same problem.

     

    Thank you!



  • 2.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 11:03 AM

    Please confirm you have defined your CPPM server group as the group for your active Captive Portal Profile:

     

    Authentication --> Layer 3 --> Captive Portal Authentication Profile --> Your Profile --> Server Group

     

    cp-server-group.png



  • 3.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 11:13 AM

    Ok, I checked it but I think it is configured right. Take a look at my screenshot.

     

    The problems are still there.

     

     

     

    Thanks

     

     



  • 4.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 12:20 PM

    I know you said there is no Access Tracker event.  Confirm there is no error in the Event Viewer regarding the Network Device on CPPM.  If there is a shared secret issue for example, it will show up here; not access tracker.

     

    Have you successfully tested auth from the controller using AAA Diagnostics?



  • 5.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 12:22 PM
    Verify the authentication is correctly set up by using the AAA test in the diagnostic section.


  • 6.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 02:21 PM

    Under CPPM Monitoring Event Viewer there is no login event or any wrong login.

    Unbenannt.JPG

     

     

    When I use the AAA test in the diagnostic section of the controller, I get the same problem:

    Unbenannt1.JPG

     

    I don't know what is wrong.



  • 7.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 02:41 PM

     

    Your screenshot shows "authentication failed".   If that is accurate, then it means it is talking to the RADIUS server and authentication failed or service categorization failed.   If it said AAA Server Timeout, then it is likely to be a shared secret or connectivity issue (UDP 1812/1813).

     

    When you did that AAA test authentication, did you get an event in Access Tracker?



  • 8.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 02:42 PM
    The server to test against is Internal on that screenshot. It should be the server entered in your Clearpass-group.
    That aside... I'm thinking there might be an issue with the redirect from the clear pass back to the controller.


  • 9.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 03:45 PM

    When you did that AAA test authentication, did you get an event in Access Tracker?

     

    Nothing, the Access Tracker shows nothing.

     

    Unbenannt.JPG

     

     

    I don't understand.

     

     

    @solb

    "I'm thinking there might be an issue with the redirect from the clear pass back to the controller."

     

    Ok, but what can I do?

     

    How can I check this?



  • 10.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 20, 2013 03:54 PM
    Well. First step is to at least get a successful authentication from the AAA test server diagnostics. Try self-registration and then use that account to authenticate with from AAA test server. If that works, then you might want to double-check your services. Make sure there is no value from the default left, i.e. the default web auth service has a specific SSID it checks for, and no match means it just drops the traffic. Typical issue when you don't see anything in the Access Tracker is that no service matches the request you have performed. Can you verify that in your web auth service you have either no SSID defined or that it is matched against the name of your SSID?

    Best regards, John Solberg


  • 11.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 07:21 AM

    I don't get a successful login, the controller diagnostic shows this:

     

    Capture.JPG



  • 12.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 08:04 AM

    If you had the Controller as unknown device - as in not configured Radius properly you still should've gotten a message in the Monitoring » Event Viewer when using "AAA Test server".

     

     

     

     

     



  • 13.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 08:34 AM

    A few more things...

     

    Verify network connectivity by pinging between Controller and ClearPass

    In the case of a firewall - verify that you have Radius ports opened between Controller and ClearPass (1812/1813).

     

    My CP in lab is more or less out of the box and I still get events in various logs:

     * If Radius is correctly configured on both Controller and Clearpass you will get a message like this in the Access Tracker log:

    Error Code: 204
    Error Category: Authentication failure
    Error Message: Failed to classify request to service

     

     * If Radius is not configured correctly on Clearpass (Controller is an unknown device) you will see this in the Event Viewer:

     

    Source: RADIUS
    Level: WARN
    Category: Authentication
    Action: Unknown
    Timestamp: Mar 21, 2013 12:58:29 CET
    Description: Ignoring request from unknown client 172.168.2.130:32800

     

     



  • 14.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 09:18 AM

    *EDIT:  Looks like jsolb has also pointed this out.

     

    1) Connectivity between the controller and ClearPass (UDP 1812 unless you've changed the defaults)

    2) Incorrect settings either on the network device in CPPM or the RADIUS server in ArubaOS

     

    If #1:  You will not see any events anywhere on CPPM; verify routing and firewall rules between the devices

    If #2:  You should see a message in the Event Viewer on CPPM indicating it ignored the request; typically bad shared secret, but could be other issues.
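
The triage in posts 13 and 14, as an added example that is not part of the original thread: RADIUS runs over UDP, so the cases are told apart by sending a real PAP Access-Request and checking what, if anything, comes back. The host, account, secret and NAS identifier are constructed placeholders, and no Message-Authenticator attribute is sent, which is an assumption about what the server accepts.

```python
import hashlib, os, socket, struct

def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with chained MD5."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def build_access_request(user, password, secret, ident=1, req_auth=None):
    """Code 1 packet with User-Name(1), User-Password(2), NAS-Identifier(32)."""
    req_auth = req_auth or os.urandom(16)
    attrs = (attr(1, user) + attr(2, hide_password(password, secret, req_auth))
             + attr(32, b"radius-probe"))  # hypothetical NAS identifier
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def classify(reply, request, secret):
    """Map the outcome onto the cases discussed in the thread."""
    if reply is None:
        return "timeout"      # nothing came back: path, port, interface, or ignored client
    if len(reply) < 20 or reply[1] != request[1]:
        return "malformed"
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if reply[4:20] != expected:
        return "bad-secret"   # server answered, but signed with a different secret
    return {2: "accept", 3: "reject"}.get(reply[0], "other")

def probe(host, user, password, secret, port=1812, timeout=3.0):
    request = build_access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:       # includes socket.timeout
            reply = None
    return classify(reply, request, secret)

if __name__ == "__main__":
    # Constructed values: documentation address, made-up account and secret.
    print(probe("192.0.2.10", b"guest1", b"guest-pass", b"shared-secret", timeout=1.0))
```

Run it from a host that is defined as a network device on the server; from any other address the request is ignored and the result is "timeout", with the Event Viewer entry shown in post 13.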



  • 15.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 09:32 AM

    Ok, there is nothing in the CPPM Event Viewer:

    Capture.JPG

     

    There is no Firewall between the CPPM and Controller, but one route,

     

    when I run an nmap against the CPPM IP, ports 1812 and 1813 are not open.

     

    Pinging between the CPPM and the Controller works.

    I check the route between the Controller and the CPPM.

     



  • 16.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 09:39 AM

    Did you setup CPPM with one or two interfaces/IPs?   Management Port?  Data Port?

     

    Can you verify RADIUS is running?   

    Administration --> Server Manager --> Server Configuration --> Services Control --> Radius Server

     

     



  • 17.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 09:49 AM

    The radius service is running:


    Capture.JPG

     

    Yes, I've a Management and a Data Port. On the management port I come to the captive portal. Do I have the wrong interface? Is the data int the right one?



  • 18.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 10:32 AM

    Yes, if you have both interfaces configured, the data port is listening on RADIUS.   It is also the port that should be used for web authentication, etc.

     

    If you only configure the MGMT port, then all services will be listening on it.

     

    Management
    Provides access for cluster administration and appliance maintenance via web access, CLI, or internal cluster communications.
    Configuration required.


    Data
    Provides point of contact for RADIUS, TACACS+, Web Authentication and other data-plane requests.  Configuration optional.  If not configured, requests redirected to the  management port.



  • 19.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 10:35 AM

    Ok, thanks.

     

    How can I configure the running Appliance only to one Interface? (only the Management Interface)



  • 20.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 10:44 AM

    Can I use the network reset data command on the CLI?

     



  • 21.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 10:46 AM

    You can simply remove the IP information from the Data/External port....but be careful if you are using that port/IP for anything today that may break.   I am not positive if it will ask for a restart, or if it will just restart the necessary services.

     

     

    cp-server-ip.jpg



  • 22.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 11:04 AM

    Ok, thank you so much, what a bad mistake!

     

    Now I get an Authentication failed message and in the Access Tracker it shows me this message:

     

    Capture.JPG

     

    What is now wrong? The shared secret is right!



  • 23.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 11:05 AM

    Depends on how your service is setup.   There looks to be two issues, one the authentication type is not supported and second the user does not exist in the internal database.    



  • 24.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 11:14 AM

    The user is in the CP guest under Guest -> list Account.

     

    What can I check now?

     



  • 25.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 11:33 AM

    It looks like your service that is being matched is looking at the Local User database on ClearPass; not the Guest Users database (which is the same as the CPG List Accounts).    You need to reevaluate the service rule that is being hit for this authentication.   

     

    Is this a test from the controller?  or a guest logon?

     

    Export your whole Access Tracker event (zip file).



  • 26.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 11:38 AM

    Ok, I tested the login from the Captive Portal and from the Controller. The Controller says Authentication failed and the Captive Portal says the same.

     

    This is a log from the Captive Portal login in the attachment:

     

    Attachment(s)

    zip
    DashboardDetails.zip   6 KB 1 version


  • 27.  RE: Problems with Clearpass Radius Server -> Auth server timeout
    Best Answer

    Posted Mar 21, 2013 12:00 PM

    You are matching a service called WLAN Enterprise Service which only supports EAP authentication methods.   The Captive Portal authentication is going to be PAP or MSCHAP depending on how you have it setup.

     

    You should have two services setup; one for 802.1X authentication (if you are using this authentication type for employees) and a second for guest/captive portal authentication; each with the appropriate conditions, auth sources, etc.

     

    Refer to the integration guide you mentioned in your original post.  The section titled Guest SSID Login service configuration (page 44) goes through the setup.    You may have done this, but be careful on the order of the policies as they are applied top down.   It looks like you have the Enterprise service above the Guest service and it is matching that one.   

     

     

     

     



  • 28.  RE: Problems with Clearpass Radius Server -> Auth server timeout

    Posted Mar 21, 2013 12:06 PM

    Ok, now it works!!!!!!

     

    Thank you so much for your help. I am so thankful !!!!!