Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Process of Captive Portal Authentication with ClearPass Guest

  • 1.  Process of Captive Portal Authentication with ClearPass Guest

    Posted Apr 02, 2019 11:07 PM

    I read this thread and had a follow-up question.

     

    https://community.arubanetworks.com/t5/Security/Process-of-Captive-Portal-Authentication-with-ClearPass-Guest/td-p/302804

     

    So step 5 is where I'm confused. How is the user submitting the credentials to the NAD (Aruba Controller)? The Guest portal is hosted on ClearPass, not the NAD?

    Is the NAD intercepting that HTTP POST that the client intends for ClearPass, extracting the credentials and using RADIUS to query CPPM services?

     

    EDIT: I think this question gets to the root of it, and applies to all web flows.  Is the client establishing an HTTPS connection with the NAD, or ClearPass? Is the NAD somehow acting as a proxy?



  • 2.  RE: Process of Captive Portal Authentication with ClearPass Guest

    EMPLOYEE
    Posted Apr 02, 2019 11:10 PM
    The controller has a DNS hook for the CN of the cert. The login button submits to a predefined path off that FQDN, as defined in the web login config in ClearPass.


  • 3.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Apr 02, 2019 11:13 PM

    Gotcha - I was aware of that hook, but maybe not fully how it worked. So does that mean the entire HTTPS session is being proxied through the controller, or it's just intercepting the credentials? I'm having trouble pulling that part together.



  • 4.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Apr 02, 2019 11:25 PM

    Okay, this video solidified it for me - https://www.youtube.com/watch?v=_uO2-RGJ3BM

     

    It looks like, as you said, the login button doesn't post to CPPM; it actually posts to the controller. Super slick.

     

    Seeing it in Chrome, the way he demo'd it was great.

     

    It looks like you would always need to make sure to install a valid certificate onto the controller, correct? It doesn't come with some pre-built valid certificate for captiveportal-login.... does it?



  • 5.  RE: Process of Captive Portal Authentication with ClearPass Guest

    EMPLOYEE
    Posted Apr 02, 2019 11:26 PM
    No, there's no intercepting of credentials. The browser is literally submitting them to the controller and the controller is spawning a RADIUS request.


  • 6.  RE: Process of Captive Portal Authentication with ClearPass Guest

    Posted Apr 02, 2019 11:30 PM

    You would not need a DNS entry for that redirect URL, right? Seems like the controller responds to the DNS query with its IP by hijacking that DNS request.

     

    I assume you would need a publicly signed certificate (wildcard probably works best for all web portals) for that URL pointing to the Aruba Controller, correct?



  • 7.  RE: Process of Captive Portal Authentication with ClearPass Guest
    Best Answer

    EMPLOYEE
    Posted Apr 02, 2019 11:33 PM
    No, it's local to the controller datapath.