Self-Registration Advanced Editor

  • 1.  Self-Registration Advanced Editor

    Posted Apr 10, 2019 12:48 PM

    Hello. I am trying to use an Instant AP with ClearPass. I've set up a guest SSID, and I've set it up to use the Captive Portal. Guests can register, have a password assigned, get an email receipt, and use the userid/password. However, I am trying to set up the ability for the Instant AP to send the user to the login page by default so they can enter their new credentials next time they log in.

     

    I figured out that I needed to change the Captive Portal setting in the AP to http://guest/arubalogin.php (which is the default login page name when you click on "Web Logins" in the Guest application). However, that login page appears to be different from the Login page that I get to by clicking "Self-Registrations" --> clicking "Edit" on the registration I am using --> then clicking "Advanced Editor" in the Self-Registration Editor. When I scroll down to the "Login Page" section, I don't see any place where the name of the login page is specified (as I do in the Login Page when I click in "Web Logins").

     

    As a result, my AP is bringing the guest user to the wrong Web Login page.

     

    What am I missing? What is the difference between these two places to specify the login page and why don't they look the same?



  • 2.  RE: Self-Registration Advanced Editor

    EMPLOYEE
    Posted Apr 11, 2019 10:10 AM

    So when you create a Self-Reg with Register Page XXX it creates:

     

    XXX.php - Registration

    XXX_receipt.php - Receipt

    XXX_login.php - Login

     

    You want the Login one.

     

    General reminder too that when you Launch to see one you will see the URL with '?_browser=1' appended.  You NEVER want that piece in the captive portal redirect URL.  It is used to protect against bots and background checks.
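The page naming pattern and the '?_browser=1' reminder above, as an added example that is not part of the original post: a small helper that turns a URL copied from a Launch link into a login-page URL suitable for the captive portal setting. The hostname, path and page name `guestreg` are constructed, and the function names are hypothetical.

```javascript
// Added example: the host, path and page name in the sample URLs are constructed.
// Assumes the register page name itself does not end in _login or _receipt.

// Strip the generated-page suffix to recover the base register page name.
function basePageName(file) {
  const m = /^([A-Za-z0-9_-]+)\.php$/.exec(file);
  if (!m) throw new Error("not a .php guest page: " + file);
  return m[1].replace(/_(login|receipt)$/, "");
}

// Turn a URL copied from a Launch link into the login-page URL for the
// captive portal setting: drop _browser, keep other parameters, and point
// the file name at XXX_login.php.
function loginRedirectUrl(launchUrl) {
  const u = new URL(launchUrl);
  u.searchParams.delete("_browser");
  u.hash = "";
  const parts = u.pathname.split("/");
  parts.push(basePageName(parts.pop()) + "_login.php");
  u.pathname = parts.join("/");
  return u.toString();
}

// Check for a URL already configured on the AP.
function hasBrowserFlag(configuredUrl) {
  return new URL(configuredUrl).searchParams.has("_browser");
}

console.log(loginRedirectUrl("https://clearpass.example.com/guest/guestreg.php?_browser=1"));
```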



  • 3.  RE: Self-Registration Advanced Editor

    Posted Apr 11, 2019 05:23 PM

    Hello and thank you so much for taking the time to respond.

     

    So you're telling me that I want to use the login page template that is created automatically by creation of a self-registration, correct? The only way I can find to get to modifying the parameters on that login page is to use the "Advanced Editor" link in the self-registration workflow. If you have another way, I'd love to know about it.

     

    So as I explained in my OP, when I click on the "Advanced Editor" link, and I scroll down to the "Login Page" section, I don't see any place where the "page name" of the login page is provided ... which is what I want to enter into the Captive Portal url. This is NOT the case if I click on "Pages" and then "Web Logins" and then enter the Web Login Editor.

     

    Now, if you're telling me that I shouldn't be entering the login page into the captive portal for security reasons, that's another matter which I need to consider.


    So if that's the case, can you tell me how I can set up my guest network so that once my guests request their credentials, and receive their credentials ... and then perhaps either log out or go to lunch ... how I can have their first attempt at logging back in after lunch route them to the login screen first instead of to the registration screen (which is where it was going before I placed the login page url in the captive portal url)? I mean, if they already have credentials, I don't want them going to a screen to request credentials again, right?

     

    Let's say for this example that I'm not using MAC Authentication.

     



  • 4.  RE: Self-Registration Advanced Editor

    EMPLOYEE
    Posted Apr 12, 2019 04:25 PM

    If I read correctly, your starting point is a self-registration.  Assuming that, you never need to create anything else for its full workflow.  When logins are enabled a login page is created.  On the main self-registrations list, when you select yours there will be Launch and Launch Login links (as well as others).  The registration should be self-linking to it and vice-versa down in the footer.  If they are not there you edited them out at some point.  Create a new dummy registration to see them in that case.

     

    The edit area is not obvious on the main registration landing map.  Click Login Message on the far right.  That has all the UI overrides for the login and logging-in pages.

     

    Note you cannot rename the login page.  It is dynamic and relative to your base page name per the pattern above.



  • 5.  RE: Self-Registration Advanced Editor

    Posted Apr 15, 2019 04:08 PM

    Thank you once again.

     

    Even with a freshly created test self-registration, when I edit the self-registration and click on the "Login Page" or "Login Message" links, there is nowhere to override certain parameters on the Login Page, as there is if one goes directly to "Web Logins". Examples: Login Page Skin, Default Destination/Default URL, and the "Override Destination" checkbox.

     

    Again, what I'm trying to do is to modify a specific self-registration login page for one of my guest networks so that it doesn't require the user to go back through self-registration once they've been assigned credentials ... I'm trying to cause those users to be routed directly to the login screen.

     

    Many thanks again in advance.



  • 6.  RE: Self-Registration Advanced Editor

    Posted Apr 16, 2019 07:46 AM
    It's not possible to redirect the user to the login page if there is already an account created. With MAC auth I see some possibilities but without MAC auth not.

    You can simply add a URL in the landing page which will redirect the user to the login page.

    So the workflow:
    User connects to the network
    Will be redirected to the registration page and after registration the user can log in

    Returning user:
    User connects to the network
    Will be redirected to the registration page and can hit the "already have an account" URL to log in with the account that already exists


  • 7.  RE: Self-Registration Advanced Editor

    EMPLOYEE
    Posted Apr 16, 2019 09:34 AM

    A self-registration can only be set with a single skin.  The login cannot have its own.

    The destination URL config is under the NAS Vendor Settings.

     

    In the Footer HTML of your registration page put:

    {dump var=$_endpoint export=html} 

     

    It will use the passed mac address to pull up what we know about the device.  Self-reg and web logins have a config 'Mark the user’s MAC address as a known endpoint', if you set that then you can pretty safely do what you want.

     

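    {* Redirect known endpoints straight to the login page. The Smarty tags sit outside the literal block so they are evaluated. *}
    {if $_endpoint.status == 'Known'}
    {literal}
    <script type="text/javascript">
    setTimeout(function () {
    location.href = {/literal}{nwa_quotejs}{$gsr_metadata.register_page|rawurlencode}_login.php{/nwa_quotejs}{literal};
    }, 0 * 1000);
    </script>
    {/literal}
    {/if}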

     

     



  • 8.  RE: Self-Registration Advanced Editor

    Posted Apr 16, 2019 01:03 PM

    Thanks to both of you. William, that's the way I have it working now ... I just thought guest users would find it an annoyance to have to "stop" at the registration page and click to login when they already have credentials. I guess you're saying I should add MAC Caching capability and it can be set up so the user logs in directly. I will try that. Thank you again.