Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Self-Registration issue on IAPs and Clearpass in multi-controller deployment

  • 1.  Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 20, 2017 01:30 PM

    I'm having an issue with a small number of my users who are unable to complete self-registration and web-login after account creation. My IAPs (214, v6.5) are managed with AirWave, in a multi-controller deployment, and I use ClearPass (6.5) as the RADIUS server.


    After a user has completed the self-registration and the sponsor has approved, they can log-in using the log-in button on the receipt page. Most users are successfully logged in and redirected to the default URL (google).


    Occasionally after selecting log-in, a user will receive a DNS error for securelogin.arubanetworks.com (Address could not be found, which makes them unable to log in), and some receive a certificate error (which they can proceed through and successfully log in). I'm wondering if the cause behind these issues is somewhere in my setup.

    The Guest account is properly created and activated. Checking the Access Tracker shows the authentication fails using the MAC Auth service: [Endpoints Repository] - localhost: User not found.
    MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

     

    However, the device does show in Endpoints and is updated to Known. This happens mostly with outside contractors using their own laptops.


    On CP Guest in my self-registration profile NAS vendor settings, the vendor IP address is set to securelogin.arubanetworks.com (can't use a VC address as this registration is used on multiple controllers), and on the IAPs the captive portal profile IP is set to clearpass.mydomain.com.


    I'm currently using the default certificate for the CaptivePortal (securelogin). I do plan on changing this to our wildcard cert soon, which leads to an additional question: Where do I need to ensure this cert is imported (just CPPM and AirWave to push to IAPs?), and what would I need to update in NAS vendor settings on CP Guest, and the captive portal profile on IAP/AirWave?

    Any assistance is appreciated, Thank you.



  • 2.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 20, 2017 01:45 PM

    Have a look here: https://community.arubanetworks.com/t5/Controller-less-WLANs/ArubaOS-Default-Certificate-Revocation-FAQ-Instant/ta-p/275814

     

    This will explain how to replace the cert, and where it needs to be done.

     

    Once you replace the certificate on the IAP (through airwave) you then need to change your login page in clearpass to redirect to the new hostname in the certificate. If you look at the URL above, the bottom of the page has a link for how to update ClearPass to use the new cert.

     

    As to why some clients fail and some work, we probably need more information about when this happens. Does it happen always on the same cluster? For a device that fails, does it always fail at all sites, or does it just fail once, and if they re-try it works? What is similar for the clients that fail? Or is it totally random?

     

    Are all IAPs the same code version? Do they all have the default certificate still? If the DNS doesn't resolve, then usually the IAP has a cert for a different hostname.



  • 3.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 20, 2017 02:02 PM

    As to the clients failing - I've only been able to test this in one cluster, as we have them separated by geographical locations, and our visitors only come to the administration area. However all our clusters are using the same settings just for now, so I would expect it to be the same at all of them. All IAPs are on the same version, all with the default certificates.

    I'll use an example from one of our important guests that had this issue. He was connecting using a Windows 10 laptop for reference. He connected and was successfully redirected to the web-login page, which contains a link to go to the self-registration page. He completed the registration and submitted it to a sponsor for approval, which was immediately approved. The log-in button at the receipt page then became active. After clicking the log-in button, he received the DNS error page.

    I had him attempt his guest username and password at the web-login page, and received the same DNS error (and the same error in Access Tracker). I then deleted his guest account and endpoint information, and made sure he was disconnected. I had him attempt registration again, and the same issue occurred.
    As this guest was a VIP, I needed to get him connected right away, so I set up an AD account for him to use at the web-login page, and he was able to successfully login with it.

    I then used my personal Windows 10 laptop to attempt the same procedure at the same IAP he had tried, and had no issue. The same thing was attempted on a few other laptops with no issue.

    The occasional guest (1-2 times a month) at our site receives this issue, but I have difficulty reproducing it with my corporate and personal devices.




  • 4.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 20, 2017 02:06 PM

    Not sure what to say, odd that it would only affect a few clients on the same network.

     

    You probably need to get a device which fails, and go through some more testing (pcap at network and client, log review, etc.)

     

    If you can get a device to reproduce the issue, I'd suggest you open a case with TAC.



  • 5.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 20, 2017 03:03 PM

    I'll continue trying to get a reproducible scenario with one of my devices or another device I can commandeer. I'll get back with what results I can. Any suggestions will still help.

    For the certificates, one thing isn't clear to me from the documentation. In the IAP under SSID->Security->External Captive Portal, for the field "IP or Hostname", will I be referencing the ClearPass server "clearpass.domain.com", or the wildcard "captiveportal-login.domain.com" (the IP address in NAS vendor settings)?



  • 6.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment
    Best Answer

    Posted Jan 20, 2017 03:12 PM

    It would still be clearpass.domain.com.


    When you replace the cert on the IAP, the IAP still points at the clearpass using the normal hostname. What changes is the URL that clearpass points back to the IAP with.


    The IAP will always take on the hostname of its certificate. So if you add in a cert with securelogin.mydomain.com to the IAP, now ClearPass needs to know that when you click login, it should re-direct the client to the new 'hostname' of the IAP.

     

    One thing to consider, if you do not replace all certs in one shot, you will need to create a new Guest Login profile on your CPPM.

     

    e.g.

    IAP 1 has default cert, points at Guest_login1.php

    In CPPM your Guest_login1.php page needs to point back to securelogin.arubanetworks.com

     

    IAP 2 has the new custom cert. The login page on CPPM now needs to point to securelogin.mydomain.com. You need to duplicate your guest login/registration profile, name it something like guest_login2 and change it to point back to securelogin.mydomain.com. Then in the IAP external captive portal settings you'd need to change the URL to clearpass.mydomain.com/guest/guest_login2.php

    Easiest way is to change the cert in all IAPs at once, and update the guest registration to point to the new hostname.



  • 7.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 20, 2017 03:38 PM

    That makes it much more understandable, thank you. The Captive portal is located on the clearpass server, so it would need that referenced in the Captive portal profile on the IAP. 

    It was a little confusing with the IAP having 3 certificates of its own (server cert, CP cert, device cert), and ClearPass being referenced as the auth source already.


    My plan is to deploy the certificates all in one shot, we have a down day coming up where I can complete and test this. I'll ensure all the pages have the correct hostnames/urls, run tests on multiple devices etc.


     

     



  • 8.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 26, 2017 12:56 PM

    I had a device have the same issue today for the captive portal, but by the time I went to diagnose and troubleshoot, it was able to successfully connect.

    This issue occurs after landing on the captive portal: when you select log-in you are redirected to securelogin.arubanetworks.com, or the CN of the installed CP certificate, which doesn't resolve some of the time (this doesn't make any sense to me, this feels like it should be an all or nothing issue).

     

    What is the full flow of what occurs after clicking log in up to landing at the default destination? 

     

     



  • 9.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    EMPLOYEE
    Posted Jan 26, 2017 01:26 PM

    I would associate a client to the captive portal and do an nslookup for "securelogin.arubanetworks.com" on that device, or try to just ping it, to make sure that the IP address returned is that of the VC consistently.

     

    Also, what version of Instant are you running?  

     

    There could be other reasons why it would not come up, like misconfiguration of the AAA server on instant, but doing an nslookup for the fqdn of the instant captive portal certificate is the first thing you should be looking at...



  • 10.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 26, 2017 01:41 PM

    My IAPs are on 6.5.0 early so that they can use wildcard certs.

     

    The wildcard certificate is set to captiveportal-login.domain.com, however this issue existed before I changed to the wildcard cert for the CP.

     

    When doing an nslookup for the CN of the CP cert from a client on the CP prior to login, I'm getting a different address than the VC. This VC is at a 10.252.x.x address; I'm instead getting a 172.31.x.x address.
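A consistency check for the redirect flow described in post 6 and the nslookup test from post 9, written as an added example (not code from the thread or from HPE Aruba): for each IAP cluster it confirms that the ClearPass Guest login page the IAP points at redirects back to the same hostname as the CN of the IAP's captive portal certificate, and that the CN resolves to that cluster's VC address. The inventory, page names and addresses are constructed, and the resolver is injectable so the check can be run from a client on the guest SSID (where the VC should answer for the CN) or against a canned answer.

```python
import ipaddress
import socket

# Constructed inventory (not the thread's real deployment): each IAP cluster
# lists the CN of its captive-portal cert, the ClearPass Guest login page its
# external captive portal profile points at, and its VC address.
CLUSTERS = [
    {"name": "cluster-A", "cp_cert_cn": "securelogin.arubanetworks.com",
     "login_page": "guest_login1.php", "vc_ip": "10.252.1.10"},
    {"name": "cluster-B", "cp_cert_cn": "securelogin.mydomain.com",
     "login_page": "guest_login1.php", "vc_ip": "10.252.2.10"},
]

# Constructed ClearPass Guest profiles: login page -> NAS vendor hostname the
# page redirects the client back to after a successful login.
GUEST_PAGES = {
    "guest_login1.php": "securelogin.arubanetworks.com",
    "guest_login2.php": "securelogin.mydomain.com",
}


def check_cluster(cluster, guest_pages, resolve=socket.gethostbyname):
    """Return a list of findings for one cluster; an empty list means consistent."""
    findings = []
    name, cn, page = cluster["name"], cluster["cp_cert_cn"], cluster["login_page"]
    redirect_host = guest_pages.get(page)
    # Rule from post 6: the login page must redirect to the IAP cert's hostname.
    if redirect_host is None:
        findings.append(f"{name}: IAP points at unknown login page {page}")
    elif redirect_host != cn:
        findings.append(f"{name}: {page} redirects to {redirect_host} "
                        f"but the IAP captive portal cert CN is {cn}")
    # Rule from post 9: the CN must resolve to this cluster's VC address.
    try:
        answer = resolve(cn)
    except OSError as exc:
        findings.append(f"{name}: {cn} does not resolve ({exc})")
        return findings
    if ipaddress.ip_address(answer) != ipaddress.ip_address(cluster["vc_ip"]):
        findings.append(f"{name}: {cn} resolves to {answer}, expected VC {cluster['vc_ip']}")
    return findings


def audit(clusters, guest_pages, resolve=socket.gethostbyname):
    """Run check_cluster over every cluster and flatten the findings."""
    return [f for c in clusters for f in check_cluster(c, guest_pages, resolve)]


if __name__ == "__main__":
    for finding in audit(CLUSTERS, GUEST_PAGES):
        print(finding)
```

Run it from a client associated to the captive portal SSID, since that is where the VC is expected to answer for the certificate's hostname; from elsewhere the default CN will legitimately fail to resolve.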



  • 11.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    EMPLOYEE
    Posted Jan 26, 2017 02:07 PM

    Is your captive portal SSID network assigned or Virtual Controller assigned?



  • 12.  RE: Self-Registration issue on IAPs and Clearpass in multi-controller deployment

    Posted Jan 26, 2017 02:10 PM

    Client IP is network assigned, and static VLAN assignment