Security

Hi guys
I just attended the Clearpass Essentials training (which I can highly recommend) and wrote this tutorial for me because I'm a big fan of step-by-step guides. It's nothing new but I couldn't find such a (correct) step-by-step guide which fullfilled my needs. And additionally the controller configuration part is missing in the training guides - I added it here in chapter 5. I'm sharing this and hope it's useful to you. Any feedbacks are welcomed!

 

First, have a look at my Design Overview

This will help you understand, what is being configured in the controller (regarding the dependencies of the profiles)

 

Configuration Parameters

These are the values I will use in this tutorial. I summarize them here so you can use this section for preparing, adjusting and "re-finding" your values when you do your own implementation.

 

Aruba Clearpass Policy Manager, Version 6.5.0.71095

DNS Name:            cppm.mycompany.com

IP MGMT:               10.10.100.2 / 255.255.255.0

IP DATA                 192.168.1.2 / 255.255.255.0

 

NAD:                        myController, 10.10.100.1 with Shared Key aruba123

 

Service (RADIUS):    Captive Portal MAC Authentication

Service (RADIUS):    Captive Portal User Authentication with MAC Caching

 

Aruba Clearpass Guest, Version 6.5.0.71095

Name of the Web Login Page: Guest Network

Pagename of the Web Login Page:   captiveportal (.php / is autom. added)

 

Aruba Controller, Version 6.3.1.5

Name:                   myController

IP (eth0):               10.10.100.1 / 255.255.255.0 (Subnet used for Management Traffic)

IP (eth1):               192.168.1.1 / 255.255.255.0 (Subnet used for Guest Networking)

Shared Secret:       aruba123

 

RADIUS Server:       myClearpass, 10.10.100.2 (MGMT IP of Clearpass), aruba123 (Shared Key)

RC 3576 Server:      10.10.100.2, aruba123 (Shared Key)

 

Server Group:        Clearpass (Groupname)

 

L3 Authentication:   CPPM_CaptivePortal (Profilename)

Captive Portal       Login Page = https://192.168.1.2/guest/captiveportal.php

Auth Profile           Server Group = Clearpass

 

User Role:           captiveportal_logon

Policy Name:       CaptivePortal-ACL

Policy Type:        <Session>

 

Guest Profile:       CaptPort-aaa_prof

                             MAC Authentication Profile: default

                             MAC Authentication Server Group: Clearpass

                            RADIUS Accounting Server Group: Clearpass

                    

Virtual AP Profile: CaptPort-vap_prof

               

SSID Profile:        CaptPort-ssid_prof

 

 

 

Now the Step-by-step tutorial begins:

 

1.   Adding the Aruba Controller as NAD

1. On Clearpass Policy Manager navigate to Configuration > Network > Devices
2. Click on the top right

Use the following parameters:

Name:                                             myController

IP or Subnet Address:                   10.10.100.1

RADIUS Shared Secret:                aruba123

 

 

1. Click

 

1. Done

 

2. Create the Guest Service

1. On CPPM, navigate to Configuration > Start Here
2. Select the Guest Authentication with MAC Caching Templat

1. Fill in the template as follows:

General > Name Prefix: Captive Portal

Wireless Network Settings > Wireless SSID: Guest-SSID

Wireless Network Settings > Select Wireless Controller: myController

MAC Caching Settings > Cache duration for Guest: One Day

Access Restrictions > Enforcement Type: Aruba Role Enforcement

Access Restrictions > Captive Portal Access: captiveportal_logon

Access Restrictions > Maximum number of devices allowed per user: 1

Access Restrictions > Guest Access: guest

 

Leave the the rest of the fields blank or by default. Change values for ”Cache duration for Guest” and “Maximum number of devices allowed per user” at your discretion

 

1. Click
2. You don’t have to reorder the services as long as there are no other services interfering with the newly created

 

 

3. Create the Captive Portal Page

1. In CPPM Guest navigate to Configuration > Pages > Web Logins

1. Click on the top right

1. Enter the following parameters:

Name:                     Captive Portal

Page Name:            captiveportal (This will set the URL to: https://cppm.mycompany.com/guest/captiveportal.php)

Vendor Settings:     Aruba Networks (is the default)

Address:                 securelogin.arubanetworks.com (is the default, is used to avoid certificate errors)

 

Authentication:       Credentials – Require a username and password (is the default)

Pre-Auth Check:    Local – match a local account

                               

Customize the Loging Page at your discretion. Give it at least a meaningful “Title”.

 

1. Click

 

4. Create a Guest User

1. In CPPM Guest navigate to Guest > Start Here and click on Create New Guest Account
2. Fill in some adequate values and click on Create:

 

 

 

5. Configuring the Aruba Controller

 

5.1 Add Clearpass as RADIUS Server

 

1. Navigate to Configuration > SECURITY > Authentication > Servers
2. Click on RADIUS Server and enter the Name of your Clearpass Server: myClearpass
3. Click Add
4. Click on myClearpass in the Server List and enter:

       Host: 10.10.100.2 (MGMT IP of Clearpass)

       Key: aruba123 (Shared Key between Controller and Clearpass)

       Leave the other fields by default

 

1. Click Apply

 

5.2 Add Clearpass as RFC 3576 Server

1. Navigate to Configuration > SECURITY > Authentication > Servers
2. Click on RFC 3576 Server and enter the MGMT IP of Clearpass: 10.10.100.2
3. Click Add
4. Click on 10.100.2 in the list
5. Enter the Shared Key aruba123 twice again
6. Click Apply

 

5.3 Create a Server Group for Clearpass

1. Navigate to Configuration > SECURITY > Authentication > Servers
2. Click on Server Group and enter a reference name for your Clearpass server group: Clearpass
3. Click Add
4. Click on Clearpass and click New in Servers
5. Select your Clearpass Server from the Dropdown List: myClearpass
6. Click Add Server
7. Click Apply at the bottom of the page to save the changes

 

 

5.4 Configure the Captive Portal / L3 Authentication

1. Navigate to Configuration > SECURITY > Authentication and click on L3 Authentication
2. Click on Captive Portal Authentication Profile
3. Enter a new Captive Portal profile name: CPPM_CaptivePortal in the empty box and click Add
4. Select CPPM_CaptivePortal and edit the following parameter:

Login page: https://192.168.1.2/guest/captiveportal.php

1. Make sure that “Default Role” = guest and “Default Guest Role” = guest
2. Click Apply at the bottom of the page to save the changes

 

1. Click on Server Group under the CPPM_CaptivePortal and change the Server Group from default to Clearpass
2. Click Apply at the bottom of the page to save the changes

 

5.5 Create the Captive Portal (Logon) Role

1. Navigate to Configuration > SECURITY > Access Control > User Roles and click Add
2. Name it captiveportal_logon for the Role Name under Firewall Policies
3. Click Add

 

1. Choose the radio button for Create New Policy and click the Create Button
2. Enter the following:

Policy Name: CaptivePortal-ACL

Policy Type: <Session>

1. Click Add
2. Select and enter the following information for the first line of the ACL:

IP Version: IPv4

Source: <USER>

Destination: host, Host IP: 192.168.1.2 (IP of Clearpass)

Service: service -> svc-http (80)

Action: permit

1. Click Add at the far right underneath this rule
2. Click Add again
3. Select and enter the following information for the first line of the ACL:

IP Version: IPv4

Source: <USER>

Destination: host, Host IP: 192.168.1.2 (IP of Clearpass)

Service: service -> svc-https (443)

Action: permit

1. Click Add right underneath this rule
2. Click Done
3. Click Add under Firewall Policies and select Radio Button for Choose From Configured Policies
4. Select logon-control (session) and click Done
5. Click Add again under Firewall Policies and select Radio Button for Choose From Configured Policies
6. Select captiveportal and click Done
7. Make sure that captiveportal policy is at the bottom of the list
8. Right in Configuration select under Captive Portal Profile the newly created CPPM_CaptivePortal
9. Click Apply at the bottom of the page

 

5.6 Configure the Guest Captive Portal AAA Profile

1. Navigate to Configuration > SECURITY > Authentication > Servers and click on AAA Profiles
2. Click Add
3. Enter a name for the ClearPass Guest Profile: CaptPort-aaa_prof and click Add again
4. Click on CaptPort-aaa_prof and change the Initial Role to captiveportal_logon and click Apply

 

1. Click on MAC Authentication and set MAC Authentication Profile to default and click Apply
2. Click on MAC Authentication Server Group, set it to Clearpass and click Apply
3. Click on RADIUS Accounting Server Group, set it to Clearpass and click Apply
4. Click on RFC 3576 Server, select 10.100.2 from the Add a profile list, click Add and click Apply

 

 

5.7 Configure the Guest Captive Portal SSID

1. Navigate to Configuration > Advanced Services > All Profiles
2. Expand the Wireless LAN section and click on Virtual AP
3. Enter a name for the Virtual AP profile: CaptPort-vap_prof and click Add
4. Click on CaptPort-vap_prof to edit it
5. In the Basic Tab, et the VLAN to your Guest VLAN (if used) and click Apply

1. Click on SSID (on the left under the CaptPort-vap_prof profile)
2. Click on –New-- in SSID Profile > and name it CaptPort-ssid_prof
3. Set the Network Name (SSID) to Guest-SSID
4. Leave Network Authentication to None and Encryption to Open, click Apply
5. Click on AAA set the AAA Profile from default to CaptPort-aaa_prof and click Apply

1. Navigate to Configuration > WIRELESS > AP Configuration and select your AP Group
2. Click on Wireless LAN > Virtual AP and select CaptPort-vap_prof from the Add a profile list and click Add
3. Click Apply

 

5.8 Save the Configuration

1. Click on Save Configuration on top of the page and you’re ready to test your Captive Portal!

Ditto that.  I attended the Clearpass Fundamentals and my head exploded.  Couldn't wait to get back to the office to get my Guest Register pages up and running.  Great doc. 

Thank laurent, this advice will come in handy.

Excellent..

But a question.  Will the users consume a Guest license or simply a CPPM license?  We have something like this in place, however it doesn't consume guest licenses.

TIA.

Yes, it consumes 1 Policy Manager and 1 Guest License per device. Do you use the captive portal in your setup?

Hi Laurent,

 

Thank you for your post. I'm implementing a brand new iAPs environment. Are the steps similar with the exception of controller configurations?

 

Jessca

jvu, please try the video here:  http://community.arubanetworks.com/t5/Video/VIDEO-Captive-Portal-Authentication-with-Aruba-Instant-and/ta-p/69940

 

 

 

Thank you again Colin

Cám ơn

laurent,

 

Could I implement Self-Registration to go along with this write up?

 

Thank you!

Webcore, absolutely! There are even two ways doing that:

 

1. You do this tutorial (beware, it's slightly outdated due to new features in clearpass) and then you create a Guest Selfregistration page (menu item above Weblogins) and you put a link to it from the Weblogin page you created in the tutorial here.

 

2. You skip the Weblogin step in this tutorial and you directly use the Weblogin page which is created in the Guest Selfregistration process.

 

It's really easy to do... Good luck!

Thanks, laurent!

 

I'm going through your walkthrough right now. As soon as I'm finished with that, then I'm going to implement the Self Reg stuff. I'll let you know how it goes.

 

Thank you very much!

Ran into a snag. The Captive Portal page gets a 404 when I connect to guest. How can I troubleshoot this?

 

EDIT: Got it working, kinda. I'm getting a certificate error, but the correct page is coming up. I had incorrectly entered a value on my L3 captive portal auth profile that did not match what'd I'd configured in CP Guest. Working on Self-Registration now.

 

Thanks!

Hi Laurent,

 

We have followed the steps as per your article but after guest authentication it is trying to redirect to CPPM default landing page. Our requirement is after successful authentication guest should be able to browse the internet.

Could please guide how to resolve the issue.

 

Thanks,

Yugandhar.