Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Trouble with setting up ClearPass Guest Self Registration

  • 1.  Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 12:38 PM

    Hi.  I need help in figuring out why I'm unable to get the guest self registration web page to come up when I connect up to my guest SSID.  The logs state there is an error 201 Authentication failure User not found.  Cannot select appropriate authentication method.

     

    I've gone through various guides and it looks like I have everything configured correctly on both the controller and in ClearPass.  I'm completely stumped.

     

    Thanks for any help with this.



  • 2.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 12:46 PM
    Do you have the guest user database as an authentication source under your
    guest web login service?


  • 3.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 12:51 PM

    Tim,

     

    Thanks for the reply.  Excuse the noob questions as I'm brand new to ClearPass.

     

    When you're referring to the authentication source for my guest web login service, are you referring to the guest service I configured in CPPM or is there a spot somewhere in the ClearPass Guest part?



  • 4.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 01:22 PM

    zx10guy,

     

    If an incoming authentication is not classified, that means it did not satisfy the initial requirements of the service rules to handle it: below is a guest access service and listed on the summary and service tab are service rules for that specific service to handle an incoming authentication.  If you look at the access tracker on the failed authentication and look at the Input tab, it will tell you what the incoming attributes were for authentication.  You can compare it to the requirements on the service tab to see what you were missing:

     

    service.PNG

     

    For guest access it is probably best that you create the service using a service template in CPPM, because it will save you some time.  If you want to stick with what you have, please use the suggestion above to figure out why it is not being classified/handled by your guest service.



  • 5.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 01:37 PM

    I used the service templates to do the initial setup.  I used the Guest Access template.

     

    The only service rules I have set up are Calling-Station-Id, Client-Mac-Address, and Aruba-Essid-Name.  I configured the ESSID to match against the SSID I'm using for guest access.  Initially, CPPM wasn't even hitting this service but was matching with a different service.  I was able to get CPPM to use the guest access service I had set up by changing the match criteria of the service rule to ANY from ALL of the following conditions.  I'm not sure if this is also a clue into why this isn't working for me.



  • 6.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 01:39 PM

    What specifically are you looking at for the Calling Station ID and Client MAC address?  You do not want to specify those on the services tab, unless you just want to make sure that they exist...



  • 7.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 02:00 PM

    Nothing specific.  Those service rules were included as part of the default parameters when I went through the Services Templates.  I took them out as I want to keep it as simple as possible to get this working.  I'm still getting the same error.  It keeps stating it can't find a user in the localhost Guest User Repository and that it cannot select the appropriate authentication method.

     

    I also want to reiterate that I never get the self registration web page.  I try to get the page to come up by trying to access google.com and the browser just sits there waiting eventually timing out.  I do have network connectivity as I can ping the gateway.



  • 8.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 02:03 PM

    Well then, you need to add the guest repository as an authentication source to the service.  If you used the template, it would have already added that.  You also might want to check to see what authentication method is being used in the Input tab of the access tracker to determine what to add.  BOTH should have been added by the template.

     

     



  • 9.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 02:13 PM

    Yes.  The [Guest User Repository][Local SQL DB] is configured under Authentication Sources set up with Service Templates.  Under the Input tab in Access Tracker, I don't see anywhere where it states what Authentication source is being used.  All I have listed under Computed Attributes are:

     

    Authentication:

    ErrorCode

    Full-Username

    Full-Username-Normalized

    MacAuth

    Posture

    Status

    Username

     

    The username looks to be some randomly generated name as it's a mix of numbers and letters.



  • 10.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 02:15 PM

    @zx10guy wrote:

    Yes.  The [Guest User Repository][Local SQL DB] is configured under Authentication Sources set up with Service Templates.  Under the Input tab in Access Tracker, I don't see anywhere where it states what Authentication source is being used.  All I have listed under Computed Attributes are:

     

    Authentication:

    ErrorCode

    Full-Username

    Full-Username-Normalized

    MacAuth

    Posture

    Status

    Username

     

    The username looks to be some randomly generated name as it's a mix of numbers and letters.


    It will not say the source in access tracker.  

     

    It looks like you might have the controller configured for mac caching (sending a user's mac address as the username), but you do not have a service on the CPPM side to handle mac caching.

     



  • 11.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 02:19 PM

    That's correct.  I don't have a service set up to do MAC caching.  Is this a requirement alongside the Guest Access service?  I also don't recall setting up my controller to send the MAC address as part of the login.  And you're right.  What I'm seeing as the username is indeed the MAC address of the client I'm using for testing.

     

     



  • 12.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 02:20 PM

    On the controller in the AAA profile for your SSID, change the mac authentication profile to N/A



  • 13.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 02:37 PM

    I changed the mac authentication profile to N/A and I didn't get a query to ClearPass.  Nothing showed up on Access tracker.  When I changed it back to default, I was able to see an entry in Access tracker.



  • 14.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 02:55 PM

    Clearly the authentication on your ClearPass needs looking into (and MAC auth might well be important later), but the first issue you raised is not seeing the registration page, correct?

     

    If so, post us an output of the "aaa authentication captive-portal ABC" profile configuration, in use on your service (where ABC is the profile name).

     

    And, post us an output of the user-role configuration (firewall policy), that applies to the device you're testing with when it's connected (might be "logon" or similar).

     

    Often times, your first problem will be either...

     

    1. Your client cannot resolve the DNS name in the captive-portal config login page name (try nslookup).

    2. Your firewall policy doesn't permit the HTTP or HTTPS to that same page.

     

    Have you checked both these things?

     



  • 15.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 03:03 PM

    Yes.  I'm not getting the registration page at all.

     

    I'll post up the config for the pages you've requested in a bit.

     

    For the URL to the ClearPass registration page under the Captive Portal config in my controller, I used the IP address of the ClearPass server to rule out any DNS resolution problems.



  • 16.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 04:10 PM

    zx10guy,

     

    Can you click on the URL from your desk and get the page to pop up?

     



  • 17.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 04:27 PM

    If you're using the IP in the redirect (and therefore no full public cert), another thing to check is if the page doesn't display due to browser security.

     

    Whereas the likes of IE presents a red-x warning, some like safari with the fraud prevention on, will sometimes not present the page at all if it looks untrustworthy.



  • 18.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 05:22 PM

    I've attached some screenshots.

     

    I can launch the registration page outside of the SSID I'm using for guest access which is through a wireless client on a different SSID on the same subnet as the one I'm using for guest access. 



  • 19.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 05:26 PM

    Do you have an IP interface for the user subnet on the controller?



  • 20.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 05:36 PM

    Are you able to reach the captive portal page ?



  • 21.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 06:58 PM

    Yes.  I'm able to reach the captive portal/registration page if I'm not going through the SSID I set up for captive portal.

     

    I tested this in two ways.  First was to use the guest SSID which is not working as I don't get the captive portal page.  Instead, it looks like the controller is passing the MAC address of my wireless client as the username to ClearPass.  And ClearPass is not completing the authorization as it thinks it's trying to authenticate the MAC address as a username in its local guest user database.  While connected to the guest SSID but not authenticated, I can ping from the wireless client the gateway and the ClearPass server.  I even tested to see if I can reach port 80 on the ClearPass server by Telneting to the CPPM server on port 80.  The connection didn't time out and I was able to get line feeds when I hit the return key.  So I'm pretty sure I have full network connectivity to the CPPM server.

     

    The second way I tested to see if I can get the registration page was to connect a wireless client to another SSID which doesn't have captive portal set up on it.  So from the same subnet as the one the guest SSID is associated with, I can type in the URL for the registration page on CPPM and it will come up.

     

    I'm starting to think there's some issue with the configuration on the controller but I can't figure out where to begin to look.  I'm pretty sure I have everything configured correctly.



  • 22.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 07:57 PM

    Review the following :

    Uncheck the Logout popup and add a welcome page

    2014-01-19 22_51_03-L3 Authentication.png

    Make sure that Captive portal profile has been added under the user-role

    2014-01-19 22_51_40-Security User Roles.png

     

    Confirm that your SVI has an IP address assigned 

     

    interface vlan 20
            ip address 172.16.20.6 255.255.255.0
            description "HOME-GUEST-SVI"

    Assigned that VLAN to the VAP

    2014-01-19 22_56_27-AP Group.png



  • 23.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 08:01 PM

    Victor,

     

    I do have the captive profile selected under user roles.  It's also shown in one of my screen captures.



  • 24.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 19, 2014 10:14 PM

    Please search the knowledgebase here: http://support.arubanetworks.com/KNOWLEDGEBASE/tabid/133/Default.aspx for "captive portal troubleshooting"



  • 25.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 10:43 PM

    @zx10guy--

     

    You've shared some good information, however I didn't see any output of the actual role of the connected client.    Can you please check that the connected client is indeed getting the CPG-Login role that you have created?    From what you've explained, MAC authentication is configured and is failing (expected at this stage).   However, upon failure, the client should be placed into the initial role of the AAA profile.  Can you share what the role for that is:  "show aaa profile <nameofprofile>".   According to your screenshots, the initial role should be CPG-Login.

     

    Please share the following:

    show user ip x.x.x.x    (IP of user connected to guest SSID but unable to access guest portal page)

    show rights CPG-Login



  • 26.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 01:15 AM

    Your output info you posted shows "https://<yourclearpass_server/guest/homecaptiveportal.php" configured within your captive portal profile as the login page.

     

    Can we assume the "<yourclearpass_server" part of this actually reads as the private IP of the clearpass server you're using?

     

    Assuming so, I'd suggest the following, as this sounds like something really simple at fault.

     

    With your test device connected, type "aaa user add x.x.x.x role authenticated" at the enable mode command line prompt on the controller (where x.x.x.x is the device IP, and authenticated is an "allow all" role which should be there by default).

     

    This will switch your test device into a fully permitted role. Now try pinging, and browsing to the URL specified in the captive portal profile. If either or both don't work, something more fundamental is wrong with the IP/routing or similar.

     

    If you can see the page, I'd normally recommend taking a client side capture next to see what's going on with the hijack.

     

    I'd still recommend having a look at your browser security too if not already done?

     

     

     

     



  • 27.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 01:23 AM

    Just looked at your screenshots further.

     

    The previous post had the 192.168.7.8 address in the login page, but your more recent one has 192.168.1.102 in it? What's the reasoning there?

     

    Based on what you've said, I'm inclined to suspect a routing problem from your 172 subnet into the 192 one. Main reasoning is you said you can view the page when not wirelessly accessing it? I'm assuming you're doing it from the wired side on the 192 subnet. If so, and it's the same client device, it could be a routing issue? If it's not the same client device, it could be a browser security issue?



  • 28.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 19, 2014 05:03 PM
    (HOME-MASTER-CONTROLLER) #show  aaa authentication captive-portal HOME-CP-AUTH-PROFILE
    
    Captive Portal Authentication Profile "HOME-CP-AUTH-PROFILE"
    ------------------------------------------------------------
    Parameter                                          Value
    ---------                                          -----
    Default Role                                       HOME-GUEST-ROLE
    Default Guest Role                                 HOME-GUEST-ROLE
    Server Group                                       HOME-CLEARPASS_SERVER-GROUP
    Redirect Pause                                     10 sec
    User Login                                         Enabled
    Guest Login                                        Disabled
    Logout popup window                                Disabled
    Use HTTP for authentication                        Disabled
    Logon wait minimum wait                            5 sec
    Logon wait maximum wait                            10 sec
    logon wait CPU utilization threshold               60 %
    Max Authentication failures                        0
    Show FQDN                                          Disabled
    Authentication Protocol                            PAP
    Login page                                         https://<yourclearpass_server/guest/homecaptiveportal.php
    Welcome page                                       http://www.google.com
    Show Welcome Page                                  Yes
    Add switch IP address in the redirection URL       Disabled
    Adding user vlan in redirection URL                Disabled
    Add a controller interface in the redirection URL  N/A
    Allow only one active user session                 Disabled
    White List                                         N/A
    Black List                                         N/A
    Show the acceptable use policy page                Disabled
    User idle timeout                                  N/A
    Redirect URL                                       N/A
    Bypass Apple Captive Network Assistant             Disabled

     

     

    (HOME-MASTER-CONTROLLER) #show  rights HOME-CAPTIVEPORTAL-ROLE
    
    Derived Role = 'HOME-CAPTIVEPORTAL-ROLE'
     Up BW:No Limit   Down BW:No Limit
     L2TP Pool = default-l2tp-pool
     PPTP Pool = default-pptp-pool
     Periodic reauthentication: Disabled
     ACL Number = 58/0
     Max Sessions = 65535
    
     Captive Portal profile = HOME-CP-AUTH-PROFILE
    
    access-list List
    ----------------
    Position  Name                  Type     Location
    --------  ----                  ----     --------
    1         HOME-CAPTIVE-PORTAL-ACL  session
    
    CAPTIVE-PORTAL-ACL-B
    --------------------
    Priority  Source  Destination     Service    Action        TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
    --------  ------  -----------     -------    ------        ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
    1         user    HOME-CLEARPASS  svc-http   permit                                 Low                                                           4
    2         user    HOME-CLEARPASS  svc-https  permit                                 Low                                                           4
    4         any     HOME-CLEARPASS  any        permit                                 Low                                                           4
    5         user    any             svc-dhcp   permit                                                   Low                                                           
    6         user    any             svc-dns    permit                                 Low                                                           4
    7         user    any             svc-icmp   permit                                 Low                                                           4
    8         user    any             svc-https  dst-nat 8081                           Low                                                           4
    9         user    any             svc-http   dst-nat 8080                           Low                                                           4

     

     

     

     

    2014-01-19 19_56_01-ClearPass Policy Manager - Aruba Networks.png

     

    2014-01-19 19_56_35-ClearPass Policy Manager - Aruba Networks.png

     

    2014-01-19 19_56_55-ClearPass Policy Manager - Aruba Networks.png

     

    2014-01-19 19_57_04-ClearPass Policy Manager - Aruba Networks.png
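
The rule order in a pre-authentication role like the one listed above decides whether the redirect can work at all, so here is an added example (not part of the original thread, and not Aruba code) that audits such a rule table. It assumes first-match-wins evaluation with an implicit deny at the end; the sample tables are constructed, and `parse_rules`, `first_match` and `audit` are hypothetical helper names.

```python
# Audit the session ACL of a captive-portal pre-auth role.
# Input: the rule rows of a "show rights <role>" listing, pasted as text.
# Model (assumption): rules are evaluated in priority order, first match wins,
# and anything unmatched hits an implicit deny.

# Constructed sample, shaped like the listing in the post above.
SAMPLE_GOOD = """\
Priority  Source  Destination     Service    Action        Queue  IPv4/6
--------  ------  -----------     -------    ------        -----  ------
1         user    HOME-CLEARPASS  svc-http   permit        Low    4
2         user    HOME-CLEARPASS  svc-https  permit        Low    4
5         user    any             svc-dhcp   permit        Low
6         user    any             svc-dns    permit        Low    4
8         user    any             svc-https  dst-nat 8081  Low    4
9         user    any             svc-http   dst-nat 8080  Low    4
"""

# Constructed sample with two mistakes: no DNS rule, and the dst-nat
# catch-all rules sit above the permits for the portal host.
SAMPLE_BAD = """\
1         user    any             svc-dhcp   permit        Low
2         user    any             svc-http   dst-nat 8080  Low    4
3         user    any             svc-https  dst-nat 8081  Low    4
4         user    HOME-CLEARPASS  svc-http   permit        Low    4
5         user    HOME-CLEARPASS  svc-https  permit        Low    4
"""


def parse_rules(text):
    """Return the rule rows as dicts, sorted by priority."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue  # header, separator or blank line
        action = tok[4]
        # "dst-nat 8080" is one action spread over two tokens
        if action in ("dst-nat", "src-nat") and len(tok) > 5 and tok[5].isdigit():
            action += " " + tok[5]
        rules.append({"prio": int(tok[0]), "src": tok[1], "dst": tok[2],
                      "svc": tok[3], "action": action})
    return sorted(rules, key=lambda r: r["prio"])


def first_match(rules, dst, svc):
    """First rule matching a flow. dst=None means 'some host other than the portal'."""
    for r in rules:
        if r["dst"] in ("any", dst) and r["svc"] in ("any", svc):
            return r
    return None


def audit(rules, portal):
    """List the flows whose first matching rule is not what a portal role needs."""
    checks = [
        ("DHCP", None, "svc-dhcp", "permit"),
        ("DNS", None, "svc-dns", "permit"),
        ("HTTP to portal", portal, "svc-http", "permit"),
        ("HTTPS to portal", portal, "svc-https", "permit"),
        ("HTTP to other hosts", None, "svc-http", "dst-nat"),
    ]
    findings = []
    for label, dst, svc, want in checks:
        r = first_match(rules, dst, svc)
        got = r["action"].split()[0] if r else "implicit deny"
        if got != want:
            where = f"rule {r['prio']}" if r else "no rule"
            findings.append(f"{label}: expected {want}, first match is {got} ({where})")
    return findings


if __name__ == "__main__":
    for name, table in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        result = audit(parse_rules(table), "HOME-CLEARPASS")
        print(name, "->", result or "no findings")
```

This only checks the ACL; it does not cover the other causes raised in the thread, such as the controller having no IP address on the client VLAN.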

     

     



  • 29.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 02:01 AM
    Also see this was the web login pre-auth service, not the web login service. The pre-auth service checks the username/password yet isn't an authentication; it just makes sure the user/password is correct. So web authentication service should be higher in your list, unless you have specific need to verify username and password before authentication (different service).


  • 30.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 09:08 AM

    Before I get much further, I really appreciate all the help I'm getting.

     

    With respect to the question about the IP address mismatch between the different captive portal/registration pages, the screenshots which are pasted as images in a few replies are not mine.  They're from another responder trying to help who is pasting their working config in their replies.

     

    So I did some of the things suggested and the output is in the attached text file.  I also included a screenshot of the client info from the GUI of the controller.

     

    I tried the suggestion to change the authentication state of the test client to authenticated.  I can't ping the default gateway for the subnet nor access the registration page.  As a test, I switched this wireless client over to the other SSID without captive portal and the test client is able to access the registration page directly.

     

    It looks like my problem seems to be at the controller, but I have no clue where.

    Attachment(s)

    txt
    output.txt   5 KB 1 version


  • 31.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 09:55 AM

    I just want to clear up a bit more confusion on my part I'm afraid. First, based on what you said/attached to date...

     

    Clearpass = 192.168.7.8/24?

    Captive portal associated client vlan/subnet (based on earlier info) = 172.16.20.0/24?

     

    In reference to the second point, the latest client data shows the client on vlan 99, using a static address of 192.168.5.4. So, does this client work or not work? Or is this the main one we're now looking at?

     

    I'm really of the mind this is a simple routing issue. So...

     

    Can you list all vlans with associated subnets, what they're used for, which device provides DHCP for each, and which device is the default gateway for each? If the default gateway is different on the various networks, how do those IP devices reach each other?

     

    As a simple suggestion, what happens if you associate the VAP in this case with the vlan on which clearpass resides? I bet it works?



  • 32.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 09:55 AM


    Things you can do based on your earlier posts (please correct if wrong):

    -  You can ping the gateway from that role/SSID....so we know your gateway works

    -  You can ping the CPPM server from that role/SSID...so we know routing to and from CPPM works

    -  You can reach CPPM web registration page from a different SSID....so we know the URL is functional

     

    Things to check:

    -  Have you tested that DNS works?   (nslookup? ping a hostname?)

    -  Try browsing to http://1.1.1.1 to see if captive portal redirects you to the portal

    -  Does the controller have an IP on the guest client vlan; vlan 99 (192.168.5.x) in your case

    -  Can ClearPass ping that IP on the controller (vlan 99)?

     

     

     



  • 33.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 11:09 AM

    Ok.  Major ID10T error on my part.  Thanks for the eagle eyes on my posted info.  What clued me in to something weird was the VLAN 99 reference.  I made a change to a different VLAN over the weekend to 5 but due to some other stuff going on, had to reboot my controller.  I didn't save the config with the change of my guest SSID assigned to VLAN 5.  So this explains why a lot of things didn't work as expected.

     

    I went back and retested after changing the VLAN of my guest SSID to 5.  I'm happy to report things are much closer to finally working.  Here are the findings:

     

    I definitely have a DNS issue.  I can ping everything outside of my subnet to include the DNS server.  So there is no routing issue.  This is if the client is operating under the initial CPG-Login role or if it is fully authenticated.

     

    I do not have the capability of doing DNS lookups when the client is in the CPG-Login role.  I do have DNS lookup capability if I manually change the client role to authenticated.  I can browse perfectly fine when the client role is authenticated when it is connected to the guest SSID.

     

    Just to do some additional testing, I decided to go through the self registration by manually entering the URL path with just the IP address of the ClearPass server.  I was able to get through the entire registration process on my test client.  However, I am still unable to get DNS name resolution after registration.  I checked on the status of the test client on the controller and it shows no change in the client's role.  It still shows as CPG-Login.

     

    I guess the first hurdle is to fix the DNS name resolution issue.  There is a permit listed in the logon control firewall rule under the CPG-Login role.  I don't understand why this DNS permit ACL isn't working.



  • 34.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 11:15 AM

    One more thing I wanted to add, I don't have the controller set up as an L3 device for this network.  It's just providing L2 connectivity.



  • 35.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 12:21 PM

    @zx10guy wrote:

    One more thing I wanted to add, I don't have the controller set up as an L3 device for this network.  It's just providing L2 connectivity.


    Just want to be clear; despite the controller not doing any L3, it still needs an IP address on any VLAN that is being used for Captive Portal.   It is required for the redirect functionality.

     

    As was stated by The.racking.monkey; if you use an IP in the browser, DNS has no involvement.   If you cannot get redirected when you type http://1.1.1.1 while in the CPG-Logon role then it is usually one of the following:

     

    1) No IP on the client VLAN

    2) Routing issue (ruled out)

    3) URL availability (ruled out)

    4) NAT issue (more or less ruled out with ICMP capability)

     

    Outside of this, it seems you have a DNS Issue that needs to be resolved.


    @zx10guy wrote:

    I definitely have a DNS issue.  I can ping everything outside of my subnet to include the DNS server.  So there is no routing issue.  This is if the client is operating under the initial CPG-Login role or if it is fully authenticated.

     

    I do not have the capability of doing DNS lookups when the client is in the CPG-Login role.  I do have DNS lookup capability if I manually change the client role to authenticated.  I can browse perfectly fine when the client role is authenticated when it is connected to the guest SSID.

     

    Just to do some additional testing, I decided to go through the self registration by manually entering the URL path with just the IP address of the ClearPass server.  I was able to get through the entire registration process on my test client.  However, I am still unable to get DNS name resolution after registration.  I checked on the status of the test client on the controller and it shows no change in the client's role.  It still shows as CPG-Login.

     


    On these items:

    1) Where is the DNS server located?   ICMP is clearly allowed to it from your guest VLAN, but is DNS allowed (not on the Aruba setup, but are there any other ACLs out there)?

    2) Simply registering will not change your role; you'd have to be sent there as part of the Captive Portal redirect

     



  • 36.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 02:53 PM

    Update.

     

    clembo is correct about the registration webpage redirect problem.  Once I added an interface into the guest subnet on the controller, the captive portal part works fine.

     

    The only issues left right now are the DNS resolution issue and once I went through the registration process on my test client, I still don't have DNS resolution.  What happens is when I try to hit a site like Google, I get a redirect back to the registration webpage on ClearPass.

     

    This setup is currently in a lab type environment so there's no huge rush to get this working.  Going with TAC is an option but it's currently a complicated situation for me that is being sorted out.  I would like to continue getting this hashed out here if you all don't mind.

     

    Again, appreciate all the help so far.



  • 37.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 03:08 PM

    Once the device is authenticated (manually or whatever), do a manual nslookup for Google and post the output (pic or text).



  • 38.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 03:18 PM

    This is what I get when I try a manual nslookup:

     

    C:\Users\admin>nslookup www.google.com
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  2001:4888:16:ff00:1e1:d::

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to UnKnown timed-out

     

    The user role still shows as CPG-Login for my test client.  In ClearPass, the user I registered shows as enabled.  If I manually change the role of the client to authenticated, everything works fine.



  • 39.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 04:24 PM

    That output looks like you're looking for an IPv6 DNS server?

     

    What does an "ipconfig /all" output look like?



  • 40.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 04:26 PM

    Oh, and don't forget (as I mentioned before)...

     

    Do a "show datapath session table | include X.X.X.X" in the controller CLI, where X is the client IP just after trying a DNS lookup which fails in the login role and paste the output. We're looking for D flags at the end column.

     



  • 41.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 21, 2014 12:04 AM

     


    @zx10guy wrote:

    This is what I get when I try a manual nslookup:

     

    C:\Users\admin>nslookup www.google.com
    DNS request timed out.
        timeout was 2 seconds.
    Server:  UnKnown
    Address:  2001:4888:16:ff00:1e1:d::

     


    OK, glad we got you through the redirect page....now for DNS.     On the client, check what your DNS servers are (ipconfig /all).  It doesn't look like they are defined properly (either through DHCP or manually).     It will need to be a DNS server that is reachable, by your roles/policies, any DNS server should work; for external use, I usually use Google's 8.8.8.8 and 8.8.4.4 for guest networks.

     

    EDIT:  as The.racking.monkey mentions, it looks like only an IPv6 address is being tried.



  • 42.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 12:00 PM

    Progress!

     

    Agreed, DNS first as that's weird.

     

    Strictly speaking, if you're re-directing to a login page with an IP address in it as you say, then the DNS shouldn't matter too much. It is however interesting that it doesn't work, yet it does if you switch to an authenticated role? Your login role did look like DNS should be permitted. Do a "show datapath session table | include X.X.X.X" in the controller CLI, where X is the client IP just after trying a DNS lookup which fails in the login role and paste the output. We're looking for D flags at the end column.

     

    FYI, simply by registering, you might well not get role switched. Depends on the ClearPass pages setup. To verify the outcome of the pages you have now, go into CPPM>config>identity>guest users and look at the account status of the user you registered.

     



  • 43.  RE: Trouble with setting up ClearPass Guest Self Registration

    EMPLOYEE
    Posted Jan 20, 2014 02:26 PM
    This is a good time to open a TAC case in parallel.


  • 44.  RE: Trouble with setting up ClearPass Guest Self Registration

    Posted Jan 20, 2014 02:33 PM

    CJ is probably right. There's lots of minor issues by the looks of it, complex to fix on here. But if not in a rush, carry on!