Valued Contributor I

Re: Trouble with setting up ClearPass Guest Self Registration

I just want to clear up a bit more confusion on my part I'm afraid. First, based on what you said/attached to date...

 

Clearpass = 192.168.7.8/24?

Captive portal associated client vlan/subnet (based on earlier info) = 172.16.20.0/24?

 

In reference to the second point, the latest client data shows the client on vlan 99, using a static address of 192.168.5.4. So, does this client work or not work? Or is this the main one we're now looking at?

 

I'm really of the mind this is a simple routing issue. So...

 

Can you list all vlans with associated subnets, what they're used for, which device provides DHCP for each, and which device is the default gateway for each? If the default gateway is different on the various networks, how do those IP devices reach each other?

 

As a simple suggestion, what happens if you associate the VAP in this case with the vlan on which clearpass resides? I bet it works?

Kudos appreciated, but I'm not hunting! (ACMX 104)
Aruba

Re: Trouble with setting up ClearPass Guest Self Registration


Things you can do based on your earlier posts (please correct if wrong):

-  You can ping the gateway from that role/SSID....so we know your gateway works

-  You can ping the CPPM server from that role/SSID...so we know routing to and from CPPM works

-  You can reach CPPM web registration page from a different SSID....so we know the URL is functional

 

Things to check:

-  Have you tested that DNS works?   (nslookup? ping a hostname?)

-  Try browsing to http://1.1.1.1 to see if captive portal redirects you to the portal

-  Does the controller have an IP on the guest client vlan; vlan 99 (192.168.5.x) in your case

-  Can ClearPass ping that IP on the controller (vlan 99)?

 

 

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Occasional Contributor II

Re: Trouble with setting up ClearPass Guest Self Registration

Ok.  Major ID10T error on my part.  Thanks for the eagle eyes on my posted info.  What clued me in to something weird was the VLAN 99 reference.  I made a change to a different VLAN over the weekend to 5 but due to some other stuff going on, had to reboot my controller.  I didn't save the config with the change of my guest SSID assigned to VLAN 5.  So this explains why a lot of things didn't work as expected.

 

I went back and retested after changing the VLAN of my guest SSID to 5.  I'm happy to report things are much closer to finally working.  Here are the findings:

 

I definitely have a DNS issue.  I can ping everything outside of my subnet to include the DNS server.  So there is no routing issue.  This is if the client is operating under the initial CPG-Login role or if it is fully authenticated.

 

I do not have the capability of doing DNS lookups when the client is in the CPG-Login role.  I do have DNS lookup capability if I manually change the client role to authenticated.  I can browse perfectly fine when the client role is authenticated when it is connected to the guest SSID.

 

Just to do some additional testing, I decided to go through the self registration by manually entering the URL path with just the IP address of the ClearPass server.  I was able to get through the entire registration process on my test client.  However, I am still unable to get DNS name resolution after registration.  I checked on the status of the test client on the controller and it shows no change in the client's role.  It still shows as CPG-Login.

 

I guess the first hurdle is to fix the DNS name resolution issue.  There is a permit listed in the logon control firewall rule under the CPG-Login role.  I don't understand why this DNS permit ACL isn't working.

Occasional Contributor II

Re: Trouble with setting up ClearPass Guest Self Registration

One more thing I wanted to add, I don't have the controller set up as an L3 device for this network.  It's just providing L2 connectivity.

Valued Contributor I

Re: Trouble with setting up ClearPass Guest Self Registration

Progress!

 

Agreed, DNS first as that's weird.

 

Strictly speaking, if you're re-directing to a login page with an IP address in it as you say, then the DNS shouldn't matter too much. It is however interesting that it doesn't work, yet it does if you switch to an authenticated role? Your login role did look like DNS should be permitted. Do a "show datapath session table | include X.X.X.X" in the controller CLI, where X is the client IP just after trying a DNS lookup which fails in the login role and paste the output. We're looking for D flags at the end column.

 

FYI, simply by registering, you might well not get role switched. Depends on the clearpass pages setup. To verify the outcome of the pages you have now, go into CPPM>config>identity>guest users and look at the account status of the user you registered.

 

Kudos appreciated, but I'm not hunting! (ACMX 104)
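One way to read that "show datapath session table" output mechanically instead of eyeballing the flags column, as an added example that is not from any poster or from Aruba; it assumes the column layout shown in the constructed sample (source, destination, protocol and ports first, flag letters last) and that a D in the flags column marks a session the role ACL denied:

```python
import re

# Constructed sample (not real controller output), modelled on the datapath session
# table: src, dst, proto, sport, dport lead each row, the flag letters sit in the last
# column. D = deny, C = client, R = redirect are assumed from the table's own legend.
SAMPLE_OUTPUT = """\
Source IP       Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets Bytes Flags
--------------- --------------- ---- ----- ----- ------ ---- --- --- ----------- ---- ------- ----- -----
192.168.5.4     192.168.7.8     17   52213 53    0/0    0    0   1   tunnel 10   1    2       120   FCD
192.168.5.4     192.168.7.8     17   52214 53    0/0    0    0   0   tunnel 10   0    1       60    FCD
192.168.5.4     203.0.113.10    6    51001 80    0/0    0    0   1   tunnel 10   1    1       60    FCR
"""

ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+.*?(\S+)\s*$"
)
UDP, TCP, DNS_PORT = 17, 6, 53

def parse_sessions(text):
    """Return one dict per session row; header, separator and legend lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        src, dst, proto, sport, dport, flags = m.groups()
        sessions.append({"src": src, "dst": dst, "proto": int(proto),
                         "sport": int(sport), "dport": int(dport), "flags": flags})
    return sessions

def dns_sessions(sessions, client_ip):
    """Split the client's outbound DNS sessions into denied (D flag) and allowed."""
    denied, allowed = [], []
    for s in sessions:
        if s["src"] != client_ip or s["dport"] != DNS_PORT or s["proto"] not in (UDP, TCP):
            continue
        (denied if "D" in s["flags"] else allowed).append(s)
    return denied, allowed

def diagnose(text, client_ip):
    """One-line verdict saying which side of the controller to look at next."""
    denied, allowed = dns_sessions(parse_sessions(text), client_ip)
    if not denied and not allowed:
        return "no DNS sessions for client: the lookup never entered the datapath"
    if denied:
        servers = ", ".join(sorted({s["dst"] for s in denied}))
        return f"DNS denied by the role ACL toward {servers}: check the login role policy"
    return "DNS permitted on the controller: look at upstream ACLs or the DNS server"
```

Paste the real `| include <client IP>` output in place of the sample; an empty result points at the client or the AP, denied rows at the role policy, and allowed rows at something beyond the controller.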
Aruba

Re: Trouble with setting up ClearPass Guest Self Registration


@zx10guy wrote:

One more thing I wanted to add, I don't have the controller set up as an L3 device for this network.  It's just providing L2 connectivity.


Just want to be clear; despite the controller not doing any L3, it still needs an IP address on any VLAN that is being used for Captive Portal.   It is required for the redirect functionality.

 

As was stated by The.racking.monkey; if you use an IP in the browser, DNS has no involvement.   If you cannot get redirected when you type http://1.1.1.1 while in the CPG-Logon role then it is usually one of the following:

 

1) No IP on the client VLAN

2) Routing issue (ruled out)

3) URL availability (ruled out)

4) NAT issue (more or less ruled out with ICMP capability)

 

Outside of this, it seems you have a DNS Issue that needs to be resolved.


@zx10guy wrote:

I definitely have a DNS issue.  I can ping everything outside of my subnet to include the DNS server.  So there is no routing issue.  This is if the client is operating under the initial CPG-Login role or if it is fully authenticated.

 

I do not have the capability of doing DNS lookups when the client is in the CPG-Login role.  I do have DNS lookup capability if I manually change the client role to authenticated.  I can browse perfectly fine when the client role is authenticated when it is connected to the guest SSID.

 

Just to do some additional testing, I decided to go through the self registration by manually entering the URL path with just the IP address of the ClearPass server.  I was able to get through the entire registration process on my test client.  However, I am still unable to get DNS name resolution after registration.  I checked on the status of the test client on the controller and it shows no change in the client's role.  It still shows as CPG-Login.

 


On these items:

1) Where is the DNS server located?   ICMP is clearly allowed to it from your guest VLAN, but is DNS allowed (not on the Aruba setup, but are there any other ACLs out there)?

2) Simply registering will not change your role; you'd have to be sent there as part of the Captive Portal redirect

 

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Guru Elite

Re: Trouble with setting up ClearPass Guest Self Registration

This is a good time to open a TAC case in parallel.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
Valued Contributor I

Re: Trouble with setting up ClearPass Guest Self Registration

CJ is probably right. There are lots of minor issues by the looks of it, complex to fix on here. But if not in a rush, carry on!

Kudos appreciated, but I'm not hunting! (ACMX 104)
Occasional Contributor II

Re: Trouble with setting up ClearPass Guest Self Registration

Update.

 

clembo is correct about the registration webpage redirect problem.  Once I added an interface into the guest subnet on the controller, the captive portal part works fine.

 

The only issues left right now are the DNS resolution issue and once I went through the registration process on my test client, I still don't have DNS resolution.  What happens is when I try to hit a site like Google, I get a redirect back to the registration webpage on ClearPass.

 

This setup is currently in a lab type environment so there's no huge rush to get this working.  Going with TAC is an option but it's currently a complicated situation for me that is being sorted out.  I would like to continue getting this hashed out here if you all don't mind.

 

Again, appreciate all the help so far.

Valued Contributor I

Re: Trouble with setting up ClearPass Guest Self Registration

Once the device is authenticated (manually or whatever), do a manual nslookup for Google and post the output (pic or text).

Kudos appreciated, but I'm not hunting! (ACMX 104)