Aruba

Re: clearpass guest with captive portal

Unrelated, you'll want to change your "Default Role" within your captive portal profile to another role.  You have it set at your logon role; you want it to be a post logon role.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor II

Re: clearpass guest with captive portal

I disabled https everywhere and I cleared my browser cache in IE, but still no love.  I also tried Firefox and Chrome browsers, but nothing.  When I try to browse, IE and Firefox show a message in the bottom left corner of the browser that says Connecting to 172.20.1.253...; Chrome just says Sending Request.  Below are some screen shots of my controller config:

[Screenshots: aaa_prof.PNG, CPGuest-logon Policies.PNG, CPG-web-ACL.PNG]

Regards,
DAK
Contributor II

Re: clearpass guest with captive portal

I changed the default role to guest in this profile.

[Screenshot: L3 Auth.PNG]

Regards,
DAK
Contributor II

Re: clearpass guest with captive portal

When a guest client connects and requests the login page, is the source address of the request from the guest IP, or the controller IP?

Regards,
DAK
MVP Expert

Re: clearpass guest with captive portal

Two documents that should help you along your way here:

  • Amigopod-AOS-Integration-AppNote.pdf
  • Aruba Wireless and ClearPass 6 Integration Guide v1.3.pdf

If you have activated Source NAT on the guest VLAN then the Controller IP is the source IP. Read more about this in the amigopod integration appnote - which is quite good and detailed.

Default Role of Captive Profile shouldn't be -logon role, but the role you want to place it in once authenticated. Usually just some variation of "guest".

And now just some random might help things ;)

------------

You are doing User login, not Guest login when implementing Clearpass.

Assuming that Controller is DHCP and default gateway for the Guest Clients.

Assuming you have followed Tarnold's advice to the letter and configured for http on all four places.

You haven't reached the Radius part yet - that is first triggered after you register and login through the CP-Guest webpage, so no point troubleshooting that yet. You won't see guest web/http traffic listed in the Access Tracker.

The traffic flow between your client and the CPPM is disrupted for some reason. Might be return traffic that is blocked or not routed correctly. Does the CPPM default gateway have a route back to the client subnet? If you can ping it from the client then it should be OK, but still...

DNS lookup seems to be working 'cause if it didn't your browser wouldn't try to load the CPPM IP.

What type of client are you testing from?

Your client is redirected from the 192.168 network to the 172.20 network and not all clients like that. If Windows please turn off Windows Firewall to see if that's preventing the return traffic from Clearpass.

Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Aruba

Re: clearpass guest with captive portal

Just a quick update----

The VLAN was missing from the guest role.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II

Re: clearpass guest with captive portal

Troy is correct.  I was missing the VLAN designation in the CPGuest-logon role.

Regards,
DAK
Aruba

Re: clearpass guest with captive portal

Thanks for the update; but I am curious why/how that resolved the issue. You said you could ping CPPM; but could not get there by web; which would imply you had an IP address... was that not the case; or was the user on the wrong VLAN? Did you have a VLAN designated in the virtual AP?

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor II

Re: clearpass guest with captive portal

That is what had me confused: I could ping the CP server and I could ping the Internet, I could resolve DNS names, and I was being redirected to the CP server, but I couldn't get the Guest login page to display.  The problem was that I hadn't assigned the logon role to the proper VLAN, or any VLAN for that matter.  Once I assigned the VLAN to the logon role, the login page displayed.

Regards,
DAK
Aruba

Re: clearpass guest with captive portal

Well, if it works, it works! For reference, if you have a VLAN or VLAN pool defined in the virtual AP, you do not need to define one within the role; the client would default to the VLAN defined in the virtual AP. The one in the User Role will override the default in the Virtual AP.

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX
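
Added example, not written by any poster in this thread or by Aruba: a small Python check over a constructed ArubaOS-style config that flags the two issues the thread settles on, a captive portal profile whose default role is still the logon role, and a guest SSID with no VLAN in either the initial role or the virtual AP. The role names come from the thread; the profile names and the stanza layout of the sample are assumptions.

```python
import shlex

# Constructed sample: role names are from the thread, profile names are placeholders.
SAMPLE = '''
aaa authentication captive-portal "guest-cp"
   default-role "CPGuest-logon"
!
user-role CPGuest-logon
   captive-portal "guest-cp"
!
aaa profile "guest-aaa"
   initial-role "CPGuest-logon"
!
wlan virtual-ap "guest-vap"
   aaa-profile "guest-aaa"
'''

KINDS = ("aaa authentication captive-portal", "user-role", "aaa profile", "wlan virtual-ap")

def parse(text):
    """Return {(stanza kind, name): {setting: first argument}}."""
    stanzas, current = {}, None
    for line in (l for l in text.splitlines() if l.strip() not in ("", "!")):
        if not line[0].isspace():  # an unindented line opens a new stanza
            kind = next((k for k in KINDS if line.startswith(k + " ")), None)
            key = (kind, shlex.split(line[len(kind):])[0]) if kind else None
            current = stanzas.setdefault(key, {}) if key else None
        elif current is not None:
            words = shlex.split(line)
            current[words[0]] = words[1] if len(words) > 1 else ""
    return stanzas

def audit(text):
    """Flag the two misconfigurations discussed in the thread."""
    cfg = parse(text)
    roles = {name: body for (kind, name), body in cfg.items() if kind == "user-role"}
    findings = []
    for (kind, name), body in cfg.items():
        if kind == "aaa authentication captive-portal":
            pre_auth = [r for r, b in roles.items() if b.get("captive-portal") == name]
            if body.get("default-role") in pre_auth:
                findings.append(f"{name}: default-role is the logon role {body['default-role']}")
        elif kind == "wlan virtual-ap":
            role = cfg.get(("aaa profile", body.get("aaa-profile")), {}).get("initial-role")
            # A VLAN in the role overrides the virtual AP's; flag when neither is set.
            if not (roles.get(role, {}).get("vlan") or body.get("vlan")):
                findings.append(f"{name}: no VLAN in role {role} or in the virtual AP")
    return findings
```

`audit(SAMPLE)` returns both findings; pointing `default-role` at the post-logon role and adding a `vlan` line to either the logon role or the virtual AP clears them.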
