Super Contributor I

CNA enabled for guest logon resulting in HTTPS POST to cluster member's VRRP address

We have a working captive portal network (WiFi@OSU) where CNA bypass was enabled. The user experience was that after associating, the user would have to manually open a web browser and click through as an anonymous guest. This worked perfectly. 


Once we enabled support of CNA (by *not* allowing web traffic to Apple's CNA check for example), the captive portal network assistant mini browser launches. When user clicks through as a guest, we get a "Cannot Verify Server Identity" warning where we have to trust a certificate. 

What I've discovered is that with CNA support, once the user clicks through as a guest, the client does an HTTPS POST to the VRRP address for the controller (since the lc-cluster configuration is supporting VRRPs for each member to support COA). When CNA support is disabled, that same HTTPS POST is done to the controller's IP, *not* the VRRP address. 

The controller has a valid wildcard certificate (*.net.ohio-state.edu) configured for web-server portfolio, and the ClearPass guest page correctly uses captiveportal-logon.net.ohio-state.edu as the destination for the post. 

This issue is observed on iOS and macOS. Android is unaffected because Android's certificate validation is not as secure.

I tried adding a line to the 'captiveportal' session ACL that mimics the "user controller svc-https dst-nat 8081" policy that is built in but for the VRRP address as well. I also tried enabling HTTP instead of HTTPS in the captive portal. Symptoms remain after doing both of these tests.


Has anyone encountered this?

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Guru Elite

Re: CNA enabled for guest logon resulting in HTTPS POST to cluster member's VRRP address

Ryan,


Without knowing the details of your setup, it seems one post is a ClearPass Server-initiated flow (from the VRRP) vs. a Controller-initiated flow (EDIT) (HTTP POST to the certificate FQDN address).


@timc?


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.4 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Aruba Central Documentation
Sign up for Security Alerts
Aruba Technical Webinars
Super Contributor I

Re: CNA enabled for guest logon resulting in HTTPS POST to cluster member's VRRP address

Actually, both pages are configured in clearpass as “Controller-initiated – Guest browser performs HTTP form submit” in the web login page.

- Ryan -
==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
Super Contributor I

Re: CNA enabled for guest logon resulting in HTTPS POST to cluster member's VRRP address

For closure, we realized (with TAC's help) that we had enabled the "include switchip in URL" knob in the AOS captive portal authentication profile. We had done this to integrate with our third party, but since "Dynamic Address" was also enabled in ClearPass, the web login page was using that switchip value in the HTTP POST.


So, our final solution was to sustain the switchip knob in captive portal auth profile in the controller while disabling the 'Dynamic Address' option in the ClearPass Guest Web Login configuration.


FYI for anyone that runs into something similar.

==========
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
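The root cause in this thread is a hostname-verification failure: the web login form posted to an IP literal (the switchip/VRRP value) instead of the FQDN covered by the wildcard certificate, so the client could not match the certificate to the target and raised "Cannot Verify Server Identity". The following is an added example, not code from the thread, Aruba or ClearPass, that inspects a captured web login page, extracts each form's POST target, and classifies it as covered by the certificate name, an IP literal (which a DNS-name certificate never covers), or not covered. The sample pages, the address 192.0.2.10 and the wildcard name are constructed for illustration; the wildcard match follows the usual one-label rule for a leftmost `*`.

```python
"""Check whether a captive-portal login form posts to a host that the
controller's certificate actually covers, or to a bare IP literal."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _FormActionParser(HTMLParser):
    """Collect the action attribute of every <form> tag in the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            for name, value in attrs:
                if name.lower() == "action" and value:
                    self.actions.append(value)


def form_post_targets(html):
    """Return the hostname (or IP literal) of each form action URL."""
    parser = _FormActionParser()
    parser.feed(html)
    hosts = []
    for action in parser.actions:
        host = urlsplit(action).hostname  # already lower-cased by urlsplit
        if host:
            hosts.append(host)
    return hosts


def cert_name_matches(cert_name, host):
    """DNS-name match: a leading '*' covers exactly one leftmost label.
    An IP literal is never matched by a DNS name, which is the
    'Cannot Verify Server Identity' case when the POST goes to the VRRP IP."""
    host = host.rstrip(".").lower()
    cert_name = cert_name.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # would need an iPAddress SAN, not a DNS name
    except ValueError:
        pass
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]  # e.g. ".net.ohio-state.edu"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def classify_targets(html, cert_name):
    """Map each form target to 'covered', 'ip-literal' or 'not-covered'."""
    result = {}
    for host in form_post_targets(html):
        try:
            ipaddress.ip_address(host)
            result[host] = "ip-literal"
            continue
        except ValueError:
            pass
        result[host] = "covered" if cert_name_matches(cert_name, host) else "not-covered"
    return result


# Constructed sample pages (not captured from a real deployment).
WILDCARD = "*.net.ohio-state.edu"
PAGE_FQDN = ('<form method="post" '
             'action="https://captiveportal-logon.net.ohio-state.edu/cgi-bin/login">')
PAGE_IP = '<form method="post" action="https://192.0.2.10/cgi-bin/login">'

if __name__ == "__main__":
    for label, page in (("fqdn page", PAGE_FQDN), ("switchip page", PAGE_IP)):
        print(label, classify_targets(page, WILDCARD))
```

Run against a page saved from the client's view of the login flow (with CNA enabled and disabled) and the two results will differ exactly as described above: the FQDN target is covered, the IP target is reported as an IP literal regardless of how valid the certificate is.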