Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

  • 1.  ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    Posted Sep 15, 2022 10:03 AM
    Hi, 

    I successfully configured ClearPass captive sponsor portal with IAP with server certificate issued by a local CA. 
    But I need this setup to work with a Virtual Mobility Controller and RAP, so AP in bridge mode.
    I did a similar setup for Mobility Controller running 8.9.0.3 but for some reason after completing user/pass in captive portal no RADIUS auth request is sent from Mobility Controller towards ClearPass.
    If I change ClearPass captive portal Login Form to pre-auth Check with RADIUS I do receive & auth this req in ClearPass but nothing happens after. 
    Mobility Controller cert was issued initially for securelogin.mydomain and worked for IAP. Changed to network-login but nothing changes. I can successfully access Mobility Controller using securelogin.mydomain or network-login, cert looks ok.
    Tried also with a public star cert for mydomain with captiveportal-login.mydomain but it also did not work.
    For testing purpose I also changed AAA guest profile to MAC auth, this also works but this is not what I need.

    Any idea what to check in Mobility Controller config?

    Rgds,
    Adrian


  • 2.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    MVP EXPERT
    Posted Sep 15, 2022 06:38 PM
    Check your AAA profile if mac-authentication is configured.

    To "show" the captive-portal there is just a dns-redirection from the controller in the captive-portal profile.

    A RADIUS request for mac-auth is visible in ClearPass after submitting the form post in the captive-portal. But mac-auth must be configured in the aaa profile.

    As far as I know, the securelogin.arubanetworks.com certificate will not work and you have to import a publicly signed certificate into the controller that is used for captive-portal. The certificate in the controller doesn't need to be DNS resolvable and no firewall configuration is needed. The certificate in the controller is shown to the client after the form post and this traffic is "injected" in the traffic to the client.

    See also the image in this topic: 
    https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=3845

    Hope it helps you out


    ------------------------------
    Marcel Koedijk | MVP Expert 2022 | ACEP | ACMP | ACCP | ACDP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 3.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    Posted Sep 16, 2022 05:07 AM
    Hi Marcel, 

    Thank you for your answer.
    I do not want to activate captive-portal with MAC caching. My requirement is to have guest login as long as the account is valid.
    If I activate mac-auth in aaa profile, indeed I receive a RADIUS auth request with MAC as username, but what I need is to receive a RADIUS request with username and password of the guest user, which for some reason does not happen.

    Sep 16 11:48:09 2022  authmgr[5695]: <522275> <5695> <WARN> |authmgr|  User Authentication failed. username=8086f298e18f userip=0.0.0.0 usermac=80:86:f2:98:e1:8f authmethod=MAC servername=CPPM serverip=192.168.123.190 apname=AP1 bssid=34:8a:12:b4:28:81

    Related to certificates, I tried with a securelogin.mydomain certificate issued by my local CA, which is trusted by the whole test environment (laptop, clearpass, mobility controller).

    I had the same scenario working with IAP without MAC caching.

    Rgds,
    Adrian
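
The authmgr line quoted in the post above can be told apart from a credentialed guest login by comparing `username` with `usermac`. A small parser for that check, added here as an example and not part of the original post; the second sample line is constructed, and its username, client IP and `authmethod=Web` value are assumptions:

```python
import re

# Line 1 is the authmgr entry quoted in the post; line 2 is constructed for
# contrast (username, userip and authmethod=Web are assumed values).
SAMPLE_LOG = """\
Sep 16 11:48:09 2022  authmgr[5695]: <522275> <5695> <WARN> |authmgr|  User Authentication failed. username=8086f298e18f userip=0.0.0.0 usermac=80:86:f2:98:e1:8f authmethod=MAC servername=CPPM serverip=192.168.123.190 apname=AP1 bssid=34:8a:12:b4:28:81
Sep 16 11:50:00 2022  authmgr[5695]: <522275> <5695> <WARN> |authmgr|  User Authentication failed. username=guest1@example.com userip=10.0.0.25 usermac=80:86:f2:98:e1:8f authmethod=Web servername=CPPM serverip=192.168.123.190 apname=AP1 bssid=34:8a:12:b4:28:81
"""

HEADER = re.compile(
    r"authmgr\[\d+\]: <(?P<msgid>\d+)> <\d+> <(?P<level>\w+)> \|authmgr\|\s+(?P<text>.*)"
)
PAIR = re.compile(r"(\w+)=(\S+)")


def parse_authmgr(line):
    """Return the key=value fields of one authmgr syslog line, or None."""
    m = HEADER.search(line)
    if not m:
        return None
    fields = dict(PAIR.findall(m.group("text")))
    fields["msgid"] = m.group("msgid")
    fields["level"] = m.group("level")
    return fields


def strip_mac(value):
    """Lower-case a MAC-like string and drop its separators."""
    return re.sub(r"[:.\-]", "", value.lower())


def classify(fields):
    """'mac-auth' when the RADIUS username is just the client MAC."""
    mac = strip_mac(fields.get("usermac", ""))
    user_is_mac = bool(mac) and strip_mac(fields.get("username", "")) == mac
    if fields.get("authmethod") == "MAC" or user_is_mac:
        return "mac-auth"
    return "credential-auth"


def summarize(log):
    """List (username, server, kind) for every authmgr line in the log."""
    parsed = (parse_authmgr(line) for line in log.splitlines())
    return [(f["username"], f.get("servername"), classify(f)) for f in parsed if f]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```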






  • 4.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    EMPLOYEE
    Posted Sep 16, 2022 07:56 AM
    Just a side note: in order for the IAPs to display username instead of a MAC address for a MAC auth session, your RADIUS server needs to send the following IETF User-Name attrib to it.

    If you are using ClearPass then that would look like this



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    EMPLOYEE
    Posted Sep 16, 2022 08:50 AM
    What may help is to open 'developer tools' in your browser (use a laptop for that, not mobile) and trace the requests. First validate that the browser is posting the credentials to your controller. If that happens check the authentication on the controller (show auth-tracebuf) to see if the request comes in and what happens with it.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    Posted Sep 16, 2022 10:53 AM
    One question Herman if I may, because I found the following post



    Did you try captive-portal on mobility controller with AP in bridge-mode?

    I tried earlier with enable the ageout-bridge-user parameter in the aaa profile command set but still no success.

    Rgds,
    Adrian





  • 7.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    MVP EXPERT
    Posted Sep 16, 2022 10:58 AM

    External Captive-Portal (ClearPass) is unsupported in a controller-based solution with AP in bridge-mode.

    The reason is that in bridge-mode there is no communication to the controller firewall roles, that are responsible for the dns-redirection.






  • 8.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    Posted Sep 16, 2022 09:58 AM
    On the L3 Auth profile - do you have server group defined?

    ------------------------------
    ACNSA | ACEA | ACCP | ACMP
    ------------------------------



  • 9.  RE: ClearPass captive portal works but not RADIUS auth req sent from Mobility Controller

    Posted Sep 16, 2022 10:55 AM
    Yes, I do have server group setup under both aaa profile and L3 auth profile.

    I think that might be due to AP in bridge mode...

    Rgds,
    Adrian