Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Clearpass Guest Captive Portal - Does it have to use PAP ?

  • 1.  Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 12, 2024 02:02 PM

    When I configure ClearPass Guest web logon pages for captive portal guest access, it seems that the default auth method is PAP. Unless I'm missing something, there does not seem to be any way of changing this, so I'm just wondering if there is a more secure authentication method than PAP for the ClearPass Guest captive portal web logon.

    If there is, can somebody point me in the direction of some documentation to set it up?

    Thanks in advance.



  • 2.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 12, 2024 02:18 PM

    Are you referring to a MAC Caching Service in Policy Manager?

    As a starting place, Herman put together a great video series a couple of years ago. CPPM Guest Series



    ------------------------------
    If my post was useful, please Accept Solution and Give Kudos.
    ------------------------------
    Zak Chalupka
    Principal Engineer - HPE Aruba
    ACDX | ACMP | ACSP | ACCP
    wifizak@hpe.com
    ------------------------------
    Ideas expressed here are solely my own and not necessarily that of HPE Aruba.
    ------------------------------



  • 3.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 12, 2024 02:31 PM

    Thanks 802.zak

    Yes MAC Caching is used but I'm more concerned about the logons where the client uses the web logon page. We Permit users to use their AD credentials and I have concerns about using PAP for these logons. I was hoping that MS-CHAP might be an alternative. I will definitely check out Herman's video. I have found his videos to be very helpful in the past. Kudos to Herman!




  • 4.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 12, 2024 02:42 PM

    So, do you have a configuration for SSID WPA2-AES and RADIUS? Or are you prompting for credentials at the Login/Registration Page?



    Zak Chalupka



  • 5.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 12, 2024 02:49 PM

    The SSID is open. Actually, the security level in Aruba Central is "Visitor".

    We prompt for credentials at the web logon page, i.e. https://clearpass_url/guest/guestlogon.php




  • 6.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 12, 2024 03:23 PM

    Ok, have you configured a Guest Operator Service in Policy Manager? An Aruba Application Service for Guest, with the appropriate Enforcement Logic and Profiles?



    Zak Chalupka



  • 7.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 07:35 AM

    I believe so.

    Perhaps I am misinterpreting your reply here (please excuse me if I am), but the Guest Operator service is not what I am concerned about. My concern is service #164 using PAP.

    These are the services that relate to the Guest WLAN.

    #164 is the service that relates to the Web Logon page. The auth methods in the service should allow for MS-CHAP, but PAP is what is always used.

    My feeling is that I need to change something in either the configuration of the SSID or the Web Logon page in ClearPass Guest.




  • 8.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 10:27 AM

    It's hard for me to tell exactly which AAA flow #164 serves; I would imagine it is for the MAC Cache related process.

    From what I see here, #165 is the Service that serves Captive Portal Page Logons, which should include an Enforcement of a specific Guest Operator Profile.



    Zak Chalupka



  • 9.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 12:11 PM

    164 is the service that is actually used for the Portal logins and 165 is just for logging into the Guest application itself, as I understand it, so my wifi users will never hit service 165. The only time I see 165 in the access tracker is when a member of staff logs in to register a personal Guest device such as a Chromecast.

    We do not permit guests to self register, so I don't see how service 165 would come into play for a wifi guest. I think this may be where my confusion is coming from. I don't understand how service 165 relates to clients on the GUEST WLAN. Are you saying that it should be used somehow?

    Our Guest network is a little odd in that we have one guest account that resides in our Active Directory and all Guest users are given the username and password for that account (a really bad idea, I know!). The issue is that we also allow staff to use the GUEST network and use their AD credentials to log on.

    So, when a user connects to the GUEST SSID, if their MAC is not cached, they are sent to the portal to log on. Our Portal page is set up in the "Web Logins" section of the ClearPass Guest Configuration as opposed to the "Self-Registrations" section.

    When the user completes the Web Login, TIPS roles are derived based on AD group memberships and enforcement profiles are assigned according to the TIPS role.

    For authentication sources on service 164, we use our AD.

    The Auth Methods configured on 164 are PAP, CHAP, MSCHAP & MSCHAPv2.

    In the access tracker, every logon that I see using service 164 is using PAP. My thought was that somewhere in that Web Login page config it would specify the authentication method, but there is no such setting that I can see.

    I hope that this attempt at explaining our setup clarifies some things.

    Also, I really want to say that I very much appreciate your input Zak.




  • 10.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 12:52 PM

    Ok, I have another clarifying question to get us on the same page.

    In your "Web Login" Settings. What is your "Pre-Auth Check" Setting?



    Zak Chalupka



  • 11.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 01:05 PM

    Pre-auth is set as follows.




  • 12.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 01:20 PM

    Ok, so to clarify: what credentials are used when a User is sent to the Web Login? Do you have an External Operator Server configured, with Translation Rules? Just trying to narrow down my thoughts.



    Zak Chalupka



  • 13.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 01:39 PM

    I don't know of any credential that would be used to send the user to the web login page. Doesn't that just happen as an http redirect?

    I had always assumed that this was accomplished by the AP's Default user-role for the SSID, i.e. when the client first connects the Guest-logon role is applied and, based on that, the client is redirected to the Web login page.

    As for an external operator server, the answer is no. As I understand it, my deployment consists of

    1. the Access Point
    2. the web login page within ClearPass Guest
    3. the ClearPass RADIUS server and policy manager
    4. the AD domain controller on which the user accounts are found

    The only thing I see as "external" is in the SSID config on the AP, where the Captive portal is configured as external, i.e. ClearPass Guest.




  • 14.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 13, 2024 03:32 PM

    I suppose I am still missing some details; this is a difficult setup to review in a forum.

    At what point, or in which registration / Captive Portal process, do you allow employees to use their AD creds?

    Generally speaking, AD authentication on a CPPM Guest hosted Web Login or Registration would use a CPPM Policy Manager with an Application based service, not RADIUS.



    Zak Chalupka



  • 15.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 14, 2024 07:14 AM

    Agreed. Troubleshooting this in the forum has its limitations, for sure.

    I think at this point I will open a case with TAC and perhaps do a zoom call to walk them through the configuration.

    If I get a solution from them I will be sure to update this thread.

    Thanks for all of your help Zak.




  • 16.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    EMPLOYEE
    Posted Mar 14, 2024 08:44 AM

    The RADIUS traffic between your switch/AP/controller and ClearPass should run over a secure path. RADIUS is an old protocol with a lack of proper encryption/security, which isn't really an issue if the traffic only flows over links that are considered secure (no snooping/injection). If you can't secure the links, you may have a look at RadSec, which requires certificates to operate and securely encapsulates the RADIUS traffic within a TLS tunnel.

    Also, moving from PAP to CHAP or MS-CHAP is probably ineffective, as the security (CHAP even more than MS-CHAP) is based on obsolete security (MD4/MD5), which was fine at the time the protocol was developed, but not anymore for the last 20 years or so. While it sounds like it is much more secure, it isn't really, and if it isn't really, it's probably better to leave it as-is so you know it's insecure.

    Also, for CHAP/MS-CHAP, you would need to have access to the user's password (or a specific hash, a derived value of it), whereas for PAP you can just check the password with the identity store. For MSCHAPv2 you would need access to the so-called NTHash, which can be checked only if you join ClearPass to the domain (for AD accounts).

    So there may be things possible; it depends what you gain with it and how much actual security improvement it provides.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
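As an added illustration of the point made in this reply (this is example code written for this page, not code from the thread, from ClearPass, or from HPE Aruba), the following Python shows what a RADIUS server has to do in each case, following RFC 2865 section 5.2 for PAP User-Password hiding and RFC 1994 for CHAP. Two things become visible: the PAP hiding is only an MD5 keystream derived from the shared secret and the Request Authenticator, so it protects the password only on a path where that secret and the link are trusted (hence RadSec/TLS for untrusted links), and the CHAP check can only be computed by a server that holds the cleartext password itself, which is why it cannot be delegated to an identity store such as AD that merely answers "is this password correct". The shared secret, authenticator, challenge and password values are constructed for the demo.

```python
"""PAP vs CHAP as seen from the RADIUS server side (RFC 2865 s5.2, RFC 1994).

Added example for this thread; all values below are constructed demo data.
"""
import hashlib
import secrets

# Constructed demo values: a RADIUS shared secret and a 16-byte Request
# Authenticator (in real traffic the NAS picks the authenticator at random).
DEMO_SECRET = b"demo-shared-secret"
DEMO_AUTHENTICATOR = bytes(range(16))


def _xor16(a: bytes, b: bytes) -> bytes:
    """XOR two 16-byte blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does to the User-Password attribute (RFC 2865 s5.2).

    Pad to a multiple of 16 octets, then XOR each block with
    MD5(secret || previous ciphertext block); the first block is keyed on
    the Request Authenticator. Note that this is MD5 keystream, not a MAC.
    """
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return bytes(hidden)


def pap_recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: undo the hiding and obtain the cleartext.

    The cleartext is then handed to any identity store that can verify a
    password (LDAP bind, AD, SQL), which is why PAP works against AD without
    the server holding password hashes.
    """
    cleartext = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        cleartext += _xor16(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(cleartext).rstrip(b"\x00")


def chap_response(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP response computed by the client: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def chap_verify(chap_id: int, response: bytes, challenge: bytes,
                stored_cleartext_password: bytes) -> bool:
    """Server side of CHAP.

    The server must recompute the MD5 itself, so it needs the cleartext
    password (or a reversibly stored copy); a store that only offers
    "verify this password" cannot be used, matching the reply above.
    """
    expected = chap_response(chap_id, stored_cleartext_password, challenge)
    return secrets.compare_digest(expected, response)


def demo() -> dict:
    """Run both flows on constructed data and report the outcomes."""
    password = b"Correct Horse Battery"  # 21 octets -> two 16-octet blocks
    hidden = pap_hide_password(password, DEMO_SECRET, DEMO_AUTHENTICATOR)
    recovered = pap_recover_password(hidden, DEMO_SECRET, DEMO_AUTHENTICATOR)

    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    response = chap_response(7, password, challenge)

    return {
        "pap_hidden_len": len(hidden),
        "pap_recovered_ok": recovered == password,
        "pap_wrong_secret_ok": pap_recover_password(hidden, b"other-secret",
                                                   DEMO_AUTHENTICATOR) == password,
        "chap_ok": chap_verify(7, response, challenge, password),
        "chap_wrong_password_ok": chap_verify(7, response, challenge, b"not-it"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `pap_wrong_secret_ok` result shows that the hiding depends entirely on the shared secret; the PAP password is only as protected as the secret and the path the Access-Request travels, which is the reason for RadSec on links you do not control. The `chap_verify` signature shows the other side of the trade-off: the server side of CHAP is only implementable when the cleartext password is available to ClearPass, which an AD authentication source does not provide.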



  • 17.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    MVP
    Posted Mar 15, 2024 08:07 AM

    You do not always have control over the RADIUS traffic. We use eduroam and some of our RADIUS traffic flows over the Internet & other institution networks.

    I know of very few enterprises outside of possible government & banks that utilize only encrypted connections between switches and on their internal backbone.



    ------------------------------
    Bruce Osborne ACCP ACMP
    Liberty University

    The views expressed here are my personal views and not those of my employer
    ------------------------------



  • 18.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    Posted Mar 14, 2024 10:14 AM

    No problem, reach back out if something doesn't make sense.

    I just need to better understand in which process, Login or Registration, the Users are using AD Credentials.

    As you mentioned your SSID is Open, so we need to narrow down your desired Captive/Registration process, to better understand the Authenticate/Enforcement Service. 



    Zak Chalupka



  • 19.  RE: Clearpass Guest Captive Portal - Does it have to use PAP ?

    MVP
    Posted Mar 14, 2024 07:09 AM

    Guest portal is not designed for secure employee access. You really need to use some form of WPA2-Enterprise or WPA3-Enterprise (802.1X) authentication.

    Although Microsoft severely discourages it, you could use EAP-PEAP-MSCHAPv2 authentication against AD. Using EAP-TLS with certificates on the clients for authentication is MUCH more secure though.

    In other words, Guest & guest portal were not designed for what you are trying to accomplish.



    Bruce Osborne ACCP ACMP
    Liberty University