Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

  • 1.  ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

    Posted Sep 27, 2022 03:42 PM
    Hi,

    I try to add a link to a dedicated web login page on the self registration page.
    The custom login page uses Active Directory as auth source.

    As a result, on the registration page we have two links.
    1. {$gsr_metadata.register_page|rawurlencode}_login.php
    2. byod_logon.php


    The whole code looks as follows:

    {if $gsr_metadata.nas_login.enabled}<p style="font-size:20px;">
        Already have an account?  <a href="{$gsr_metadata.register_page|rawurlencode}_login.php">Sign In</a>
    </p>
    <p style="font-size:20px;">
        You are an employee?  <a href="byod_logon.php">Sign In</a>
    </p>{/if}


    Now to my "problem":

    If I use a login page which is not "associated" with the self-registration workflow, the controller will not be used as NAD and also the called station id will not be included in the radius request.
    At the moment, when I use the original <registrationpagename>_login.php login form, the controller will be used as NAD. Otherwise the clearpass server will be the NAD.

    Primarily, this is not a problem, but after the authentication we cannot use CoA to bounce the client.

    If I add a second self-registration workflow (with equal settings), and I use the original <registrationpagename>_login.php link from the second workflow as link at the first registration page, we run into the same behaviour.

    This leads me to the thought that the called station id / nas ip / essid name is stored in a cookie at the first redirect to the registration page and is getting lost if we add a link to a login page outside of the registration workflow.

    Am I somehow correct?
    And is there a way to pass on the NAD values to a secondary login page referenced to the registration landing page?

    Thank you!
     



    ------------------------------
    Best regards, mom
    ------------------------------


  • 2.  RE: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

    EMPLOYEE
    Posted Sep 29, 2022 08:03 AM

    For Captive Portal authentication, the captive portal authentication profile that is attached to the client's current role determines what server group is queried when the "logon" button is pressed.  For a client to click on a link to be authenticated to a different server, the client's role and captive portal authentication profile must be changed.  If I am even understanding your question...



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

    Posted Sep 29, 2022 09:49 AM

    Hi,

    on the self registration page, to which the user/browser will be redirected after associating with the open SSID, there is by default a link to the <regpagename>_login.php site.
    If you already have a guest account, you can use the login site to log in with your existing guest account.

    That's the default setup delivered with clearpass guest ...

    In that style, I was adding a second link to a dedicated login site which should be used to log on with an AD user.
    This was done in the advanced editor of the self registration setup, in the Footer HTML field at the Register Page UI section:

    [Image: Customise self registration footer html]

    The second link leads to that web login page:

    If a user follows that link to the byod_logon.php site, which is not part of the self registration workflow and logs in - the clearpass server will be used as NAD.
    Not the controller.

    I try to pass on the NAD/called station etc... to that secondary login page..

    I hope this makes sense....

     




    ------------------------------
    Best regards, mom
    ------------------------------



  • 4.  RE: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

    EMPLOYEE
    Posted Sep 29, 2022 10:00 AM
    I think so.  With that setup, the authentication will ALWAYS go to clearpass, you just need to see which service is handling each authentication and determine what is different to handle it differently.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------
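    As an added example that is not from this thread or from ClearPass itself, here is a small Python audit over constructed authentication records that sorts each web login by which device acted as NAD, so the logins where ClearPass is its own NAS (no Called-Station-Id, so no CoA bounce to the controller) stand out. The column names and addresses are assumptions, not ClearPass's real Access Tracker export format.

```python
import csv
import io
from ipaddress import ip_address

# Constructed sample addresses: the ClearPass server and the controllers it serves (assumed).
CLEARPASS_ADDRS = {ip_address("10.0.0.10")}
CONTROLLER_ADDRS = {ip_address("10.0.1.1"), ip_address("10.0.1.2")}

# Constructed records modelled loosely on the fields discussed in the thread;
# column names are assumptions, not ClearPass's own export format.
SAMPLE_RECORDS = """\
username,service,nas_ip,called_station_id,essid
guest1,Guest Web Login,10.0.1.1,AA-BB-CC-DD-EE-01:Guest,Guest
jdoe,BYOD Web Login,10.0.0.10,,Guest
guest2,Guest MAC Caching,10.0.1.2,AA-BB-CC-DD-EE-02:Guest,Guest
asmith,BYOD Web Login,10.0.0.10,,Guest
"""


def classify(record):
    """Return (which device acted as NAD, whether a CoA to the controller is possible)."""
    nas = ip_address(record["nas_ip"])
    if nas in CLEARPASS_ADDRS:
        nad = "clearpass"
    elif nas in CONTROLLER_ADDRS:
        nad = "controller"
    else:
        nad = "unknown"
    # A CoA bounce only reaches the client when the controller is the NAD and the
    # session is identified by a Called-Station-Id.
    coa_possible = nad == "controller" and bool(record["called_station_id"])
    return nad, coa_possible


def audit(text):
    """Count records per NAD type and list those where a CoA bounce would not work."""
    summary = {"clearpass": 0, "controller": 0, "unknown": 0}
    needs_attention = []
    for row in csv.DictReader(io.StringIO(text)):
        nad, coa_ok = classify(row)
        summary[nad] += 1
        if not coa_ok:
            needs_attention.append((row["username"], row["service"], nad))
    return summary, needs_attention


if __name__ == "__main__":
    counts, flagged = audit(SAMPLE_RECORDS)
    print(counts)
    for user, service, nad in flagged:
        print(f"{user}: {service} handled with {nad} as NAD, no CoA to controller")
```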



  • 5.  RE: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

    Posted Sep 29, 2022 10:12 AM

    Yeah ... that's no problem.
    The authentication is working.

    But the authentication does not only go TO clearpass, but also comes FROM clearpass.

    That means, ClearPass will send the enforcement profile to itself and not to the controller.
    To get traffic working, the users will have to manually reconnect their devices so that the mac auth service (mac caching) will push the enforcement profile to the controller....

    This is the point I try to resolve....


    ------------------------------
    Best regards, mom
    ------------------------------



  • 6.  RE: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD

    Posted Sep 29, 2022 10:15 AM

    I was not completely correct ... The Aruba-Essid-Name and the client info will be passed on.

    But not the NAD device info (called station and so on)...



    ------------------------------
    Best regards, mom
    ------------------------------