I was not completely correct ... The Aruba-Essid-Name and the client info will be passed on.
But not the NAD device info (called station and so on)...
Original Message:
Sent: Sep 29, 2022 10:11 AM
From: Matthias Moritz
Subject: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD
Yeah ... that's no problem.
The authentication is working.
But the authentication not only goes TO clearpass, but also comes FROM clearpass.
------------------------------
Best regards, mom
Original Message:
Sent: Sep 29, 2022 09:59 AM
From: Colin Joseph
Subject: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD
I think so. With that setup, the authentication will ALWAYS go to clearpass, you just need to see which service is handling each authentication and determine what is different to handle it differently.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Sep 29, 2022 09:48 AM
From: Matthias Moritz
Subject: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD
Hi,
On the self-registration page, to which the user/browser is redirected after associating with the open SSID, there is by default a link to the <regpagename>_login.php site.
If you already have a guest account, you can use the login site to log in with your existing guest account.
That's the default setup delivered with clearpass guest ...
In that style, I was adding a second link to a dedicated login site which should be used to log on with an AD user.
This was done in the advanced editor of the self registration setup, in the Footer HTML field at the Register Page UI section:
------------------------------
Best regards, mom
Original Message:
Sent: Sep 29, 2022 08:03 AM
From: Colin Joseph
Subject: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD
For Captive Portal authentication, the captive portal authentication profile that is attached to the client's current role determines what server group is queried when the "logon" button is pressed. For a client to click on a link to be authenticated to a different server, the client's role and captive portal authentication profile must be changed. If I am even understanding your question...
------------------------------
Original Message:
Sent: Sep 27, 2022 03:41 PM
From: Matthias Moritz
Subject: ClearPass Guest dedicated web logon page using clearpass server as NAS/NAD
Hi,
I am trying to add a link to a dedicated web login page on the self-registration page.
The custom login page uses Active Directory as auth source.
As a result, on the registration page we have two links.
- {$gsr_metadata.register_page|rawurlencode}_login.php
- byod_logon.php
The whole code looks as follows:
{if $gsr_metadata.nas_login.enabled}<p style="font-size:20px;"> Already have an account? <a href="{$gsr_metadata.register_page|rawurlencode}_login.php">Sign In</a></p><p style="font-size:20px;"> You are an employee? <a href="byod_logon.php">Sign In</a></p>{/if}
Now to my "problem":
If I use a login page which is not "associated" with the self-registration workflow, the controller will not be used as NAD and also the called station id will not be included in the radius request.
At the moment, I use the original <registrationpagename>_login.php login form, the controller will be used as NAD. Otherwise the clearpass server will be the NAD.
Primarily, this is not a problem, but after the authentication we cannot use CoA to bounce the client.
If I add a second self-registration workflow (with equal settings), and I use the original <registrationpagename>_login.php link from the second workflow as the link on the first registration page, we run into the same behaviour.
This leads me to think that the called station id / nas ip / essid name is stored in a cookie at the first redirect to the registration page and gets lost if we add a link to a login page outside of the registration workflow.
Am I somehow correct?
And is there a way to pass on the NAD values to a secondary login page referenced to the registration landing page?
Thank you!
------------------------------
Best regards, mom
------------------------------