It's a good point that ECC will be defaulted in the newer versions of ClearPass, so if you're using RSA, you should disable the ECC HTTPS certificate.
Original Message:
Sent: Mar 14, 2023 05:09 AM
From: Herman Robers
Subject: ClearPass Wired Guest Not Redirecting to Splash page
I don't see any class for Web-Traffic_AOS_DUR_Client_Guest-3034-24. And if it's not there, there will be no redirect. It probably should be something like: 10 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 80
If this does not solve the issue, it may be better to open a support ticket to have a look at the error messages. Those suggest there is a problem with a certificate, where I think it may have to do with an ECC or RSA certificate mismatch, but I'm not fully sure where.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
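The check described in the reply above (a class referenced by the downloaded policy but never defined) can be automated. This is an added example, not part of any post in the thread; the sample text is constructed from the output quoted in the thread, 10.24.0.10 is a placeholder address, and audit_role is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the "show port-access client detail" output
# quoted in this thread; 10.24.0.10 is a placeholder, not a real address.
SAMPLE = '''\
policy user "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
10 class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24" action permit
20 class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24" action permit
30 class ipv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24" action permit
40 class ipv4 "Web-Traffic_AOS_DUR_Client_Guest-3034-24" action redirect captive-portal
exit
class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
class ipv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24"
10 match tcp 0.0.0.0 255.255.255.255 10.24.0.10 0.0.0.0 eq 443
exit
'''

REF = re.compile(r'^\d+\s+class\s+ipv4\s+"([^"]+)"\s+action\s+(.+)$')  # policy entry
DEF = re.compile(r'^class\s+ipv4\s+"([^"]+)"$')                        # class header
MATCH = re.compile(r'^\d+\s+match\s+')                                 # class rule

def audit_role(text):
    """Return (missing, empty): classes a policy references that have no
    definition, and classes defined without any match statement."""
    refs, defs, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := REF.match(line):
            refs[m.group(1)] = m.group(2)      # class name -> policy action
        elif m := DEF.match(line):
            current = m.group(1)
            defs[current] = 0                  # count of match rules seen
        elif MATCH.match(line) and current:
            defs[current] += 1
        elif line == "exit":
            current = None
    missing = {n: a for n, a in refs.items() if n not in defs}
    empty = sorted(n for n, c in defs.items() if c == 0)
    return missing, empty
```

On the sample, the only class reported as missing is the Web-Traffic one carrying the redirect captive-portal action, which matches the diagnosis given in the reply.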
Original Message:
Sent: Mar 09, 2023 06:45 PM
From: Vinshinkel
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Hello Herman,
I've added the port-access command and some new information below:
After adding the IP address on VLAN 222, I started getting a new error message, BUT it would attempt to redirect. The error message is below the port-access output.
Show port-access client detail
Downloaded user roles are preceded by *
User Role Information
Name : *AOS_DUR_Client_Guest-3034-24
Type : downloaded
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : 222
Tagged VLANs :
Captive Portal Profile : use-radius-vsa_AOS_DUR_Client_Guest-3034-24
URL : https://guest.client/guest/wired-guest.php
Policy : ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24
Statements for policy "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
policy user "ClearPass-Redirect_AOS_DUR_Client_Guest-3034-24"
10 class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24" action permit
20 class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24" action permit
30 class ipv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24" action permit
40 class ipv4 "Web-Traffic_AOS_DUR_Client_Guest-3034-24" action redirect captive-portal
exit
Statements for class IPv4 "DNS_AOS_DUR_Client_Guest-3034-24"
class ipv4 "DNS_AOS_DUR_Client_Guest-3034-24"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
20 match tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 53
exit
Statements for class IPv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
class ipv4 "DHCP_AOS_DUR_Client_Guest-3034-24"
10 match udp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 67
exit
Statements for class IPv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24"
class ipv4 "ClearPass-Web_AOS_DUR_Client_Guest-3034-24"
10 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Publisher) 0.0.0.0 eq 80
20 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Publisher) 0.0.0.0 eq 443
30 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Subscriber) 0.0.0.0 eq 80
40 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (Subscriber) 0.0.0.0 eq 443
50 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (VIP) 0.0.0.0 eq 80
60 match tcp 0.0.0.0 255.255.255.255 10.24.x.x (VIP) 0.0.0.0 eq 443
exit
--------------------------------------------------------------------------ERROR MESSAGE--------------------------------------------------------------------------------------------------------
0030:00:57:35.18 DFP mdevMntr:DFP: parsed the HTTP User Agent 3
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_BAD_ID
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL_closeConnection() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:0
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL_closeConnection() from AppType:
0030:00:57:35.16 SSL tCaptivePortalHttpd:1
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL_closeConnection() from AppType:
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL_negotiateConnection() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL:doProtocol() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL_SOCK_receive() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSL_SOCK_serverHandshake() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:
0030:00:57:35.16 SSL tCaptivePortalHttpd:.
0030:00:57:35.16 SSL tCaptivePortalHttpd:0
0030:00:57:35.16 SSL tCaptivePortalHttpd:Resume state =
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
0030:00:57:35.16 SSL tCaptivePortalHttpd:sslHelloStateMachine() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:ERR_SSL_NO_CIPHER_MATCH
0030:00:57:35.16 SSL tCaptivePortalHttpd:processClientHello3() returns status =
0030:00:57:35.16 SSL tCaptivePortalHttpd:
0030:00:57:35.16 SSL tCaptivePortalHttpd:
0030:00:57:35.16 SSL tCaptivePortalHttpd:00000000
0030:00:57:35.16 SSL tCaptivePortalHttpd:Incompatible EC curves returned by SSL_setServerCert:
0030:00:57:35.16 SSL tCaptivePortalHttpd:
0030:00:57:35.16 SSL tCaptivePortalHttpd:
0030:00:57:35.16 SSL tCaptivePortalHttpd:14
0030:00:57:35.16 SSL tCaptivePortalHttpd:c0
0030:00:57:35.16 SSL tCaptivePortalHttpd:SSLSOCK_selectCipherSuiteV3: CipherSuite selected = 0x
0030:00:57:35.16 SSL tCaptivePortalHttpd:
Original Message:
Sent: Mar 08, 2023 03:33 AM
From: Herman Robers
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Please paste the output of "show port-access client detail" when the client is connected (and captive portal should be shown) to see what is actually applied to the port.
Do you have an IP on the switch interface vlan 222? If not, can you try to add that?
------------------------------
Herman Robers
Original Message:
Sent: Mar 03, 2023 07:43 PM
From: Vinshinkel
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Sorry, just wanting to verify: are you saying you believe I should REMOVE the https:// from in front of my redirection URL, or that I should put it in front of the URL? Because in the post I made, it shows with https:// in front of the URL.
Original Message:
Sent: Mar 03, 2023 04:52 PM
From: ariyap
Subject: ClearPass Wired Guest Not Redirecting to Splash page
I think you should add https:// in front of your redirection URL.
------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Mar 03, 2023 04:35 PM
From: Vinshinkel
Subject: ClearPass Wired Guest Not Redirecting to Splash page
class ipv4 DNS
  match udp any any eq 53
  match tcp any any eq 53
exit
class ipv4 DHCP
  match udp any any eq 67
exit
class ipv4 Web-Traffic
  match tcp any any eq 80
  match tcp any any eq 443
exit
aaa authentication captive-portal profile use-radius-vsa url https://guest.client.com/guest/wired-guest.php
class ipv4 ClearPass-Web
  match tcp any host ClearPass IP1 eq 80
  match tcp any host ClearPass IP1 eq 443
  match tcp any host ClearPass IP2 eq 80
  match tcp any host ClearPass IP2 eq 443
  match tcp any host ClearPass IP VIP eq 80
  match tcp any host ClearPass IP VIP eq 443
exit
policy user ClearPass-Redirect
  class ipv4 DNS action permit
  class ipv4 DHCP action permit
  class ipv4 ClearPass-Web action permit
  class ipv4 Web-Traffic action redirect captive-portal
exit
aaa authorization user-role name Guest
  policy ClearPass-Redirect
  captive-portal-profile use-radius-vsa
  vlan-id 222
exit
Original Message:
Sent: Mar 03, 2023 03:26 PM
From: ariyap
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Please paste the output of "show port-access client detail"
or paste the details of the DUR enforcement profile.
Original Message:
Sent: Mar 03, 2023 10:26 AM
From: Vinshinkel
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Yes, if I type it into the browser it opens, which is why I'm confused. It seems like everything is correct, but just the redirect isn't happening, which of course breaks it. I haven't configured the guest auth portion yet. I don't think that should matter, but just in case, I want to let it be known.
Original Message:
Sent: Mar 03, 2023 10:07 AM
From: ulises.cazares
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Hi, if you type the captive portal address directly in the client browser, can you open it? Maybe there is an ACL blocking that access.
I hope this helps
Original Message:
Sent: Mar 03, 2023 09:47 AM
From: Vinshinkel
Subject: ClearPass Wired Guest Not Redirecting to Splash page
It's AOS-S
Aruba JL076A 3810M-40G-8SR-PoE+-1-slot Switch
Software revision KB.16.11.0008
Original Message:
Sent: Mar 02, 2023 11:23 PM
From: ariyap
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Is this for a CX switch or AOS-S? Which model number?
Original Message:
Sent: Mar 02, 2023 08:47 PM
From: Vinshinkel
Subject: ClearPass Wired Guest Not Redirecting to Splash page
Has anyone ever set up a wired guest page just using a EULA and not a self-registration? I'm having an issue where, while I don't receive any errors from ClearPass or from the logs in the Aruba switch, I don't get redirected to the Splash page. I get a valid IP address, DNS, gateway, an accept in Access Tracker for the enforcement, and I can see the switch downloaded the user role from a "show port-access client", but it just doesn't redirect me to the splash page.