Is this an older AireOS controller? The access-list logic is a little different on the Cisco side between the older Airespace-derived product vs the latest controllers, where the preauth ACL is actually more of a redirect ACL rather than an allow/block ACL in the traditional sense.
It's been a while since I set up guest portals on older Cisco equipment, but I have worked this recently on newer kit.
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
Original Message:
Sent: Aug 22, 2023 07:23 AM
From: athan
Subject: CLear pass guest portal WLC
Thanks @Herman Robers, on the controller I have these access-lists.

I am keeping an eye on a person who set up the access-list in another post.

Original Message:
Sent: Aug 22, 2023 07:09 AM
From: Herman Robers
Subject: CLear pass guest portal WLC
If cor.quironsalud.es is your ClearPass server, and wifipacientes.quironsalud.es is the certificate installed on your controller, then the controller is intercepting the traffic to ClearPass. You should exclude the traffic to your ClearPass from captive portal, and while unsure how that works on Cisco, on many other devices there is an ACL that configures what traffic needs to be intercepted/redirected and what should be allowed through (like traffic to ClearPass).
As this seems to take a long time, it may be good to work either with your Cisco partner, or with Cisco TAC. Aruba TAC may also be able to help you, but as it now seems that traffic destined for ClearPass is redirected by the controller, Cisco may be the best place to ask the question first (how to make sure that HTTPS to ClearPass is exempted from redirect).
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Original Message:
Sent: Aug 22, 2023 06:10 AM
From: athan
Subject: CLear pass guest portal WLC
Hi @Herman Robers, I swapped the certificates. Same error:
Page is blank for the new devices


Original Message:
Sent: Jul 20, 2023 04:51 AM
From: Herman Robers
Subject: CLear pass guest portal WLC
I'm not sure how that works in Cisco. In Aruba the controller will intercept the DNS requests and respond by itself, not sure if Cisco does the same. On Aruba that DNS intercept only works if you are connected to the guest network and the captive portal is active. It may be needed to add that IP to the DNS indeed, and probably it won't hurt if it's not needed. However, if this worked before with a wildcard, the controller probably responds to the DNS requests similar to Aruba. Just make sure you test this from a client connected to the guest network, before it's authenticated.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 20, 2023 03:36 AM
From: athan
Subject: CLear pass guest portal WLC
Hi @Herman Robers
Firstly, I want to thank you for your assistance.
I think I understand your solution, so I'll add the Corp. Quironsalud.es certificate in the clear pass.
On the WLC: wifipacientes.quironsalud.es
I have a question about wifipacientes.com DNS resolution. I don't have access to my customer's domain controller, but I have to explain to you how you might succeed.
If you see, wifi pacientes doesn't resolve anything. My customer will have to make an entry in your DNS domain.

For example:
wifipacientes.quironsalud.es
Name: wifipacientes.quironsalud.es
Address: 192.0.2.1 (ip virtual controller)
Is it correct?
Original Message:
Sent: Jul 17, 2023 03:34 AM
From: Herman Robers
Subject: CLear pass guest portal WLC
Both controller and ClearPass should have a certificate that matches the name registered in DNS. When you have a wildcard certificate, it does not matter where you install the certificate, as it is the same.
If in DNS, cor.quironsalud.es points to ClearPass, then you need to install the certificate for that FQDN on ClearPass. If I check the screenshots, you seem to have swapped the certificates, so installed the certificate for ClearPass on the controller and the one for the controller on ClearPass, and then you will indeed see certificate warnings if the DNS name does not match the certificate that you installed.
You can't have the same (single name) certificate on controller and ClearPass, because your client needs to communicate to both ClearPass and the Controller, and that will need to have different IP addresses, and because of that also different DNS name/FQDN.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 14, 2023 04:16 AM
From: athan
Subject: CLear pass guest portal WLC
Hi
@Herman Robers
I try to comprehend what you're saying.
So
I must swap the certificates in order to succeed, isn't it?
Do you believe it would be effective to swap the certificates?
If you can see the DNS resolution for Corp. Quironsalud.es, it resolves the ip clear pass.
Do you think WiFi Pacientes will need to resolve the WL Controller's name or virtual IP address if it appears that nothing is resolved? Alternatively, it is not required if I place the wifi.pacientes on this clear pass in this part

One more question:
What will happen if I use the same certificate, wifipacientes.quironsalud.es, on both (clear pass and wlc), the side controller and the unique certificate?
Original Message:
Sent: Jul 13, 2023 11:44 AM
From: Herman Robers
Subject: CLear pass guest portal WLC
Think you mixed up the names...
From the last screenshot cor.quironsalud.es should be the ClearPass, but the controller screenshot shows it's installed there.
Same for the screenshot where you see ClearPass (cor.quironsalud.es), the certificate is wifipacientes.
If you swap the certificates, you may be in a better shape.
------------------------------
Herman Robers
------------------------
Original Message:
Sent: Jul 13, 2023 05:45 AM
From: athan
Subject: CLear pass guest portal WLC
I'm making an effort to resolve this issue.
Pass using WLC Cisco Guest Portal Mac Caching, the issue is obvious.
My customer had a wildcard certificate initially, but the business thought it was insecure and opted to replace it with a unique certificate.
Previously, everything operated smoothly with the wildcard certificate.
Before the change in certificates, the old device was registered, and it functions properly.
When a new device attempts to connect, a blank page appears
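
Added example (not part of the original thread, and not Cisco or Aruba code): a small Python model of the certificate/FQDN matching Herman describes above, showing why one wildcard worked on both devices while swapped or shared single-name certificates fail. The two FQDNs are from the thread; the wildcard name `*.quironsalud.es` and the scenario layout are assumptions.

```python
# Added example with constructed scenarios; not output from the devices in the thread.

def name_matches(cert_name, host):
    """Hostname check: '*' is accepted only as the whole leftmost label
    and stands for exactly one label."""
    cert = cert_name.lower().rstrip(".").split(".")
    want = host.lower().rstrip(".").split(".")
    if len(cert) != len(want):
        return False
    if cert[0] == "*":
        return len(cert) > 2 and cert[1:] == want[1:]
    return cert == want

def audit(installed, fqdns):
    """installed: device -> names on its certificate.
    fqdns: FQDN the guest client connects to -> device answering on it.
    Returns FQDN -> True when the client would see a matching certificate."""
    return {fqdn: any(name_matches(n, fqdn) for n in installed[dev])
            for fqdn, dev in fqdns.items()}

# FQDNs from the thread; the device roles follow Herman's description.
FQDNS = {"cor.quironsalud.es": "clearpass",
         "wifipacientes.quironsalud.es": "controller"}

WILDCARD = "*.quironsalud.es"  # assumed name of the earlier wildcard certificate
SCENARIOS = {
    "wildcard_on_both": {"clearpass": [WILDCARD], "controller": [WILDCARD]},
    "swapped": {"clearpass": ["wifipacientes.quironsalud.es"],
                "controller": ["cor.quironsalud.es"]},
    "same_single_name_on_both": {"clearpass": ["wifipacientes.quironsalud.es"],
                                 "controller": ["wifipacientes.quironsalud.es"]},
    "one_per_fqdn": {"clearpass": ["cor.quironsalud.es"],
                     "controller": ["wifipacientes.quironsalud.es"]},
}

def run_all():
    return {name: audit(certs, FQDNS) for name, certs in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_all().items():
        bad = [f for f, ok in result.items() if not ok]
        print(f"{name}: {'OK' if not bad else 'name mismatch on ' + ', '.join(bad)}")
```
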