The wildcard that you imported, is that for *.controller.wireless.cam.ac.uk? Note that the * in a wildcard just replaces a single level, so no subdomains.
You can check the actual name in use with the command 'show datapath fqdn' on the controller, and that is the name you should put in the 'Address' in ClearPass.
Further, your client has to be connected via the controller and needs to be in a role that has a captive portal redirect configured. One common mistake is to test a captive portal from your own laptop while connected to the normal network that you use to configure your controller/ClearPass/etc. If you are in a redirect/captive portal role, the controller will answer the DNS request regardless of which DNS server the request is sent to, but for that the request has to flow through the controller. Dynamic address switched off seems the correct setting.
Please let us know if that fixes your issue...
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Oct 20, 2023 09:02 AM
From: AdamNewsonCU
Subject: Guest self-reg 'login'
We allow self-registration using email for our guests. We've had a few reports that, after registering their email, guests successfully receive the email confirmation but get redirected to this page. As I understand it this is because the DNS 'hijack' is not processing correctly and the right IP address is not being returned to the client? Which ultimately redirects them back to the confirmation page, after the credentials have been passed to CPPM in the RADIUS request, and there is an access-accept.

I had noticed that we had 'dynamic address' enabled, which is not necessary as we're using a wildcard cert for our controller certificate and do not have per-controller certificates. Is there a chance enabling that setting could have caused the incorrect information to be passed back to the client during registration and ending up being returned captiveportal-login.controller.wireless.cam.ac.uk instead of the successful confirmation page we usually present to authenticated clients?
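The single-level wildcard rule from the reply above, as an added example that is not part of the original thread: a Python check of whether a captive portal FQDN is covered by a certificate name. It assumes the imported certificate carries only `*.controller.wireless.cam.ac.uk`; the second and third hostnames in the sample list are constructed for illustration.

```python
# Added example: leftmost-label wildcard matching for a captive portal certificate.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if hostname is covered by pattern; '*' stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # Same number of labels is required: '*' never spans a dot.
    if len(p) != len(h) or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False  # wildcard only allowed in the left-most label
    if p[0] == "*":
        return p[1:] == h[1:]
    if "*" in p[0]:
        return False  # partial-label wildcards (e.g. 'cp*') are not accepted here
    return p == h


def covered_by(cert_names, fqdn):
    """Return the first certificate name that covers fqdn, or None."""
    return next((n for n in cert_names if wildcard_matches(n, fqdn)), None)


# Assumption: the imported certificate carries this single wildcard name.
CERT_NAMES = ["*.controller.wireless.cam.ac.uk"]

# First entry is the name quoted in the thread; the others are constructed.
CANDIDATES = [
    "captiveportal-login.controller.wireless.cam.ac.uk",
    "controller.wireless.cam.ac.uk",
    "captiveportal-login.site1.controller.wireless.cam.ac.uk",
]


def report(cert_names=CERT_NAMES, candidates=CANDIDATES):
    """Map each candidate FQDN to the certificate name covering it (or None)."""
    return {fqdn: covered_by(cert_names, fqdn) for fqdn in candidates}


if __name__ == "__main__":
    for fqdn, name in report().items():
        print(f"{fqdn:60} {'covered by ' + name if name else 'NOT covered'}")
```

Feed it the name reported by 'show datapath fqdn' and the names on the certificate; a name with an extra level below the wildcard, or the bare parent domain, comes back as not covered.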
