Guest Self Registration with Cambium AP

  • 1.  Guest Self Registration with Cambium AP

    Posted May 14, 2024 03:47 PM

    Greetings 

    Has anyone been able to integrate Cambium APs with ClearPass for Guest Self Registration?

    Basically, we have everything set up accordingly; however, there seem to be some issues, and I have some questions to ask.

    We are using the IP address of the Cambium AP on the guest self registration on ClearPass and not the certificate FQDN, as we have not introduced the certificate.

    The users can sign in with the ClearPass ipaddress/guest/guestuser_3.php, create a user and then log in, but cannot browse. We can see the user creation on manage account on ClearPass and also see some audit on the audit viewer, but nothing on the access tracker, so in my view this process in itself isn't communicating with the AP.

    We have everything set up properly in the Cambium, albeit we are not sure if we have the correct Postback URL of the Cambium AP.

    What is the proper way for guest users to access the captive portal?
    1. Should it be the FQDN of the ClearPass server /guest/guestuser_3.php
    Or
    2. Should it be the FQDN of the WLC /guest/guestuser_3.php
    If we use step one, we can access the captive portal.
    If we use step two, we get a 404 error (resource not found). Do we need to deactivate securelogin.aruba.com?
    We tested the above using the IP while we wait to get the SSL certificate.
    Please note that guestuser_3 is the guest self registration created on ClearPass.



  • 2.  RE: Guest Self Registration with Cambium AP
    Best Answer

    Posted May 14, 2024 04:02 PM
    Edited by vovocals May 17, 2024 02:02 AM

    http://{$extra_fields.ga_srvr}:880/cgi-bin/hotspot_login.cgi

    You have to use a custom setup for the captive portal for the credentials to be submitted back to the correct AP.  Make sure to populate the "Extra Fields" input with the required information.  Note, the screenshot was set up against a single AP.  Use the URL from above as the "Submit URL" so that the proper IP address gets used.

    ga_ssid!=
    ga_ap_mac!=
    ga_nas_id!=
    ga_srvr!=
    ga_cmac!=
    ga_Qv!=

     



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Guest Self Registration with Cambium AP

    Posted May 14, 2024 04:30 PM

    Thanks Carson 

    You are the boss

    We have been bundling everything under the submit URL, so the guest system could not pass the credentials to the AP.

    Will test this in the morning and revert.

    Just one question: what is the best way for users to access the captive portal? Is it with the ClearPass IP with the .php, which exposes the name/IP of the ClearPass server, or with the FQDN of the Cambium AP?




  • 4.  RE: Guest Self Registration with Cambium AP

    Posted May 14, 2024 04:43 PM

    I've not set that particular integration up in years but from what I remember you set the captive portal target in the AP configuration and you should definitely be using an FQDN for the redirect so that the interaction with ClearPass can be accomplished over HTTPS.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Guest Self Registration with Cambium AP

    Posted Oct 31, 2024 04:38 PM

    @chulcher 

    Using your example for a ClearPass/ Cambium guest captive portal solution - are you able to elaborate on any of the following or if I am doing anything incorrectly. The screenshot looks slightly different - my guess this is a pre 6.11 release. I am running 6.11.9. 

    -I have the ClearPass FQDN in the submit method URL currently. 

    -In the extra fields I won't be able to populate the 'ga_ap_mac' or 'ga_nas_id' as this will be deployed to a building of APs. So I cannot specify either of these fields in reality. How necessary are they? 

    -Can you explain what 'ga_cmac' and 'ga_Qv' relate to and how necessary these fields are to be populated? 

    Thanks, Adam




  • 6.  RE: Guest Self Registration with Cambium AP

    Posted Oct 31, 2024 05:01 PM

    The "Submit URL" field defines where credentials are submitted by the client, that is an instruction sent from the captive portal to the client device to POST credentials.  That is not the ClearPass URL, the URL needs to be built dynamically as outlined in my first response.  Use the dynamic URL I provided, do not set a static.

    "Extra Fields" are values that ClearPass is processing in the redirect from the AP, you shouldn't be specifying values as those will be read from the parameters in the URL.  I have zero idea what those last two fields are supposed to be, I cobbled this together to deploy for one project about six years ago from someone else's proof of concept document.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 7.  RE: Guest Self Registration with Cambium AP

    Posted Nov 04, 2024 07:51 AM

    Thanks, @chulcher 

    I don't suppose you have any insight into the Cambium side as well? These are the current settings on the Cambium 'Guest Access' tab within the SSID. Can you see anything obviously wrong? 

    Or @vovocals do you have any further info to add from the Cambium side?




  • 8.  RE: Guest Self Registration with Cambium AP

    Posted Nov 04, 2024 10:14 AM

    I don't have anything.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 9.  RE: Guest Self Registration with Cambium AP

    Posted Nov 04, 2024 10:33 AM

    I guess this is something you have to ask in a Cambium User Forum or documentation.

    With a small search on the internet I found this - https://community.cambiumnetworks.com/t/guest-access-wlan-external-hotspot-with-radius-authentication/82858

    Could be a little outdated but still valid.




  • 10.  RE: Guest Self Registration with Cambium AP

    Posted Nov 04, 2024 10:28 AM

    The URL displayed on the client device is:

    http://www.msftconnecttest.com/clearpass.gmetrust.org/guest/guestwifi2.php?ga_ssid=Guest-WiFi&ga_ap_mac=BC-A9-93-0A-F8-6E&ga_nas_id=F47-0AF86E&ga_srvr=eu-w1-guest.cloud.cambiumnetworks.com&ga_cmac=A4-02-B9-65-78-3B 

    I've also removed around 50 of the 'clearpass.gmetrust.org/guest' from the URL which was producing a 'too many redirects' error on the client - which may be a red herring. 

    I'm getting nothing on access tracker, in a pcap or traffic on the firewall. There are no restrictions in place to block anything such as this. I have the subnet of the Cambium APs in the ClearPass device list, with the correct secret. 

    ClearPass web login: 

    Cambium: 




  • 11.  RE: Guest Self Registration with Cambium AP

    Posted Nov 05, 2024 08:46 AM

    In that case, try to add https:// in front of the clearpass.gmetrust.org/guest/guestwifi2.php to make it a full URL. It looks like the AP tries to redirect to a relative URL to the original captive portal test URL now, which makes the http://www.msftconnecttest.com/clearpass.gmetrust.org/guest/guestwifi2.php instead of https://clearpass.gmetrust.org/guest/guestwifi2.php

    This process will continue forever, or at least till you see the 'too many redirects'.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
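
Added example, not part of any post in this thread: the redirect behaviour described in reply 11, reproduced with the standard URL parser. The probe path `/redirect` and the shortened query string are assumptions, the host names are the ones quoted in reply 10, and `checkPortalUrl` is a hypothetical check for the value entered on the AP.

```javascript
// Added example. Uses the WHATWG URL parser (global in Node.js and browsers),
// which resolves a Location header the same way a browser does.

// Assumed connectivity-probe URL on the host seen in the thread.
const PROBE = "http://www.msftconnecttest.com/redirect";
// Portal value entered without a scheme (query string shortened for readability).
const NO_SCHEME = "clearpass.gmetrust.org/guest/guestwifi2.php?ga_ssid=Guest-WiFi";

// Apply the same Location value to `hops` consecutive intercepted requests,
// as happens while the unauthenticated client keeps being redirected.
function followRedirects(start, location, hops) {
  const chain = [];
  let current = start;
  for (let i = 0; i < hops; i++) {
    // A value without a scheme is a relative path and resolves against `current`.
    current = new URL(location, current).href;
    chain.push(current);
  }
  return chain;
}

// Hypothetical pre-deployment check for the portal URL configured on the AP.
function checkPortalUrl(value) {
  let url;
  try {
    url = new URL(value); // throws when the value has no scheme
  } catch {
    return ["no scheme: browsers will treat it as a path on the site being probed"];
  }
  const problems = [];
  if (url.protocol !== "https:") problems.push("scheme is not https");
  if (/^[\d.]+$/.test(url.hostname) || url.hostname.startsWith("[")) {
    problems.push("host is an IP address, not an FQDN");
  }
  return problems;
}

// Each hop nests one more "clearpass.gmetrust.org/guest/" under the probe host.
for (const url of followRedirects(PROBE, NO_SCHEME, 3)) console.log(url);
// With the scheme present the first hop already lands on the portal.
console.log(followRedirects(PROBE, "https://" + NO_SCHEME, 1)[0]);
console.log(checkPortalUrl(NO_SCHEME));
```
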



  • 12.  RE: Guest Self Registration with Cambium AP

    Posted Nov 14, 2024 10:14 AM

    @Herman Robers - I have the solution working when using a pre-created guest account with the Cambium solution and the redirect works fine. 

    I also have the option on the captive portal for MS Azure logins - I have this working perfectly on a complete Aruba solution. 

    However, on the Cambium I get the 'Required Field Unavailable' when selecting the Azure icon. Previously I have fixed this by adding further netdestinations for the specific Cloud ID provider like Facebook etc. But I have an extensive list of these URLs allowed on the Cambium pre-auth/DNS settings. So I think this is probably a separate issue and how the Cambium interacts with the Entra application. I have verified my Entra application/ web login on ClearPass for correct tenancy, client ID and secret. The application refers to a separate web login too to the Aruba portal, using a different redirect URL which is correctly referenced within the application. I have also created a separate 'Cambium - Entra' authentication source linked to the other application (not that it's getting this far yet).

    I'm not getting much traction on any Cambium forums. 

    Do you have any further information which could be causing the captive portal error message on ClearPass? 

     




  • 13.  RE: Guest Self Registration with Cambium AP

    Posted Nov 14, 2024 10:21 AM

    What error message?  The only one I'm seeing you mention is the "too many redirects" which is coming from the browser.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 14.  RE: Guest Self Registration with Cambium AP

    Posted Nov 14, 2024 10:57 AM

    @chulcher the issue regarding the initial re-direct is now working - I am successfully getting the captive portal now and can authenticate using pre-created guest accounts. 

    My issue is when selecting the Azure login button I get the 'Required Field Unavailable' - I do not get this on the Aruba solution. 




  • 15.  RE: Guest Self Registration with Cambium AP

    Posted Nov 14, 2024 11:18 AM

    The SSO is probably breaking the URL and thus the extra fields that are used to generate the submit URL are broken.  Open a case with TAC to determine what, if anything, can be done.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 16.  RE: Guest Self Registration with Cambium AP

    Posted Nov 18, 2024 06:54 AM

    I've seen this when the redirect doesn't include the client MAC address ( &mac=aa:bb:cc:dd:ee:ff ) in the redirect URL. Can you add that? If you can't add the client MAC address, you may try to add ?mac=00:00:00:00:00:00 to the redirect URL and see if the 'Required field unavailable' disappears. Some features may not work properly when the client's mac address is unavailable.



    ------------------------------
    Herman Robers
    ------------------------------



  • 17.  RE: Guest Self Registration with Cambium AP

    Posted Dec 03, 2024 04:52 AM

    @Herman Robers - this is exactly what is happening. The client MAC address is included in the initial URL when accessing the captive portal but when selecting the Azure login button the MAC address is not included. If you then manually add the client MAC on a Windows laptop then you can reach the correct page and log in as expected using Azure credentials. Is there no way this can be rectified within ClearPass? It's my understanding that it is the AP (Cambium) at this stage which handles that functionality, therefore it would have to be a setting applied there, not on ClearPass?




  • 18.  RE: Guest Self Registration with Cambium AP

    Posted Dec 04, 2024 01:55 PM

    It's a bit hard to fully understand your workflow, and where it breaks, and for what reason, without seeing it happening.

    My experience is that if the MAC address is in the initial request, it's remembered throughout the ClearPass Guest authentication session. Not sure if that's in a session state or in a cookie, but apparently that doesn't work like that for you.

    If there is no MAC address in the initial redirect (or not in any redirect), you may use some javascript or redirect to get a dummy MAC address included to at least continue (if there is no mac address, there is something like 'Invalid parameter' displayed in one of the ClearPass screens). Note that this only works with controller initiated, not with server initiated (CoA, which requires the MAC address in the CoA).

    Maybe your Aruba partner, or TAC is willing to have a look together with you?



    ------------------------------
    Herman Robers
    ------------------------------



  • 19.  RE: Guest Self Registration with Cambium AP

    Posted Dec 04, 2024 05:30 PM

    Thanks, Herman. You're referring to adding some custom Javascript to the skin within Plugin Manager? 




  • 20.  RE: Guest Self Registration with Cambium AP

    Posted Dec 04, 2024 10:57 AM

    @Herman Robers Sorry to chase - do you have any further comments regarding my previous reply regarding the client MAC address in the URL, please? 




  • 21.  RE: Guest Self Registration with Cambium AP

    Posted Dec 09, 2024 05:57 AM

    It depends on where you need the Javascript. If you add it to the skin, it will be included in each page; probably adding it in the footer of one of the pages (where the issue starts, or the one before that point). As I don't know in which step of the workflow you see that error, it's hard to provide exact guidance.

    Maybe your Aruba partner, or TAC is willing to have a look together with you?



    ------------------------------
    Herman Robers
    ------------------------------



  • 22.  RE: Guest Self Registration with Cambium AP

    Posted Dec 17, 2024 11:47 AM

    Thanks @Herman Robers

    I have since added some custom JavaScript* to the skin of the page applied within the guest web login. It was successful in that it re-directed to the Entra login portal without producing the error 'required field unavailable' after selecting the Entra login button on the initial captive portal. However, after submitting the credentials the captive portal page just loops back to the initial landing page with no specific error associated and no record within ClearPass access tracker - so no RADIUS request is being sent as of yet.

    *the JS is adding a randomised MAC address to the URL when selecting the Entra login button on the landing page. I wonder if the consequence of not using the actual client MAC is causing the auth flow to fail later down the line? 

    Any thoughts as to why that loop might occur? I am going to move the JavaScript to the main web login page 'Header HTML' tomorrow and do some further testing, as I see in your previous comment regarding how adding the JavaScript to the skin means it'll be included in every page. Therefore, may be proving detrimental in this scenario?




  • 23.  RE: Guest Self Registration with Cambium AP

    Posted Jan 03, 2025 10:56 AM

    Not quite what's occurring at this point Adam. When authenticating with the current JavaScript in place, credentials are accepted and the access tracker logs a successful user connection. What happens at that point is a blank page as Wi-Fi connectivity isn't actually working. I agree that it's because the random MAC address that's being passed does not match that of the actual device. If I then turn off Wi-Fi for a moment, then enable it again, the device rejoins and connectivity is established, presumably when the correct MAC is processed.

    Does this doc, https://d1okf4ta8xniw3.cloudfront.net/original/2X/f/fbdc2dcd332ea6f25ff6b26e7ef11017ae1d733c.pdf, offer any useful info on how to query for the actual MAC presented by the client instead of generating a random one?
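
Added example, not part of any post and not ClearPass or Cambium code: one way to carry the real client MAC from the landing URL onto the SSO link instead of generating a random one. It assumes `ga_cmac` in the AP redirect is the client MAC and that ClearPass reads it from `mac` in the colon form shown in reply 16; the link path and the CSS selector in the comment are hypothetical placeholders.

```javascript
// Added example. Pure functions so they can be tested in Node.js and reused in a page.

// Landing URL as quoted in reply 10, with the https:// scheme from reply 11.
const LANDING =
  "https://clearpass.gmetrust.org/guest/guestwifi2.php?ga_ssid=Guest-WiFi" +
  "&ga_ap_mac=BC-A9-93-0A-F8-6E&ga_nas_id=F47-0AF86E" +
  "&ga_srvr=eu-w1-guest.cloud.cambiumnetworks.com&ga_cmac=A4-02-B9-65-78-3B";
// Hypothetical path of the SSO login link on the landing page.
const SSO_LINK = "/guest/sso_login_placeholder.php";

// Accept dash, colon or dot separated MACs; return aa:bb:cc:dd:ee:ff or null.
// The value arrives in a URL the client can edit, so anything malformed is rejected.
function normaliseMac(raw) {
  const hex = String(raw || "").replace(/[-:.\s]/g, "").toLowerCase();
  if (!/^[0-9a-f]{12}$/.test(hex)) return null;
  return hex.match(/../g).join(":");
}

// Return linkHref with mac=<client MAC> copied from the landing URL.
// Returns null when the landing URL carries no valid MAC, so the caller leaves
// the link unchanged rather than inventing an address that will not match the
// device's real session on the AP.
function withClientMac(landingHref, linkHref) {
  const landing = new URL(landingHref);
  const params = landing.searchParams;
  const mac = normaliseMac(params.get("mac") || params.get("ga_cmac"));
  if (!mac) return null;
  const link = new URL(linkHref, landing); // keeps the link on the portal origin
  link.searchParams.set("mac", mac);
  return link.href;
}

// Browser wiring, shown as a comment because the selector is hypothetical:
//   document.querySelectorAll("a.sso-login").forEach((a) => {
//     const href = withClientMac(window.location.href, a.href);
//     if (href) a.href = href;
//   });

console.log(withClientMac(LANDING, SSO_LINK));
```
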