Gouhith_Agraharam
Article Id 285834
Description

This article describes how to troubleshoot an iprope error encountered while using Aruba ClearPass for authentication.

Scope

FortiGate, Aruba/HP ClearPass server side.

Solution

  • Use the IP address and port of the POST URL from the ClearPass guest self-registration page as filters for a flow trace debug.

For example, use IP 192.168.10.1 and port 1000 as the filters. See Troubleshooting Tip: First steps to troubleshoot connectivity.

[Screenshot: ClearPass guest self-registration page showing the POST URL]

  • Upon running the flow trace debug, the following error is encountered:

id=65308 trace_id=1 func=iprope_check_one_policy line=2269 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=1 func=iprope_check line=2316 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1 func=iprope_policy_group_check line=4721 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop

  • The above debug output shows that the traffic is dropped on the FortiGate.
  • Since the POST URL uses HTTP, HTTP must be enabled as a firewall policy authentication protocol/method.
  • To resolve the issue, enable HTTP under the authentication settings as follows:

In the GUI:
Navigate to User & Authentication -> Authentication settings -> Enable HTTP.

[Screenshot: Authentication settings page with HTTP enabled]

In the CLI:

  • auth-type: supported firewall policy authentication protocols/methods.

config user setting
    set auth-type https http
end
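As an added example (not part of this article and not Fortinet code), the following Python script parses debug flow output of the kind shown above, reports where the packet was dropped, and checks a `config user setting` stanza to see whether `http` is missing from `auth-type`. The four trace lines are the ones quoted in the article; the two `config user setting` stanzas are constructed for the example, and the wording of the hints is our own reading of the output.

```python
import re
from typing import Dict, Set

# Constructed sample: the four trace lines quoted in the article. The last
# line lacks its closing quote in the article's output; the parser tolerates it.
SAMPLE_TRACE = (
    'id=65308 trace_id=1 func=iprope_check_one_policy line=2269 '
    'msg="policy-4294967295 is matched, act-drop"\n'
    'id=65308 trace_id=1 func=iprope_check line=2316 '
    'msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"\n'
    'id=65308 trace_id=1 func=iprope_policy_group_check line=4721 '
    'msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"\n'
    'id=65308 trace_id=1 func=fw_local_in_handler line=606 '
    'msg="iprope_in_check() check failed on policy 0, drop\n'
)

# Constructed 'config user setting' stanzas: one where HTTP is not an allowed
# authentication protocol, and the corrected one from the article.
CONFIG_BEFORE = "config user setting\n    set auth-type https\nend\n"
CONFIG_AFTER = "config user setting\n    set auth-type https http\nend\n"

# key=value pairs; a value is either "quoted" (closing quote optional) or bare.
_FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')


def parse_trace_line(line: str) -> Dict[str, str]:
    """Split one debug-flow line into its id/trace_id/func/line/msg fields."""
    fields: Dict[str, str] = {}
    for match in _FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def analyze_trace(trace_text: str) -> dict:
    """Report whether the trace ends in a drop, in which function, on which policy."""
    result = {"dropped": False, "stage": None, "policy": None}
    for line in trace_text.splitlines():
        if not line.strip():
            continue
        event = parse_trace_line(line)
        msg = event.get("msg", "")
        if "act-drop" in msg or msg.rstrip().endswith("drop"):
            result["dropped"] = True
            result["stage"] = event.get("func")
            policy = re.search(r"policy[- ](\d+)", msg)
            if policy:
                result["policy"] = policy.group(1)
    return result


def auth_types(config_text: str) -> Set[str]:
    """Return the protocols listed on 'set auth-type' in a 'config user setting' stanza."""
    match = re.search(r"^\s*set auth-type\s+(.+?)\s*$", config_text, re.MULTILINE)
    return set(match.group(1).split()) if match else set()


def explain_drop(trace_text: str, config_text: str) -> dict:
    """Combine the trace verdict with the auth-type setting to name the missing protocol."""
    verdict = analyze_trace(trace_text)
    verdict["missing_protocol"] = None
    if not verdict["dropped"]:
        verdict["hint"] = "no drop in this trace"
    elif verdict["stage"] == "fw_local_in_handler":
        # The captive-portal POST is addressed to the FortiGate itself (port 1000
        # in the article), so the drop happens in the local-in handler.
        enabled = auth_types(config_text)
        if "http" in enabled:
            verdict["hint"] = "dropped in fw_local_in_handler, but http is already in auth-type"
        else:
            verdict["missing_protocol"] = "http"
            current = " ".join(sorted(enabled))
            verdict["hint"] = ("dropped in fw_local_in_handler; auth-type is '%s', so the HTTP "
                               "POST is refused. Fix: config user setting / set auth-type %s http / end"
                               % (current, current))
    else:
        verdict["hint"] = "dropped in %s on policy %s" % (verdict["stage"], verdict["policy"])
    return verdict


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(label, explain_drop(SAMPLE_TRACE, cfg))
```

Running the script prints the verdict for both stanzas: with the constructed `set auth-type https` it names `http` as the missing protocol and quotes the fix from the article; with `set auth-type https http` the same trace is reported as a drop that the auth-type setting does not explain.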