Description
This article describes how to troubleshoot an iprope error encountered while using Aruba ClearPass for authentication.
Scope
FortiGate, Aruba/HP ClearPass server side.
Solution
- All of the configuration checks are based on Technical Tip: How to configure Clearpass as an external captive portal.
- The user is redirected to the login page. After the user credentials are entered, the page times out and gives an error.
- Use the IP address and port of the POST URL as filters to run a flow trace debug.
For example, use IP 192.168.10.1 and port 1000 as filters. See Troubleshooting Tip: First steps to troubleshoot connectivity.
- Upon running the flow trace debug, the following error will be encountered:
id=65308 trace_id=1 func=iprope_check_one_policy line=2269 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=1 func=iprope_check line=2316 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1 func=iprope_policy_group_check line=4721 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop"
- The above debug output shows that traffic is dropped on the FortiGate.
- Because the POST URL uses HTTP, HTTP must be enabled in the supported firewall policy authentication protocols/methods.
- To resolve the issue, enable HTTP under the authentication settings as follows:
In the GUI:
Navigate to User & Authentication -> Authentication settings -> Enable HTTP.
In the CLI:
- auth-type: Supported firewall policy authentication protocols/methods.
config user setting
    set auth-type https http
end
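
The flow-trace output shown above can be triaged offline when a capture contains many sessions. The following Python script is an added example, not part of the original article or of any Fortinet tooling: it groups saved flow-trace lines by trace_id and reports the traces that fw_local_in_handler dropped, together with the matched policy ID and policy group. The names parse and local_in_drops are hypothetical, and the trace_id=2 line is constructed for contrast.

```python
import re
from collections import defaultdict

# Lines 1-4 are the trace from this article; the trace_id=2 line is constructed
# for contrast. The closing quote of line 4 is deliberately absent to show that
# a truncated capture still parses.
SAMPLE = """\
id=65308 trace_id=1 func=iprope_check_one_policy line=2269 msg="policy-4294967295 is matched, act-drop"
id=65308 trace_id=1 func=iprope_check line=2316 msg="gnum-10000f check result: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1 func=iprope_policy_group_check line=4721 msg="after check: ret-matched, act-drop, flag-00000801, flag2-00000000"
id=65308 trace_id=1 func=fw_local_in_handler line=606 msg="iprope_in_check() check failed on policy 0, drop
id=65308 trace_id=2 func=fw_forward_handler line=990 msg="Allowed by Policy-1:"
"""

LINE_RE = re.compile(r'trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*?)"?\s*$')
POLICY_RE = re.compile(r"policy-(\d+) is matched, act-(\w+)")
GROUP_RE = re.compile(r"gnum-(\w+) check result: ret-(\w+), act-(\w+)")


def parse(text):
    """Group (func, msg) pairs by trace_id, skipping lines that are not flow-trace records."""
    traces = defaultdict(list)
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if m:
            traces[int(m["trace"])].append((m["func"], m["msg"]))
    return dict(traces)


def local_in_drops(text):
    """Return one finding per trace that fw_local_in_handler dropped."""
    findings = []
    for trace_id, records in sorted(parse(text).items()):
        finding = {"trace_id": trace_id, "policy": None, "group": None, "dropped": False}
        for func, msg in records:
            if (m := POLICY_RE.search(msg)) and m[2] == "drop":
                finding["policy"] = int(m[1])      # policy ID that matched with act-drop
            elif (m := GROUP_RE.search(msg)) and m[3] == "drop":
                finding["group"] = m[1]            # gnum value of the policy group
            elif func == "fw_local_in_handler" and msg.rstrip().endswith("drop"):
                finding["dropped"] = True          # local-in check failed, packet dropped
        if finding["dropped"]:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in local_in_drops(SAMPLE):
        print(f"trace {f['trace_id']}: local-in drop, policy {f['policy']}, group {f['group']}")
```

A trace that still appears in the result after HTTP has been enabled under the authentication settings points to a different cause than the one described in this article.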