AAA, NAC, Guest Access & BYOD

Frequent Contributor I
kkutz@kutztraining.com
Posts: 66
Registered: ‎12-14-2012

Guest Access Captive Portal with MAC Cache and Account Disable.

ClearPass ver 6.2.0.25546 on CP-VA-500

 

OK, we have MAC cache turned on in the web logins page, and it all works for access. Guest signs in the first time and gets a MAC account for the endpoint.

My first question is: does the expiration date on the MAC account match the expiration date on the guest account?

My second question: when I disable the guest user account, I am still seeing the user get access through the endpoint's MAC account. Is there a way to stop this?

MVP
kdisc98
Posts: 1,167
Registered: ‎05-28-2008

Re: Guest Access Captive Portal with MAC Cache and Account Disable.

Did you make your MAC DB profile on the controller, or on the ClearPass DB?

****************************************************************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Frequent Contributor I
kkutz@kutztraining.com
Posts: 66
Registered: ‎12-14-2012

Re: Guest Access Captive Portal with MAC Cache and Account Disable.

Not 100% sure what you're asking - but

On the controller I set up pretty standard MAC auth - in the AAA profile I used the default MAC profile and listed the ClearPass server group - this is the same location captive portal goes to.

On ClearPass I made two services: one to process MAC auth and one to process the guest auth.

I can see the user MAC process the services in Access Tracker, and they show up as known in the endpoints list, so they are getting into the endpoints database.
Frequent Contributor I
kkutz@kutztraining.com
Posts: 66
Registered: ‎12-14-2012

Re: Guest Access Captive Portal with MAC Cache and Account Disable.

I still have not found a solution to this. 

 

In testing, when I disable the guest account on CPPM, the MAC in the endpoints database still allows the guest to authenticate until the original expiration of the guest account.

MVP
boneyard
Posts: 814
Registered: ‎11-30-2011

Re: Guest Access Captive Portal with MAC Cache and Account Disable.

You could lower the expiration time on the MAC entries? Or delete it when you disable the account. But beyond that I don't see a nice way to solve this.

Frequent Contributor I
kkutz@kutztraining.com
Posts: 66
Registered: ‎12-14-2012

Re: Guest Access Captive Portal with MAC Cache and Account Disable.

Actually, I have found that this has been taken care of in version 6.2 of CPPM/Guest. Actually, in version 6.1.2 (look in the release notes) a bug fix corrected the behaviour, where CPPM now checks for the original guest account status when authenticating a MAC cached user. Thus, if the client disconnects and reconnects, the MAC cache entry is expired if the guest account is expired. Also, in version 6.2 a bug fix corrected the behaviour where now, when you disable the guest account, it sends a CoA record to the RFC-3576 server and will deauthenticate the client.

Also, optionally you can change the MAC cache timeout from the default of 1 day to hours or even minutes - this is a rule setting in enforcement, where the rule: Authorization:[Insight Repository]:Days-Since-Auth LESS_THAN can be changed to other time settings.
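An added example, not part of the thread and not ClearPass code: a Python sketch that cross-checks cached MAC entries against guest account state and lists endpoints that a cache-age-only rule would still admit after the account is disabled, expired or deleted. The record fields, MAC addresses and dates are constructed assumptions, not a ClearPass export format.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names are assumptions for this sketch,
# not the ClearPass export schema.
NOW = datetime(2013, 6, 1, 12, 0)
GUESTS = {
    "alice": {"enabled": True,  "expires": NOW + timedelta(days=2)},
    "bob":   {"enabled": False, "expires": NOW + timedelta(days=2)},   # disabled by admin
    "carol": {"enabled": True,  "expires": NOW - timedelta(hours=3)},  # already expired
}
ENDPOINTS = [
    {"mac": "02:00:00:00:00:01", "guest": "alice", "last_auth": NOW - timedelta(hours=5)},
    {"mac": "02:00:00:00:00:02", "guest": "bob",   "last_auth": NOW - timedelta(hours=2)},
    {"mac": "02:00:00:00:00:03", "guest": "carol", "last_auth": NOW - timedelta(hours=20)},
    {"mac": "02:00:00:00:00:04", "guest": "dave",  "last_auth": NOW - timedelta(hours=1)},  # account deleted
    {"mac": "02:00:00:00:00:05", "guest": "alice", "last_auth": NOW - timedelta(days=3)},   # cache aged out
]

def cache_only_allows(ep, now, max_age):
    """Model of a rule that checks only the age of the cached MAC auth
    (a Days-Since-Auth LESS_THAN style condition)."""
    return now - ep["last_auth"] < max_age

def account_valid(ep, guests, now):
    """The additional check: the guest account behind the MAC must still be usable."""
    g = guests.get(ep["guest"])
    return g is not None and g["enabled"] and g["expires"] > now

def stale_cache_entries(endpoints, guests, now, max_age=timedelta(days=1)):
    """MACs the cache-only rule admits although the guest account is no longer valid."""
    findings = []
    for ep in endpoints:
        if cache_only_allows(ep, now, max_age) and not account_valid(ep, guests, now):
            g = guests.get(ep["guest"])
            reason = "missing" if g is None else "disabled" if not g["enabled"] else "expired"
            findings.append((ep["mac"], ep["guest"], reason))
    return findings

if __name__ == "__main__":
    for mac, guest, reason in stale_cache_entries(ENDPOINTS, GUESTS, NOW):
        print(f"{mac}  guest={guest}  account {reason}: remove cache entry or disconnect client")
```

Shortening `max_age` shrinks the list, which is the effect of lowering the cache timeout suggested above; the account check removes the exposure regardless of cache age.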

 

 
