AAA, NAC, Guest Access & BYOD

Occasional Contributor I
Labus
Posts: 8
Registered: ‎05-29-2013
Accepted Solution

MAC authentication and Captive portal fallback


Hello all.

 

Is it possible to bypass authentication for known users by MAC address and fall back to captive portal authentication for new users?

 

I.e., I have a guest SSID with the AAA profile AAA-GUEST. AAA-GUEST contains captive portal authentication and MAC authentication. All of these authentications are set up in ClearPass according to the doc: ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE Technical Note v1.3

 

So, I try to log in from my laptop to the guest SSID and the first message in the log is REJECTED by MAC authentication. OK, I try to open a browser and there is no redirect to the captive portal. OK, I manually open the captive portal page and try to log in - REJECT in the logs: Failed to classify request to service.

 

I cannot understand why it happens. I have tried to reinstall the whole configuration 3 times - still no luck. There is no fallback to the login page if MAC auth fails. Somebody help. Thanks in advance.

MVP
jsolb
Posts: 343
Registered: ‎05-11-2011

Re: MAC authentication and Captive portal fallback

We could use some more info in regards to your AAA profile, MAC-auth profile 

 

You should get your redirect and login to work without MAC auth before you implement it.

 

Which CPPM version are you using? In 6.1 several of the pre-defined services are gone, and among them is the MAC Caching one. But in 6.1 just use the service template for MAC cache authentication and you should be fine.

 

If 6.0.x then you could try some troubleshooting.

Verify the role your client lands in after the MAC reject appears. This should be the guest-logon role (or equivalent) - this is the AAA default role.

 

 

Oh - and scan through your services and make sure you have input the correct SSID in your auth profile. That's often the reason behind "Failed to classify.."

Regards
John

-ACMX #316 :: ACCP-
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Aruba
tarnold
Posts: 1,178
Registered: ‎06-12-2012

Re: MAC authentication and Captive portal fallback

If you are using 6.1, use the service templates and choose Guest MAC Authentication to set up your services. It will auto-configure all the settings and create two services: one for the initial MAC auth and one for the captive portal.

 

[Attached image: guestmacauth.png]

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Occasional Contributor I
Labus
Posts: 8
Registered: ‎05-29-2013

Re: MAC authentication and Captive portal fallback


Yes, I use CPPM 6.1

 

OK, I deleted all changes again and created a new service from the template, as tarnold said. It creates 2 services: Guest MAC Authentication and Guest Access With MAC Caching. Trying to connect to the SSID - REJECTED. In the logs the same problem occurred:

 

[Attached image: 1.png]

[Attached image: 2.png]

 

I still don't understand how redirecting to the captive portal page, for registering a new user device by login/password, is supposed to work. Where can I configure it: in policies, roles, or somewhere else in these services?

Aruba
tarnold
Posts: 1,178
Registered: ‎06-12-2012

Re: MAC authentication and Captive portal fallback

Do you have Insight enabled on the CPPM?

Thank You,
Troy

Occasional Contributor I
Labus
Posts: 8
Registered: ‎05-29-2013

Re: MAC authentication and Captive portal fallback


tarnold wrote:

Do you have Insight enabled on the CPPM?


How can I check it? Where can I enable it?

 

P.S.: Sorry, I'm a newbie.

Aruba
tarnold
Posts: 1,178
Registered: ‎06-12-2012

Re: MAC authentication and Captive portal fallback

On the CPPM side: "Administration » Server Manager » Server Configuration"

 

[Attached image: insight.png]

 

 

Thank You,
Troy

Aruba
tarnold
Posts: 1,178
Registered: ‎06-12-2012

Re: MAC authentication and Captive portal fallback

Remember it can take up to 5 minutes for the data to be updated in Insight. For testing I would connect through the captive portal, wait 5 min, disconnect the user and then reconnect.

Thank You,
Troy

MVP
jsolb
Posts: 343
Registered: ‎05-11-2011

Re: MAC authentication and Captive portal fallback

Yeah, the doc states that you should wait at least 2 minutes, so be a little patient when testing this :)
Regards
John

Occasional Contributor I
Labus
Posts: 8
Registered: ‎05-29-2013

Re: MAC authentication and Captive portal fallback


tarnold wrote:

Remember it can take up to 5 minutes for the data to be updated in Insight. For testing I would connect through the captive portal, wait 5 min, disconnect the user and then reconnect.


That's the problem. My laptop is not redirected to the captive portal. When the MAC auth check rejects the connection, I can't see any captive portal page.

 

[Attached image: 3.png]
