We might have a requirement where we want to authenticate AD users with captive portal hosted on ClearPass with Xirrus controllers.
As of ClearPass 6.6.1, the only authentication method available for a controller-initiated login with Xirrus is CHAP, which does not work with AD accounts.
A feature request is in place on ClearPass to have the user POST credentials to the Xirrus APs differently, so that Xirrus can send us PAP and MS-CHAP authentication requests. That could be included in future releases of ClearPass.
However, there is another way to get this to work: the server-initiated login on ClearPass, which lets us authenticate AD users (along with the other user types ClearPass supports) even with Xirrus APs.
In the server-initiated login mechanism the client is made to POST the credentials back to ClearPass once they attempt a login. ClearPass validates the credentials received and sends a COA to the concerned NAS-IP-Address to put the user into a level of access that takes them out of the captive portal.
The configuration on the ClearPass for this to work is as follows.
You need to create a MAC auth service that has [Allow All MAC AUTH] as the authentication method. On Xirrus there is a setting called Radius/MAC which needs to be enabled so that the AP sends MAC auth requests for the corresponding SSID.
[Allow All MAC AUTH] accepts all clients irrespective of whether they are Known or Unknown in ClearPass.
Any device that comes in for the first time is Unknown in ClearPass, and we need to configure a rule in our enforcement that takes all Unknown clients to the ClearPass captive portal page on that first connection.
For this Xirrus has a concept called User groups. We need to configure a User group on Xirrus that has the captive portal URL of ClearPass mapped and that allows DHCP, DNS and traffic to ClearPass.
ClearPass can return a Filter-Id attribute which can be configured to tie to the User group on Xirrus.
The configuration on ClearPass is as follows
The enforcement rule can look like the one below
The enforcement profile needs to return a Radius Filter-Id as shown below
The web page configuration on ClearPass is as follows
Irrespective of whether the login page is a self-registration page or a web login page, we need to modify the NAS Vendor Settings as shown in the screenshot below
We need to specify the vendor as Aruba Networks to be able to choose the login method as Server-initiated.
Once this is done, ClearPass sends a request to itself when the user attempts a login. To handle that request we need to create a service of type WEBAUTH as shown in the screenshot below.
You can map the appropriate authentication sources desired like AD, SQL, Guest User Repository etc. and authenticate users.
The important point is that for authenticated users we need to return a COA-type enforcement, which again returns a Filter-Id tied to a Xirrus User group that grants the user the appropriate level of access once they are authenticated.
The enforcement profile needs to be created as shown below, with the template set to COA, the Radius COA template set to Aruba-Change-User-Role, and a Filter-Id value that maps to the User group on Xirrus.
Please note that the post-authentication updates to the endpoint, such as marking the endpoint as Known and tagging it with attributes like username, are very similar to any regular MAC caching workflow.
Also, when you add the Xirrus AP as a Network Device in ClearPass, make sure you choose Aruba as the Vendor-Type, as it is crucial for performing COA. Based on our testing, Xirrus devices work with Aruba as the vendor type.
To verify this configuration you need to look for the following
- An initial MAC auth request that is accepted, returning the user group that takes the user to the captive portal page
- A Web Auth request, once the user attempts the login, that hits the Web Auth service created above
- A COA tab in the MAC auth request received in Step 1, which shows the status of the COA sent to the Xirrus device
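As an added example (not ClearPass or Xirrus code), the following Python model walks one client through the workflow configured above and the three verification checkpoints just listed: a MAC auth request accepted by [Allow All MAC AUTH] that returns the captive portal Filter-Id for an Unknown endpoint, a WEBAUTH request in which ClearPass validates the posted credentials and sends an Aruba-Change-User-Role COA, the post-authentication endpoint update to Known, and the next MAC auth returning the access group as in MAC caching. The User group names, NAS IP address, MAC address and credential store are constructed; treating a non-Aruba Vendor-Type as "COA not sent" is an assumption used only to illustrate the vendor-type note.

```python
# Added example, not ClearPass or Xirrus code: a small model of the
# server-initiated login workflow. Group names, the NAS IP address, the MAC
# address and the credential store below are constructed for illustration.
import hmac
from dataclasses import dataclass, field

# Constructed Xirrus User group names (assumed to exist on the AP).
CAPTIVE_PORTAL_GROUP = "cp-redirect"      # only DHCP, DNS and ClearPass allowed
AUTHENTICATED_GROUP = "employee-access"   # full access after login

# Constructed stand-in for the AD authentication source.
AD_USERS = {"alice": "Winter-2024-pass"}


@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"                  # first-seen endpoints are Unknown
    attributes: dict = field(default_factory=dict)


@dataclass
class ClearPass:
    network_devices: dict = field(default_factory=dict)  # NAS IP -> vendor type
    endpoints: dict = field(default_factory=dict)        # MAC -> Endpoint
    coa_log: list = field(default_factory=list)          # COA messages sent

    def add_network_device(self, nas_ip: str, vendor: str) -> None:
        """Register the Xirrus AP as a Network Device with its Vendor-Type."""
        self.network_devices[nas_ip] = vendor

    def mac_auth(self, mac: str, nas_ip: str) -> dict:
        """MAC auth service using [Allow All MAC AUTH]: every request is
        accepted, and the enforcement policy chooses the Filter-Id from the
        endpoint status (Unknown -> captive portal group, Known -> access)."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        group = AUTHENTICATED_GROUP if ep.status == "Known" else CAPTIVE_PORTAL_GROUP
        return {"Response": "Access-Accept", "Filter-Id": group,
                "NAS-IP-Address": nas_ip}

    def web_auth(self, mac: str, nas_ip: str, username: str, password: str) -> dict:
        """WEBAUTH service: ClearPass validates the posted credentials itself
        (a constant-time password check here, standing in for the AD source)
        and, on success, updates the endpoint and sends a COA to the NAS."""
        expected = AD_USERS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return {"Response": "Access-Reject", "CoA": None}
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        ep.status = "Known"                      # post-auth endpoint update,
        ep.attributes["Username"] = username     # as in MAC caching workflows
        if self.network_devices.get(nas_ip) != "Aruba":
            # Assumption: the Aruba-Change-User-Role template is only sent
            # to devices registered with Vendor-Type Aruba.
            return {"Response": "Access-Accept", "CoA": None,
                    "Error": "COA not sent: NAS Vendor-Type is not Aruba"}
        coa = {"Template": "Aruba-Change-User-Role", "NAS-IP-Address": nas_ip,
               "Calling-Station-Id": mac, "Filter-Id": AUTHENTICATED_GROUP}
        self.coa_log.append(coa)
        return {"Response": "Access-Accept", "CoA": coa}


def run_flow(nas_vendor: str = "Aruba") -> dict:
    """Walk one client through the three verification checkpoints and
    return what each step produced."""
    cp = ClearPass()
    nas_ip, mac = "10.0.0.5", "aa:bb:cc:dd:ee:01"   # constructed values
    cp.add_network_device(nas_ip, nas_vendor)
    step1 = cp.mac_auth(mac, nas_ip)                  # Unknown -> captive portal
    bad = cp.web_auth(mac, nas_ip, "alice", "wrong")  # rejected, no COA
    step2 = cp.web_auth(mac, nas_ip, "alice", AD_USERS["alice"])
    step3 = cp.mac_auth(mac, nas_ip)                  # Known -> full access
    return {"initial_group": step1["Filter-Id"], "bad_login": bad["Response"],
            "coa": step2["CoA"], "coa_sent": len(cp.coa_log),
            "cached_group": step3["Filter-Id"], "endpoint": cp.endpoints[mac]}


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(key, value)
```

Running the module prints each checkpoint; calling run_flow("Xirrus") shows the endpoint still being marked Known but no COA going out, which is the symptom to look for in the COA tab when the Network Device was added with the wrong Vendor-Type.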