AAA, NAC, Guest Access & BYOD

Why does the captive portal redirection not happen after a MAC authentication failure?

Aruba Employee

Environment:

ClearPass version 6.1 and higher
Cisco WLC 7.0 and higher

 

A client connects to the guest SSID. The Cisco WLC sends a MAC authentication request to ClearPass. ClearPass sends an Access-Reject because the MAC address is unknown. The captive portal redirection does not happen on the client device, but the captive portal page is accessible if we manually type the login page URL.

 

The fact that the page loads when we manually type the URL tells us that the ACLs and the HTTP/HTTPS connection to the ClearPass server are fine.

A reject delay is usually used to slow down DoS and password-guessing attacks, and ClearPass uses a default value of 1 second. The Cisco WLC does not seem to keep track of the RADIUS session for more than a second. Hence, when ClearPass sends the MAC authentication reject after a delay of 1 second, the redirection upon MAC filter failure does not work.

 

We have to reduce the RADIUS reject delay from the default value of 1 second to 0 for each server in the cluster. To configure this, go to Administration > Server Configuration, select the server to change, select the Service parameters tab, select RADIUS server from the drop-down, and change the REJECT Packet Delay value to 0.
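One way to confirm the reject delay on the wire before and after the change (an added example, not part of the original article and not Aruba or Cisco tooling): the script pairs each Access-Reject with its Access-Request in a text capture and flags rejects that took a second or longer. The sample lines are constructed in tcpdump's one-line RADIUS summary style, the addresses and ids are made up, and the 1-second threshold is an assumption taken from the behaviour described above.

```python
import re
from datetime import datetime

# Constructed sample (tcpdump-style summary lines, IPv4 only). Assumed roles:
# 10.0.0.5 is the WLC (NAS), 10.0.0.10 is the ClearPass RADIUS server.
SAMPLE = """\
10:08:01.100000 IP 10.0.0.5.32770 > 10.0.0.10.1812: RADIUS, Access-Request (1), id: 0x2a length: 180
10:08:02.105000 IP 10.0.0.10.1812 > 10.0.0.5.32770: RADIUS, Access-Reject (3), id: 0x2a length: 20
10:08:09.400000 IP 10.0.0.5.32770 > 10.0.0.10.1812: RADIUS, Access-Request (1), id: 0x2b length: 180
10:08:09.412000 IP 10.0.0.10.1812 > 10.0.0.5.32770: RADIUS, Access-Reject (3), id: 0x2b length: 20
10:08:15.000000 IP 10.0.0.5.32770 > 10.0.0.10.1812: RADIUS, Access-Request (1), id: 0x2c length: 180
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:\s]+): "
    r"RADIUS, (?P<kind>Access-\w+) \(\d+\), id: (?P<id>0x[0-9a-f]+)")


def reject_delays(capture, threshold=1.0):
    """Return ([(nas, radius_id, delay_seconds, slow)], [unanswered ids]).

    A request is matched to its response by NAS endpoint, server endpoint and
    RADIUS identifier. The capture is assumed not to cross midnight.
    """
    pending = {}  # (nas ip.port, server ip.port, id) -> time of first request
    results = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        if m["kind"] == "Access-Request":
            # A retransmission reuses the same key; keep the first timestamp.
            pending.setdefault((m["src"], m["dst"], m["id"]), ts)
        else:
            # Any response closes the request; only rejects are reported.
            sent = pending.pop((m["dst"], m["src"], m["id"]), None)
            if sent is not None and m["kind"] == "Access-Reject":
                delay = (ts - sent).total_seconds()
                results.append((m["dst"], m["id"], round(delay, 3), delay >= threshold))
    return results, sorted(key[2] for key in pending)


if __name__ == "__main__":
    rejects, unanswered = reject_delays(SAMPLE)
    for nas, rid, delay, slow in rejects:
        print(f"{nas} id={rid} reject after {delay:.3f}s{'  <-- delayed' if slow else ''}")
    print("unanswered request ids:", unanswered)
```
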

 


Version history: revision 1 of 1, last updated 04-08-2015 10:08 AM