MVP
Posts: 930
Registered: 04-13-2009

2 x Guest SSIDs, 1 with MAC caching, 1 without

Hi All,

2 x guest services on ClearPass, 1 with MAC caching enabled and 1 without.

Let's say the SSIDs are called:

guest-cache

guest-nocache

We'll be assuming that the guest services are created using the default settings here.

If a visitor user associates and successfully logs into the guest-nocache SSID, then disconnects and associates to the guest-cache SSID, will they MAC auth successfully?

Looks like the "Guest Expire Post Login" and "Guest Do Expire" enforcement policies take care of this, but I'm just looking for clarification.

Cheers
J

Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
MVP
Posts: 4,172
Registered: 07-20-2011

Re: 2 x Guest SSIDs, 1 with MAC caching, 1 without

I think it will be redirected, since it is not doing MAC auth in the no-cache service.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,188
Registered: 09-08-2010

Re: 2 x Guest SSIDs, 1 with MAC caching, 1 without

Easiest thing to do would be to disable MAC-auth on your no-cache SSID on the controller.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
MVP
Posts: 930
Registered: 04-13-2009

Re: 2 x Guest SSIDs, 1 with MAC caching, 1 without

Hmm.

Let me explain again.

Client "Tom" associates to the no-cache SSID, redirects to the captive portal and successfully authenticates. Tom's device MAC address is registered in the Endpoints repository.

Tom, being a bit nosy or perhaps by mistake, connects to another SSID which happens to be the MAC caching one. The controller sends his device MAC address, the ClearPass MAC caching service matches the request, checks the Endpoint repository and finds his device MAC address. The enforcement policy sends the RADIUS accept back to the controller and Tom has gained access to the network.

What mechanism stops this from occurring?

 

Cheers
James

Aruba
Posts: 1,537
Registered: 06-12-2012

Re: 2 x Guest SSIDs, 1 with MAC caching, 1 without

I would add a role tag to users connecting and look for that attribute when they connect.

SSID 1: guest logs in and gets a guest role ID of guest-a

SSID 2: role ID of guest-b

That way, when they try to connect to the other SSID, they have to have that guest role.
Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
MVP
Posts: 505
Registered: 05-11-2011

Re: 2 x Guest SSIDs, 1 with MAC caching, 1 without

If you don't change anything from the wizard-created services then yes, it will authenticate. The reason being the UPDATE ENDPOINT KNOWN and GUEST MAC CACHING policies.

That said, you can have the SSIDs on two different systems and it will still accept the MAC caching. Basically the service checks your role, that the MAC address is in the Endpoint database, that it's known, that it has a username attribute, and that this user is still valid.

To work around this I guess using the Role could be a way to go. Different guest roles depending on the SSID.

Another way might be adding the CONNECTION:SSID as an attribute to the UPDATE ENDPOINT KNOWN policy and testing on this during MAC caching.


Regards
John Solberg

-ACMX #316 :: ACCP-
Intelecom - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
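The decision logic the last two replies describe, as an added worked example that is not part of this thread and is not ClearPass code. It models the Endpoints repository, the Update Endpoint Known step and the wizard-default MAC caching checks (Known, has username, still valid) in plain Python, reproduces the cross-SSID acceptance James describes, and then shows the effect of storing Connection:SSID on the endpoint and testing it during MAC caching (Troy's per-SSID role tag would play the same part). MAC addresses, usernames, timestamps and the 24-hour lifetime are constructed values; the attribute name and the check order are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed model of the pieces discussed in the thread; this is not ClearPass code.
# An Endpoint record stands in for an entry in the ClearPass Endpoints repository.

@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"                 # "Known" after Update Endpoint Known
    username: Optional[str] = None          # set by the captive-portal login
    expire_at: Optional[datetime] = None    # guest account validity
    attributes: Dict[str, str] = field(default_factory=dict)  # e.g. Connection:SSID tag

@dataclass
class Request:
    mac: str
    ssid: str          # SSID the controller reports (Connection:SSID in the thread)
    now: datetime

def portal_login(repo, mac, ssid, username, now, lifetime_hours=24, tag_ssid=False):
    """Successful captive-portal login: the Update Endpoint Known step. With tag_ssid=True
    the SSID is also stored on the endpoint (the workaround suggested in the thread)."""
    ep = repo.setdefault(mac, Endpoint(mac))
    ep.status = "Known"
    ep.username = username
    ep.expire_at = now + timedelta(hours=lifetime_hours)
    if tag_ssid:
        ep.attributes["Connection:SSID"] = ssid
    return ep

def mac_caching(repo, req, require_ssid_match=False):
    """Wizard-default MAC caching as described in the thread: the endpoint must be Known,
    carry a username and still be valid. require_ssid_match adds the extra SSID test."""
    ep = repo.get(req.mac)
    if ep is None or ep.status != "Known":
        return "REJECT: endpoint not known"
    if not ep.username:
        return "REJECT: no username on endpoint"
    if ep.expire_at is None or req.now >= ep.expire_at:
        return "REJECT: guest account no longer valid"
    if require_ssid_match and ep.attributes.get("Connection:SSID") != req.ssid:
        return "REJECT: endpoint was registered on a different SSID"
    return "ACCEPT"

def cross_ssid_scenario(hardened):
    """Tom logs in on guest-nocache, then associates to guest-cache five minutes later.
    hardened=False reproduces the default behaviour; hardened=True applies the SSID test."""
    repo = {}
    t0 = datetime(2024, 1, 1, 9, 0)                     # constructed timestamp
    portal_login(repo, "aa:bb:cc:dd:ee:01", "guest-nocache", "tom", t0, tag_ssid=hardened)
    later = Request("aa:bb:cc:dd:ee:01", "guest-cache", t0 + timedelta(minutes=5))
    return mac_caching(repo, later, require_ssid_match=hardened)

def same_ssid_scenario():
    """Control case: a guest who logged in on guest-cache is still accepted there with the
    SSID test on, and is rejected once the account lifetime has passed."""
    repo = {}
    mac = "aa:bb:cc:dd:ee:02"
    t0 = datetime(2024, 1, 1, 9, 0)
    portal_login(repo, mac, "guest-cache", "ann", t0, lifetime_hours=8, tag_ssid=True)
    fresh = mac_caching(repo, Request(mac, "guest-cache", t0 + timedelta(hours=1)), True)
    expired = mac_caching(repo, Request(mac, "guest-cache", t0 + timedelta(hours=9)), True)
    return fresh, expired

if __name__ == "__main__":
    print("default services, cross-SSID:", cross_ssid_scenario(False))
    print("SSID check added, cross-SSID:", cross_ssid_scenario(True))
    print("same SSID (fresh, expired):", same_ssid_scenario())
```

Run as a script it prints the three outcomes; the point to notice is that nothing in the default checks ties the Known endpoint to the SSID it was registered on, so the expiry policies alone do not prevent the cross-SSID acceptance, while the stored SSID (or an equivalent per-SSID role) does.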