01-25-2012 02:57 PM
We are creating a BYOD network and below is what we need our Amigopod to do.
Have any of you tried this?
1) First time user attempts to connect to byod_ssid they are presented with captive portal page that requests AD credentials. In the back ground users MAC address needs to be captured.
2) All subsequent connections to byod_ssid are MAC authenticated.
this process works really well with users connected to the Aruba controller by following this guide. amigopodTechNoteAutoMACAuthAccount.pdf
However I have some Cisco WLC connected users who need to have this same experiance. I am not finding any documentation on this process from the Cisco side. What do you think? Is it possible?
01-25-2012 09:37 PM
The basis of this feature is the ability to setup your SSID to perform RADIUS MAC Authentication with fall back to Captive Portal (or Web Auth in Cisco speak). I believe this is a relatively new feature for Cisco in one of the 7.x software releases so I would suggest checking the release notes for your deployed software version on your WLC.
Beyond that the theory in Amigopod will still be the same that the client's MAC address should be able in the RADIUS Access-Request packet sent from the Cisco WLC to Amigopod. This is used as part of the MAC Caching solution on Amigopod.
Let us know how you go on this setup, I am sure other would be interested in your results here on the Airheads Forum.
01-27-2012 11:10 AM
cam is exactly right. I had to upgrade the WLC to 7.0.xx to gain functionality that allows clients to fall back to Web Authentication after MAC authentication fails.
The only caveat that I would add is this. The WLC will ONLY pass the MAC with all letters being lowercase. By default the Aruba wants to send the MAC with uppercase letters. And Amigopod only accepts MACs with capital letters...
So, I had to change the Aruba controller to send in lowercase, then I modified the guest account creation form in Amigopod to accept lowercase letters in the MAC. To change that form in the Amigopod i basically had to turn off the "NwaNormalizeMacAddress" code that it ran the MAC through...
It was a messy config full of trial and error, but now that its done it works very well. Maybe a step by step guide is in order? ;)
03-08-2012 06:01 PM
Although disabling NwaNormalizeMacAddress is an option, you don't need to do this. A better option is to modify how the function normalizes the MAC address. You have control of the MAC address normalization in the
MAC Authentication Plugin. To get to the configuration, go to Administrator -> Plugin Manager -> Manage Plugins and find the MAC Authentication Plugin. Click the configure link and there will be options for MAC Separator and Case. Set the case option to lower so all new MACs that are created are lowercase.