Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Automatic MAC account creation from Cisco WLC

  • 1.  Automatic MAC account creation from Cisco WLC

    Posted Jan 25, 2012 05:58 PM

    We are creating a BYOD network and below is what we need our Amigopod to do.

    Have any of you tried this? 

     

    1) The first time a user attempts to connect to byod_ssid, they are presented with a captive portal page that requests AD credentials.  In the background, the user's MAC address needs to be captured.

    2) All subsequent connections to byod_ssid are MAC authenticated.

     

    This process works really well with users connected to the Aruba controller by following this guide: amigopodTechNoteAutoMACAuthAccount.pdf

     

    However, I have some Cisco WLC connected users who need to have this same experience.  I am not finding any documentation on this process from the Cisco side.  What do you think?  Is it possible?

    Thanks!



  • 2.  RE: Automatic MAC account creation from Cisco WLC

    Posted Jan 26, 2012 12:37 AM

    The basis of this feature is the ability to set up your SSID to perform RADIUS MAC Authentication with fallback to Captive Portal (or Web Auth in Cisco speak). I believe this is a relatively new feature for Cisco in one of the 7.x software releases, so I would suggest checking the release notes for your deployed software version on your WLC.

     

    Beyond that, the theory in Amigopod will still be the same: the client's MAC address should be available in the RADIUS Access-Request packet sent from the Cisco WLC to Amigopod. This is used as part of the MAC Caching solution on Amigopod.

     

    Let us know how you go on this setup; I am sure others would be interested in your results here on the Airheads Forum.



  • 3.  RE: Automatic MAC account creation from Cisco WLC

    Posted Jan 27, 2012 02:10 PM

    cam is exactly right. I had to upgrade the WLC to 7.0.xx to gain functionality that allows clients to fall back to Web Authentication after MAC authentication fails.

     

    The only caveat that I would add is this.  The WLC will ONLY pass the MAC with all letters being lowercase.  By default the Aruba wants to send the MAC with uppercase letters. And Amigopod only accepts MACs with capital letters...

     

    So, I had to change the Aruba controller to send in lowercase, then I modified the guest account creation form in Amigopod to accept lowercase letters in the MAC.  To change that form in the Amigopod I basically had to turn off the "NwaNormalizeMacAddress" code that it ran the MAC through...

    It was a messy config full of trial and error, but now that it's done it works very well.  Maybe a step by step guide is in order?  ;)

     

     



  • 4.  RE: Automatic MAC account creation from Cisco WLC

    Posted Mar 08, 2012 02:07 AM

    Hi Drivert,

     

    Would you please share the MAC auth expression to work with Cisco WLC?

     

    I'm not quite clear on how to turn off the "NwaNormalizeMacAddress".

     

    Thanks

    Hendro



  • 5.  RE: Automatic MAC account creation from Cisco WLC

    Posted Mar 08, 2012 09:01 PM

    Although disabling NwaNormalizeMacAddress is an option, you don't need to do this.  A better option is to modify how the function normalizes the MAC address.  You have control of the MAC address normalization in the MAC Authentication Plugin.  To get to the configuration, go to Administrator -> Plugin Manager -> Manage Plugins and find the MAC Authentication Plugin.  Click the configure link and there will be options for MAC Separator and Case.  Set the case option to lower so all new MACs that are created are lowercase.
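
The case mismatch described in this thread, as an added example that is not part of any post and is not Amigopod or ClearPass code: a case-sensitive lookup misses a cached MAC account when the NAS sends lowercase, while normalizing both sides to one separator and case finds it. The function names, the sample account and the hyphen separator are assumptions made for illustration.

```python
import re

def normalize_mac(raw, separator="-", case="upper"):
    """Render a MAC in one canonical notation (hypothetical helper)."""
    digits = re.sub(r"[-:.]", "", raw.strip())      # drop common separators
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    digits = digits.lower() if case == "lower" else digits.upper()
    return separator.join(digits[i:i + 2] for i in range(0, 12, 2))

# Constructed sample data: one cached device account, stored in uppercase.
ACCOUNTS = {"00-11-22-AA-BB-CC": "jsmith"}
# Constructed RADIUS User-Name as a lowercase-only NAS would send it.
NAS_USERNAME = "00-11-22-aa-bb-cc"

def lookup_exact(accounts, username):
    """Case-sensitive string match: the failure mode described in post 3."""
    return accounts.get(username)

def lookup_normalized(accounts, username, separator="-", case="upper"):
    """Normalize stored keys and the request the same way before comparing."""
    wanted = normalize_mac(username, separator, case)
    for stored, owner in accounts.items():
        if normalize_mac(stored, separator, case) == wanted:
            return owner
    return None

if __name__ == "__main__":
    print("exact:     ", lookup_exact(ACCOUNTS, NAS_USERNAME))
    print("normalized:", lookup_normalized(ACCOUNTS, NAS_USERNAME))
    print("lowercase: ", normalize_mac("0011.22AA.BBCC", ":", "lower"))
```

Whichever case and separator are chosen, the same setting has to apply when the account is created and when the Access-Request is matched, otherwise the device falls back to the captive portal on every connection.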