Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

COA - works from CPG, won't work from [Aruba Terminate Session]

  • 1.  COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 28, 2017 09:17 AM

    I'm trying to set up a Service in CPPM to disconnect a device (macauth) after WebAuth via the [Aruba Terminate Session]. The service is accepted once the device is registered, but the system stays in the preauth role on the controller. I can successfully Disconnect devices on the controller via CPG, which I presume means the rfc-3576-server CoA is working correctly, and the device is successfully booted from the role.

    Am I missing something simple, or am I mistaken that CPG Disconnect is not using the same mechanism as the [Aruba Terminate Session] profile?

    thanks

    mike



  • 2.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    EMPLOYEE
    Posted Aug 28, 2017 09:20 AM

    Does it work manually from access tracker for the same client?

    Are you returning a REJECT or ACCEPT on the initial MAC auth?



  • 3.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 28, 2017 09:44 AM

    (Thanks for responding Tim, I'm trying to get your DEVICE-REG_DM-COA working from the EDUCAUSE Wireless-LAN group email)

    It does work manually from Access Tracker.

    The default profile on the macauth service is [Drop Access Profile] which has the Drop action. The Access Tracker details show:

    Post-Auth-Check:Action   Disconnect

    and

    MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

    thanks

    mike



  • 4.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]
    Best Answer

    EMPLOYEE
    Posted Aug 28, 2017 09:49 AM

    Your MAC auth service should be using Allow All MAC Auth and returning a captive portal role for unknown devices.

    Can you post screenshots of the request hitting the DM-COA WebAuth service?



  • 5.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 28, 2017 10:05 AM
    OK, that makes this more than a minor change. Here's the screenshot.

    thanks

    mike



  • 6.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    EMPLOYEE
    Posted Aug 28, 2017 10:13 AM

    Why do you have 2 terminate sessions there? What is "UD [Terminate Session]"?



  • 7.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 28, 2017 10:23 AM

    After the default terminate didn't work, I copied it and only included the local controllers in the list and added that also... 



  • 8.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    EMPLOYEE
    Posted Aug 28, 2017 10:27 AM

    I'm not following that. Can you post a screenshot? You should only be using the default [Aruba Terminate Session].



  • 9.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 28, 2017 10:43 AM

    It was just an initial troubleshooting test. Since we have both local and eduroam federation controllers listed, I wanted to make sure the eduroam list wasn't causing the terminate to end abnormally, so I copied the profile and listed only the local controllers. I've removed it now.

    (attached: Screen Shot 2017-08-28 at 10.40.22 AM.png)



  • 10.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 28, 2017 02:33 PM

    "Your MAC auth service should be using Allow All MAC Auth and returning a captive portal role for unknown devices."

    Are there examples of this anywhere? I've gone through the wizard and made several attempts modifying that service for mine but not having any luck.

    thanks

    mike



  • 11.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    EMPLOYEE
    Posted Aug 28, 2017 03:22 PM

    If you look at the original MAC auth request after the device was registered, do you see a CoA tab?



  • 12.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 29, 2017 06:44 AM

    That's the problem: there never is another MAC auth request after the device was registered; it just sits in the initial-role stupid but content. The WEBAUTH source is set up to do the Aruba Terminate Session, but nothing ever happens.

    "You need to use Allow All MAC Auth and add a fail through rule that returns your captive portal role."

    The macauth wizard didn't make anything resembling a captive portal role, so I'm flying blind trying to understand your references here and other posts on the subject. I was able to modify the standard enforcement policy from the default days-of-the-week to something that properly sets the authenticated devices into the correct role, but the fail through rule to a captive portal role doesn't seem to happen.

    (attached: Screen Shot 2017-08-29 at 6.40.16 AM.png, Screen Shot 2017-08-29 at 6.40.36 AM.png, Screen Shot 2017-08-29 at 6.43.25 AM.png)



  • 13.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    Posted Aug 29, 2017 09:10 AM

    Sorry, I didn't see the forest for the trees on this one (I'll blame move-in week stress). Once I changed the Service Authentication Method from the default MAC AUTH to Allow All MAC AUTH, everything started working as expected...

    thanks

    mike




  • 14.  RE: COA - works from CPG, won't work from [Aruba Terminate Session]

    EMPLOYEE
    Posted Aug 29, 2017 09:16 AM

    Mike,

    You may want to tweak your MAC auth service. The guest service templates aren't really designed for headless device authentication, so you have a lot of profiles in there that aren't designed for this.

    Here is an example of a multi-use guest + headless MAC authentication service. Ignore rules 2-4, they're just for testing.

    (attached: Screen Shot 2017-08-29 at 9.15.06 AM.png)