Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Captive Portal After MAC Auth

So I have a school that wants to enforce personal device registration on the same SSID that they will MAC auth to once the device is known.


I configured a service in ClearPass for BYOD MAC Authentication that assigns them a BYOD role if the device is known, or if not, the default enforcement is "Device Registration".


On the controller the Device-Registration role has a captive portal assigned that directs the user to the ClearPass Guest operator login to add their device, and once they reconnect, it should MAC auth them again and put them in the BYOD role.


Is this possible? I'm having trouble getting the captive portal redirect to work. It's also not working on my guest SSID, so I think it's something else, but just wanted to verify this would work.


Thanks!

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: Captive Portal After MAC Auth

Yes, this is a common solution. I would recommend against using "Known" as that attribute can be updated by multiple sources. Are you looking at using the MACTrac feature? Also, for the captive portal functionality, do you have an IP address in each VLAN on the controller?

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Captive Portal After MAC Auth

Yes, we are attempting to use the Device Registration operator role for students/staff to log in with their AD credentials and register their own devices before the devices have access to the internet.


The VLAN that the user is on has an IP address on the controller. The MAC auth succeeds because I am using the default profile if the device does not exist, the user connects to wireless, but when they launch a browser the captive portal page just keeps spinning and never loads.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Captive Portal After MAC Auth

[ Edited ]

Correction, that VLAN does NOT have an IP address on the controller, but the Guest VLAN does. Both are not loading the captive portal. Guest is just captive portal with open SSID.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: Captive Portal After MAC Auth

You need an IP on every VLAN that you want a captive portal to run.


You'll want to create an enforcement rule that checks for "Authentication:Source EQUALS [Guest Device Repository]" and "GuestUser:Sponsor EXISTS".

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Captive Portal After MAC Auth

[ Edited ]

I made the changes for the role mapping, but I'm still not sure why my captive portal won't load. We have an IP address on the VLAN on the controller. We can manually browse to ClearPass and ClearPass Guest, but it's not redirecting us automatically. We do not have a DNS entry for ClearPass, but we're pointing to https://10.1.2.184/guest/guest_registration.php, and we also don't have a valid certificate installed yet, but that should still show us the cert error page. Any ideas?


I also verified that no proxy configuration was present in the browser.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Guru Elite
Posts: 7,852
Registered: ‎09-08-2010

Re: Captive Portal After MAC Auth

Can you run "show rights <captive-portal-role?>"


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Captive Portal After MAC Auth

(Screenshot attached: [2014-11-07]-Image-001.png)

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Super Contributor I
Posts: 318
Registered: ‎05-09-2013

Re: Captive Portal After MAC Auth

[ Edited ]

They have a firewall between VLAN 3/4 and the controller, but HTTP and HTTPS access is permitted between VLAN 1 (which the controller and ClearPass are on) and VLAN 3/4.

Michael Haring | Network Engineer - ACMP, ACCP
Comm Solutions Company | www.commsolutions.com
Aruba
Posts: 1,635
Registered: ‎04-13-2009

Re: Captive Portal After MAC Auth

Can you include the full output of "show rights IC-Guest-Logon"? It does not appear that you have a captive portal profile set for that role. Also, do you allow HTTP/HTTPS to your ClearPass box (10.1.2.184) before your captive-portal redirect?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
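To tie the thread's advice together (an IP on the VLAN, an allow rule to ClearPass ahead of the redirect, and a captive portal profile actually bound to the role), here is an added ArubaOS 6.x CLI fragment for the controller side of the Device-Registration role. It is an illustration, not configuration posted by anyone in this thread. 10.1.2.184 and the guest_registration.php URL are taken from the thread; VLAN 3, the 10.3.0.0/24 subnet, and the profile name cp-device-reg are assumed. The ClearPass side is not shown: the "Device Registration" enforcement profile simply returns this role name in the Aruba-User-Role attribute, and the rule from the earlier reply (Authentication:Source EQUALS [Guest Device Repository] AND GuestUser:Sponsor EXISTS) selects the BYOD role instead on the next MAC auth.

```text
! Added example, not from the thread. ArubaOS 6.x CLI.
! Assumed: VLAN 3 / 10.3.0.0/24 for registering clients, profile name
! cp-device-reg. 10.1.2.184 is the ClearPass address from the thread.

! 1. The controller must own an IP on every VLAN where a captive portal
!    runs; the redirect page is served from that VLAN interface.
interface vlan 3
   ip address 10.3.0.1 255.255.255.0
!
! 2. Alias for the ClearPass server so the ACL below stays readable.
netdestination clearpass
   host 10.1.2.184
!
! 3. Let the client reach ClearPass over HTTP/HTTPS. This ACL must be
!    listed in the role BEFORE the captiveportal ACL, because session
!    ACLs are evaluated in order and captiveportal would otherwise
!    redirect the portal's own traffic (the "spinning page" symptom).
ip access-list session allow-clearpass
   user alias clearpass svc-https permit
   user alias clearpass svc-http permit
!
! 4. Captive portal profile pointing at the ClearPass Guest registration
!    page. switchip-in-redirection-url adds the controller IP to the
!    redirect so ClearPass Guest knows which controller to log in to.
aaa authentication captive-portal "cp-device-reg"
   login-page "https://10.1.2.184/guest/guest_registration.php"
   switchip-in-redirection-url
!
! 5. Role ClearPass returns for unknown devices. logon-control is the
!    built-in ACL permitting DHCP/DNS; captiveportal is the built-in ACL
!    that performs the HTTP/HTTPS redirect for everything not already
!    permitted above it.
user-role Device-Registration
   captive-portal "cp-device-reg"
   access-list session logon-control
   access-list session allow-clearpass
   access-list session captiveportal
!
```

After applying this, "show rights Device-Registration" (the check asked for earlier in the thread) should list the captive-portal profile and the three session ACLs in exactly that order, and "show ip interface brief" should show an address on the client VLAN. If either is missing, the redirect will not fire regardless of what ClearPass returns.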
