Security

Reply
Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Captive Portal + Mac address authentication

Hey All,

I am running into some limitations with my .1x implementation and looking for a different build out. My idea is to combine captive portal and MAC address authentication. Is there a way to have the captive portal come up for users (MAC addresses) that the controller hasn't seen before? In other words, when a new MAC address comes on the network, it gets portaled, the user enters his AD credentials and gets placed into a role and goes on his way. Meanwhile the MAC address gets stored locally on the controller and "whitelists" that MAC so that the next day the user does not get captive portal'ed?

Rafael

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: Captive Portal + Mac address authentication

This type of functionality would require an external AAA server. Do you have ClearPass? This is very easy to do in CPPM.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: Captive Portal + Mac address authentication

Hi Tim,

Thanks for the ultra quick reply! I do not yet have ClearPass. How can it be done with an external AAA server without ClearPass? I am not opposed to acquiring ClearPass but if it can be done another way (NPS, FreeRADIUS) I would be game.

Thanks,

Rafael

Guru Elite
Posts: 8,447
Registered: ‎09-08-2010

Re: Captive Portal + Mac address authentication

[ Edited ]

You would need some type of SQL database to keep track of MAC addresses that your RADIUS server can query. You would then need a captive portal that can write back to the SQL database. You could return a role of REGISTRATION-ROLE for devices that are not in the database, but MAC-AUTH-ROLE if they were in there.

ClearPass offers the most flexibility as all of this is in one package and can do much more like session tracking, bandwidth caps and device profiling.

tim


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
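The lookup-then-write-back flow Tim describes, as an added example that is not code from this thread, from Aruba or from any RADIUS product: an in-memory SQLite table stands in for the SQL database, lookup_role() stands in for the query the RADIUS server runs on a MAC-auth request, and register_device() stands in for the write-back the portal performs once the user's AD credentials validate. The role names are the ones from the post; the MAC formats accepted, the table schema and the REGISTRATION_TTL_DAYS re-registration window are assumptions made for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Role names as given in the thread.
REGISTRATION_ROLE = "REGISTRATION-ROLE"   # unknown MAC: send the device to the portal
MAC_AUTH_ROLE = "MAC-AUTH-ROLE"           # known MAC: let it straight through

# Assumption for the example: a registration is only trusted for this long,
# so a device must re-authenticate on the portal periodically rather than
# being allow-listed forever on the strength of a MAC address alone.
REGISTRATION_TTL_DAYS = 90


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC as it might arrive in Calling-Station-Id
    ('00-11-22-AA-BB-CC', '0011.22aa.bbcc', '00:11:22:aa:bb:cc')
    to 12 lowercase hex digits, so every format hits the same row."""
    hexdigits = "".join(ch for ch in raw.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return hexdigits


def init_db() -> sqlite3.Connection:
    """The SQL table the RADIUS server queries and the portal writes to (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE registered_devices (
               mac           TEXT PRIMARY KEY,
               username      TEXT NOT NULL,
               registered_at TEXT NOT NULL   -- ISO-8601, UTC
           )"""
    )
    return conn


def lookup_role(conn: sqlite3.Connection, calling_station_id: str, now: datetime = None) -> str:
    """What the RADIUS server's SQL query decides for a MAC-auth request."""
    now = now or datetime.now(timezone.utc)
    mac = normalize_mac(calling_station_id)
    row = conn.execute(
        "SELECT registered_at FROM registered_devices WHERE mac = ?", (mac,)  # parameterised
    ).fetchone()
    if row is None:
        return REGISTRATION_ROLE
    registered_at = datetime.fromisoformat(row[0])
    if now - registered_at > timedelta(days=REGISTRATION_TTL_DAYS):
        return REGISTRATION_ROLE  # stale registration: back to the portal
    return MAC_AUTH_ROLE


def register_device(conn: sqlite3.Connection, calling_station_id: str, username: str,
                    now: datetime = None) -> None:
    """The write-back the captive portal performs after a successful AD login."""
    now = now or datetime.now(timezone.utc)
    mac = normalize_mac(calling_station_id)
    conn.execute(
        "INSERT OR REPLACE INTO registered_devices (mac, username, registered_at) VALUES (?, ?, ?)",
        (mac, username, now.isoformat()),
    )
    conn.commit()


def demo() -> tuple:
    """Walk one device through the flow; returns the three role decisions."""
    conn = init_db()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)            # constructed timestamp
    first = lookup_role(conn, "00-11-22-AA-BB-CC", now=t0)    # never seen: portal
    register_device(conn, "00:11:22:aa:bb:cc", "rafael", now=t0)  # portal login succeeded
    second = lookup_role(conn, "0011.22aa.bbcc", now=t0 + timedelta(days=1))  # next day: through
    later = lookup_role(conn, "00-11-22-AA-BB-CC", now=t0 + timedelta(days=91))  # expired
    return first, second, later


if __name__ == "__main__":
    print(demo())
```

The lookup is a single parameterised query, which is all a RADIUS server needs to run per request; the normalisation matters because controllers and RADIUS servers do not agree on a MAC format, and a mismatch would silently send every registered device back to the portal. The expiry is there because a MAC address is not a secret: a device that was registered once should not be trusted indefinitely, and as Colin notes later in the thread, moving from 802.1X to MAC-based roles also gives up the link-layer encryption 802.1X provides.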
Guru Elite
Posts: 20,968
Registered: ‎03-29-2007

Re: Captive Portal + Mac address authentication


r.ertel wrote:

Hey All,

I am running into some limitations with my .1x implementation and looking for a different build out. My idea is to combine captive portal and MAC address authentication. Is there a way to have the captive portal come up for users (MAC addresses) that the controller hasn't seen before? In other words, when a new MAC address comes on the network, it gets portaled, the user enters his AD credentials and gets placed into a role and goes on his way. Meanwhile the MAC address gets stored locally on the controller and "whitelists" that MAC so that the next day the user does not get captive portal'ed?

Rafael


r.ertel,

What are your limitations?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: Captive Portal + Mac address authentication

"You would then need a captive portal that can write back to the SQL database"

*** Do you mean a non-Aruba based captive portal, as the Aruba captive portal has no way to write back to the SQL database?

Thanks,

Rafael

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: Captive Portal + Mac address authentication

cjoseph,

My limitations are that if a user's AD creds are no good they'd be stuck in the logon role with no instructional options. That is to say, I could poke a hole in the logon role policies for access to the AD password reset tool we offer via HTTPS, but a.) I see that as a security weakness and b.) if it were there the user still wouldn't know they can access it.

Thanks,

Rafael

Guru Elite
Posts: 20,968
Registered: ‎03-29-2007

Re: Captive Portal + Mac address authentication

[ Edited ]

r.ertel,

At our company, we have many users that connect via RAPs and 802.1x and we have the same issue with password resets. In addition to having a portal, what they have done is send a user an email 10 days before his/her password expires so that it can be changed. Do you have that capability? It would just be a big step back if you forego encryption to deal with password resets...

You still have the option to put a link on your Captive Portal to do a password reset for AD users, which would be reachable by any device...

Colin Joseph
Aruba Customer Engineering

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: Captive Portal + Mac address authentication

cjoseph,

We do actually already do email alerts (doesn't make it idiot proof though :(   ). However there are two other problems: a.) peeps forgetting their passwords and b.) when new machines are deployed (mainly a Windows issue) the user has never logged in with their AD creds, and since they are in a logon role their machine cannot talk to AD to log them in that first time. I can poke a hole in the logon role fw policy but again that is a security issue, yea?

Rafael

Frequent Contributor II
Posts: 124
Registered: ‎09-10-2012

Re: Captive Portal + Mac address authentication

cjoseph,

"You still have the option to put a link on your Captive Portal to do a password reset for AD users, which would be reachable by any device..."

but with our present .1x model we do not use Captive Portal...

Rafael
