Contributor II
Posts: 50
Registered: ‎10-11-2013

Captive portal users being asked to authenticate frequently

Looking for advice on resolving an issue where users are needlessly prompted for authentication.

It's a dot1x captive portal. (ClearPass, not Controller)

MAC caching is done on a post-auth enforcement profile. The expiration is set to a period of six months, yet users are prompted to sign in multiple times per day.

It would be great if we had a repeatable failure, but so far we cannot identify what conditions trigger the issue.

Any thoughts or ideas are appreciated.

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Captive portal users being asked to authenticate frequently

So the users are using their credentials for 802.1X authentication and then the same credentials again on the captive portal? 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 50
Registered: ‎10-11-2013

Re: Captive portal users being asked to authenticate frequently

No, let me clarify.

The users enter their Active Directory credentials on a captive portal. Sign in works fine. Then after some period of time, they lose access and are again prompted to sign in.

The goal is to provide a session that survives for months at a time.

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Captive portal users being asked to authenticate frequently

Can you please post screenshots of your role map and enforcement policies for your MAC-Auth and Web Login services?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 50
Registered: ‎10-11-2013

Re: Captive portal users being asked to authenticate frequently

Cappalli,

I wish I could be more certain about which profiles and policies are in effect. It looks like the integrator dumped the entire Aruba Solution Exchange into our system. So there are many profiles existing which are not in use.

Is there a way I can determine which profiles and policies are at play with a certain SSID?

MVP
Posts: 778
Registered: ‎03-25-2009

Re: Captive portal users being asked to authenticate frequently

Easiest way to start troubleshooting is to get a spare laptop and simulate the issues yourself.

After authenticating (with AD credentials) you can log onto ClearPass, open Access Tracker and filter for that spare laptop's MAC address to see all its authentications.

That will basically show you what service is used along with a lot of other information. Basically Access Tracker is your best bet at troubleshooting authentication issues with ClearPass.

If your users are forced to reauthenticate with their AD credentials then surely something is wrong with your MAC authentication.

Do you see any MAC authentications happening in Access Tracker? If not, your MAC auth configuration on the controller or switch is missing! You need this to do MAC caching.

If you see a lot of rejects, see what service they match. Is this the correct service? If it is, why is it failing?

Depending on what you find using this, we will need additional info again.

Koen (ACMX #351 | ACDX #547 | ACCP)

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Captive portal users being asked to authenticate frequently

There should be a MAC authentication service and a RADIUS web login service for this setup. Feel free to post a screenshot of your service list if you can't find them.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 50
Registered: ‎10-11-2013

Re: Captive portal users being asked to authenticate frequently

Koen, thanks for the info on Access Tracker. That helped me find the relevant service for MAC auth.

The error message seems to suggest something is wrong with the MAC caching. "failed to get value for attributes=[Days-Since-Auth]"

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: Captive portal users being asked to authenticate frequently

You may want to consider rebuilding this to use the MAC-Auth Expiry method instead of Insight.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480