ClearPass Guest MAC Caching - Deny Disabled Guests

I have Guest MAC caching and authentication working. I want to keep a guest from being able to MAC authenticate if their guest account has been disabled. Since the Guest MAC Auth service only checks the Insight and Endpoint Repository, it can't determine the status of the Guest account. Is it possible to somehow correlate the device with the guest so the guest account can be verified during Guest MAC auth? If not, the only solution I've found is to change the device to "unknown", which will cause the MAC Auth authentication method to fail.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba Employee

Re: ClearPass Guest MAC Caching - Deny Disabled Guests

Hi,

 

This was fixed in 6.1 by way of an SQL Query source. It is configured automatically when you use the Service Template called Guest MAC Authentication.

 

When you use the Guest MAC Authentication, it will create two sources. Here is a photo of the one you need to add as an Authorization Source:

 

Screen Shot 2013-10-09 at 3.07.44 PM.png

 

Note the attributes tab for this source; we will use that info later in our Enforcement Policy:

 

Screen Shot 2013-10-09 at 3.21.14 PM.png

 

I believe in 6.1.2 we added the "expire_time is null" to this query, which basically means that we are going to allow MAC Caching for guest accounts that never expire.

 

Then, after adding this source in as an Authorization Source in your MAC Caching service, you need to take advantage of the checks. Here is how you do that:

 

Screen Shot 2013-10-09 at 3.27.05 PM.png

 

My example here is doing MAC Caching for 7 days. You can see the first rule is checking that UserName EXISTS from the query above. That UserName is the Alias Name, which is the alias for the guest_device_user that is returned from the SQL query, if it is able to find it using the query.

 

This is probably WAY more information than you wanted. Hope you find it helpful.

 

Zach

 

 

Thanks,

Zach Jennings
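
The check described in the reply above, modelled as an added example that is not part of the original thread and is not ClearPass's own query: the authorization lookup returns a UserName only while the owning guest account is enabled and unexpired (or never expires), and the enforcement step denies MAC auth when UserName is absent or the 7-day cache window has passed. The table names, columns, `authorize_mac` and the sample rows are hypothetical and constructed; SQLite stands in for the real database.

```python
import sqlite3
from datetime import datetime, timedelta

# Hypothetical schema for illustration; not ClearPass's real tables or query.
SCHEMA = """
CREATE TABLE guest_account (username TEXT PRIMARY KEY, enabled INTEGER, expire_time TEXT);
CREATE TABLE guest_device  (mac TEXT PRIMARY KEY, guest_device_user TEXT, cached_at TEXT);
"""
# Authorization lookup: a row comes back only if the guest who owns the device
# is still enabled and either never expires (NULL) or has not expired yet.
AUTHZ_QUERY = """
SELECT d.guest_device_user AS UserName, d.cached_at
FROM guest_device d JOIN guest_account g ON g.username = d.guest_device_user
WHERE d.mac = :mac AND g.enabled = 1
  AND (g.expire_time IS NULL OR g.expire_time > :now)
"""
CACHE_DAYS = 7                          # MAC caching window from the thread's example
NOW = datetime(2013, 10, 9, 15, 0, 0)   # constructed "current time"

def authorize_mac(conn, mac, now=NOW):
    """Return (decision, UserName) for one MAC authentication attempt."""
    row = conn.execute(AUTHZ_QUERY, {"mac": mac, "now": now.isoformat()}).fetchone()
    if row is None:                     # UserName does not exist: first rule fails
        return ("DENY", None)
    username, cached_at = row
    if now - datetime.fromisoformat(cached_at) > timedelta(days=CACHE_DAYS):
        return ("DENY", username)       # cached entry is older than the window
    return ("ALLOW", username)

def build_sample_db():
    """Constructed sample data covering each outcome."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO guest_account VALUES (?, ?, ?)", [
        ("alice", 1, "2013-10-12T00:00:00"),   # enabled, not expired
        ("bob",   0, "2013-10-12T00:00:00"),   # disabled by an operator
        ("carol", 1, None),                    # never expires
        ("dave",  1, "2013-10-01T00:00:00"),   # already expired
        ("erin",  1, None),                    # valid account, stale cache
    ])
    conn.executemany("INSERT INTO guest_device VALUES (?, ?, ?)", [
        ("aabbcc000001", "alice", "2013-10-08T09:00:00"),
        ("aabbcc000002", "bob",   "2013-10-08T09:00:00"),
        ("aabbcc000003", "carol", "2013-10-05T09:00:00"),
        ("aabbcc000004", "dave",  "2013-10-08T09:00:00"),
        ("aabbcc000005", "erin",  "2013-09-25T09:00:00"),
    ])
    return conn
```

Because the account status is evaluated on every lookup, disabling a guest takes effect on the device's next MAC authentication without touching the endpoint record.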

Re: ClearPass Guest MAC Caching - Deny Disabled Guests

Perfect!  Now, disabling the guest account results in the policy manager failing to get the username attribute and fails MAC auth.  Exactly what I needed.  Thank you!
