Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Guest and IOS XE

  • 1.  ClearPass Guest and IOS XE

    Posted Jan 14, 2014 10:25 AM

    Hello

    I've previously set up ClearPass Guest with Cisco WLC running IOS 7+ and that has been pretty straightforward.

    Now trying the same with a Cisco WLC 5760 running IOS XE 3.3.1, but can't get it to work.

    I'm redirected to the WLC (the local RADIUS auth pops up in Access Tracker), but then it stops with an "empty response" message from the WLC. If I reload this page I get an "Authentication Proxy Login Page" (https://<name of WLC>/login.html?redirect=redirect)

    The login method used is:

    "Controller-initiated - Guest browser performs HTTP submit"

    Any suggestions? Or can anyone link me to any updated guides for doing Cisco WLC and ClearPass Guest?



  • 2.  RE: ClearPass Guest and IOS XE

    Posted Jan 14, 2014 04:31 PM

    I think that you should be setting the 5760 up to do CWA like you would on the 3850 etc.

    An example of one done by an Airhead:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/Clearpass-guest-access-portal-MAB-web-authentication/td-p/110919

    So not like the "old" way of using external web auth.

    An example of a 5760 config I'm working on in the lab but have had time to complete:

    aaa authorization network cwa_macfilter group Radius-Server-grp

    wlan test_cwa 1 test_cwa
    aaa-override
    accounting-list cppm
    exclusionlist timeout 5
    ip access-group GUEST
    ip dhcp required
    ip dhcp server 192.168.245.245
    mac-filtering cwa_macfilter
    nac
    peer-blocking drop
    no security wpa
    no security wpa akm dot1x
    no security wpa wpa2
    no security wpa wpa2 ciphers aes
    security dot1x authentication-list cppm
    no security ft over-the-ds
    session-timeout 1800

    ip access-list extended ACL-REDIRECT
    deny udp any eq bootps any
    deny udp any any eq bootpc
    deny udp any eq bootpc any
    deny udp any any eq domain
    deny tcp any any eq domain
    deny ip any host 192.168.246.220
    deny ip any host 192.168.245.245
    permit tcp any any eq www
    permit tcp any any eq 443

    ip access-list extended GUEST
    permit udp any host 192.168.245.245 eq domain
    permit tcp any host 192.168.246.220 eq 443
    deny ip any 192.168.0.0 0.0.255.255
    permit ip any any

    Hth



  • 3.  RE: ClearPass Guest and IOS XE

    Posted Jan 15, 2014 03:22 AM
    Thanks for the reply!
    Using CWA would mean using CoA, and the Cisco tech here says that the 5760 on this sw doesn't support RFC 3576 - just RFC 5176. I'll try and see how it goes, but I'm not feeling lucky..

    Best regards
    John Solberg


  • 4.  RE: ClearPass Guest and IOS XE

    Posted Jan 28, 2014 09:59 AM

    Hello!

    Still working on this issue. I've set things up according to the guides for CWA (Centralised Web Access), but I'm not getting past the first MAC-auth (MAB).

    The steps involved:

      First: MAC-Auth resulting in a Cisco:AVPair redirect, and remember cached role/results

      Second: Web Auth

      Third: MAC-Auth using the cached result from the previous step

    Here we never got past the first MAC-Auth due to CP doing Reject instead of Accept.

    Here are some of the errors from the log:

    2014-01-15 13:45:09,524 [Th 21 Req 144 SessId R00000090-01-52d682d5] INFO RadiusServer.Radius - rlm_sql: searching for user 002710793968 in Local:localhost
    2014-01-15 13:45:09,524 [RequestHandler-1-0x7ffcc9568700 r=psauto-1389710650-295 h=127 r=R00000090-01-52d682d5] INFO Core.ServiceReqHandler - Service classification result = Guest - Guest MAC Authentication
    2014-01-15 13:45:09,525 [Th 21 Req 144 SessId R00000090-01-52d682d5] INFO RadiusServer.Radius - rlm_sql: found user 002710793968 in Local:localhost
    2014-01-15 13:45:09,525 [Th 21 Req 144 SessId R00000090-01-52d682d5] INFO RadiusServer.Radius - rlm_macauth: Password in request doesn't match username. Not attempting MAC authentication

    So as far as I can tell ClearPass isn't accepting that Cisco sends User_Password as an encrypted version of the username (MAC address).

    I've read in some Cisco documentation that at least on switches it's possible to activate mab eap to force the User_Password to be sent in cleartext. That could be a solution, but I haven't figured out how to configure that on a WLC v3.3.x

    Any tips on how to proceed?
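The rlm_macauth log line above is the result of a simple comparison: the RADIUS User-Password, once the RFC 2865 hiding is reversed with the shared secret and Request-Authenticator, must equal the User-Name (the client MAC). The following is an added example (not code from the thread or from ClearPass) that reproduces that check with constructed secret and authenticator values, using the MAC from the log as the username.

```python
import hashlib

# Constructed sample values (not from the thread): a RADIUS shared secret and
# a 16-byte Request-Authenticator as carried in the Access-Request header.
SHARED_SECRET = b"example-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: NUL-pad to a multiple of 16,
    then XOR each 16-byte block with MD5(secret + previous ciphertext block),
    the first block using the Request-Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of hide_password (the server side); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def mac_auth_password_matches(username: str, hidden_password: bytes,
                              secret: bytes, authenticator: bytes) -> bool:
    """The check behind 'Password in request doesn't match username':
    the recovered User-Password must be byte-for-byte the User-Name (MAC)."""
    recovered = unhide_password(hidden_password, secret, authenticator)
    return recovered == username.encode()


if __name__ == "__main__":
    mac = "002710793968"  # MAC username taken from the thread's log lines
    ok = hide_password(mac.encode(), SHARED_SECRET, REQUEST_AUTHENTICATOR)
    bad = hide_password(b"cisco", SHARED_SECRET, REQUEST_AUTHENTICATOR)
    print("MAC as password :", mac_auth_password_matches(mac, ok, SHARED_SECRET, REQUEST_AUTHENTICATOR))
    print("other password  :", mac_auth_password_matches(mac, bad, SHARED_SECRET, REQUEST_AUTHENTICATOR))
```

A wrong shared secret on either side produces the same symptom, because the recovered bytes are then random rather than the MAC, so checking the secret is worth doing before changing the NAS's MAB password mode.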



  • 5.  RE: ClearPass Guest and IOS XE
    Best Answer

    Posted Mar 10, 2014 06:03 PM

    Hello!

    We got this working eventually, so I thought I'd just close the thread with some final input.

    At least in 6.2.x, using login-method "Controller initiated" doesn't work towards IOS XE (5760, 3850).

    You need to use login-method "Server initiated", which means CoA. This method is used for wired switches and referenced as MAB or MAC-filtering.

    There is no guide available anywhere that has this described in detail for IOS XE. On the ClearPass side the best guide I've come across is actually created by Alcatel-Lucent:

    http://www.youtube.com/watch?v=gVUUE59ptPI

    Cisco has created its share of guides with 5760 and ISE, but they won't work directly off the bat for ClearPass:

    https://supportforums.cisco.com/document/147096/converged-access-%E2%80%93-configure-ssid-central-web-authentication-cwa-using-ise-catalyst

    That said - I still don't know what setting on Cisco got things working since I wasn't the one troubleshooting that end. We had an Aruba engineer remote control the Cisco WLC and try things back and forth until it worked. It was just too messy to get a final idea of what solved it ;(

    Important notes on the Cisco config

    * If you're not getting past the initial mac-auth to trigger the redirect, try this line highlighted in bold:

    aaa group server radius clearpass_guest
    server name clearpass.domain.com
    subscriber mac-filtering security-mode mac
    !

    * Redirect is triggered, but the client is unable to open the CP page.

    Go through the redirect-acl in detail. This is what worked for us and is a variation of what you find on the Cisco forums:

    ip access-list extended allowclearpass
    deny ip any host <clearpass-ip>
    permit tcp any any
    deny udp any any eq domain
    permit udp any any eq bootpc
    permit udp any eq bootpc any
    permit udp any eq domain any log
    permit udp any any log
    !

    Good luck!