Security

Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

ClearPass MAC Caching using ActiveDirectory as the Authentication Source

I need some help setting up MAC Caching in Clearpass for our Captive Portal authenticated SSID that is used to provide BYOD access for our Students.


I am using our Active Directory as the Authentication Source rather than the TIPS Guest user database.

 

I have managed to get everything to work but the authentication for the cached MAC address.
It looks to me like an Authorization problem rather than an Authentication problem, as the MAC address is found and authenticated but there is no value found for the endpoint username.

 

It looks like the WEB_Login MAC-GUEST-Check is either not being properly updated or referenced. The Request Detail shows an alert #206: “Failed to get value for attributes=[UserName].”

 

When I examine the MAC-GUEST-CHECK Authorization source there is a filter to set the UserName. The query for the filter is

 

SELECT user_id as guest_device_user FROM tips_guest_users WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard') AND (enabled = 't') AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP)))

 

I think I need to edit this filter query so that it looks in the Active Directory as opposed to tips_guest_users, but I am not sure how to structure the filter.

Guru Elite
Posts: 8,451
Registered: ‎09-08-2010

Re: ClearPass MAC Caching using ActiveDirectory as the Authentication Source


Are you writing the AD username to the endpoint database after successful AD authentication in your web login service?

 

Your best bet is to use the built in service templates to create the services and then just modify the authentication sources.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

Hi Tim,

 

I did use the built-in service templates to create the services. I then added my AD authentication sources but, for the time being, left the default local source in place as well for testing. Using a Guest account from the local Guest database, everything works perfectly. The initial Web login for the AD accounts works, but the authentication against the cached MAC address fails.

 

It looks like the AD username is being written to the endpoint database after successful AD authentication. I see the correct username both as an attribute and in the policy cache when I look at the endpoint.

 

My feeling is that the filter query in my original post needs to be edited somehow.

 

Cheers,

MVP
Posts: 226
Registered: ‎03-03-2011

Re: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

I created the following filter on my AD authentication source:

 

ad_filter.JPG

 

This looks up the Username stored in the Endpoint database against the sAMAccountName field in AD and records the memberOf attribute (the groups it belongs to) into a new attribute called endpoint-memberof. You can then use this to write group-matching rules on the MAC authentication service.

However, as Tim said, you need to make sure the Username is added to the Endpoint database.

David
ACDX #98 | ACMP | ACCP
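Worked example (added here; it is not ClearPass code and not part of David's post). It simulates in Python the lookup his AD filter performs: take the username cached on the endpoint (the `%{Endpoint:Username}` value), build an AD search filter on sAMAccountName, fetch the matching user's memberOf values as an "endpoint-memberof" attribute, and evaluate a group rule of the kind a MAC authentication service would use. The directory entries, account names and group DNs are constructed for the example; sAMAccountName, memberOf and objectClass are standard AD attributes. The RFC 4515 escaping is included because the filter value comes from a database field rather than from the user's typed credentials; whatever ClearPass does internally, a value containing `)` or `*` must not be allowed to change the shape of the filter.

```python
"""Simulated ClearPass-style AD authorization lookup keyed on Endpoint:Username.

Added example, not ClearPass code. Directory contents below are constructed.
"""

# Constructed sample directory standing in for what AD would return.
AD_ENTRIES = [
    {
        "sAMAccountName": "jsmith",
        "objectClass": ["top", "person", "user"],
        "memberOf": [
            "CN=Students,OU=Groups,DC=example,DC=edu",
            "CN=BYOD-Allowed,OU=Groups,DC=example,DC=edu",
        ],
    },
    {
        "sAMAccountName": "svc-print",
        "objectClass": ["top", "person", "user"],
        "memberOf": ["CN=Service-Accounts,OU=Groups,DC=example,DC=edu"],
    },
]

# RFC 4515 filter-value escapes: backslash, star, parentheses, NUL.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it can be embedded in an LDAP search filter safely."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(endpoint_username: str) -> str:
    """AD filter keyed on the endpoint's cached username (assumed filter shape)."""
    return f"(&(sAMAccountName={ldap_escape(endpoint_username)})(objectClass=user))"


def lookup_user(endpoint_username: str):
    """Return the one AD user whose sAMAccountName matches, else None.

    AD compares sAMAccountName case-insensitively, hence casefold().
    An empty username is the alert #206 situation: nothing to look up.
    """
    if not endpoint_username:
        return None
    wanted = endpoint_username.casefold()
    matches = [
        e for e in AD_ENTRIES
        if e["sAMAccountName"].casefold() == wanted and "user" in e["objectClass"]
    ]
    return matches[0] if len(matches) == 1 else None


def endpoint_memberof(endpoint_username: str) -> list:
    """The 'endpoint-memberof' attribute the filter populates: memberOf of the match, or []."""
    entry = lookup_user(endpoint_username)
    return list(entry["memberOf"]) if entry else []


def mac_auth_allowed(endpoint_username: str, required_group_dn: str) -> bool:
    """Group-matching rule for the MAC auth service: require one specific group DN."""
    groups = {g.casefold() for g in endpoint_memberof(endpoint_username)}
    return required_group_dn.casefold() in groups


if __name__ == "__main__":
    print(build_filter("jsmith"))
    print(endpoint_memberof("jsmith"))
    print(mac_auth_allowed("jsmith", "CN=BYOD-Allowed,OU=Groups,DC=example,DC=edu"))
```

The empty-username branch is the case the original poster hit: if the web login service never writes the AD username to the endpoint record, the MAC authentication service has nothing to key the AD lookup on, so no memberOf values come back and any group rule fails regardless of how the filter itself is written.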
Frequent Contributor II
Posts: 149
Registered: ‎04-20-2009

Re: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

Thanks,

 

This has pointed me in the right direction.

I did the following and so far it seems to be working.

 

SELECT Username as guest_device_user FROM auth WHERE ((Status = 'USER') AND (Username = '%{Endpoint:Username}'))

 

 

Contributor II
Posts: 58
Registered: ‎04-29-2014

Re: ClearPass MAC Caching using ActiveDirectory as the Authentication Source


Sorry to bump, but I am trying to do the exact same thing and don't understand how to do it... What is the "auth" table in your filter?

 

EDIT : Used dg27's solution and it worked. Thanks.
