08-11-2016 01:59 PM
I would like to be able to configure a Web Login page to use my AD Auth Source instead of the Guest repository. Is this possible?
We have an Instant VC with PSK network. We need to get policy from Clearpass based on AD user credentials. 802.1x unfortunatly is not an option. My solution is to configure Captive Portal redirect on the PSK SSID, have the Web Login page (cap portal) auth against AD and then pass back a User Role to the VC.
Maybe I am going about this in the wrong way?
Solved! Go to Solution.
08-11-2016 02:06 PM
I am having a hard time figuring out how to configure the Web Login page. How do I tell it to use the AD Auth source defined in CPPM?
I did configure my 'User Auth with MAC Caching' service with the AD Repository.
I configured the Web Login page 'Pre-Auth Check' to use RADIUS. This does then pass my credentials to CPPM and hits the service. The Service does succesfully Auth me. The Captive Portal Page however returns an error "Login error. Please Retry" and I dont make it past the portal on the device.
What am I missing?
08-11-2016 02:08 PM
Replace the guest user repository with AD
--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.
--Problem Solved? Click "Accepted Solution" in a post.
08-11-2016 02:12 PM
For the pre-auth check, use an application auth and create an app auth service in CPPM. Simple return [Allow Access Profile] for users that are allowed to auth.
After the pre-auth, the web login will submit through the user's browser through the controller and hit your RADIUS enforcement service.
08-11-2016 02:29 PM
I created an App Auth Service but the service is not hit when a pre-auth attempt is made. The pre-auth has virtually nothing listed in the input tab besided a user name... therefor it cant make a match on the App Auth Service...
08-11-2016 02:48 PM
08-11-2016 02:56 PM - edited 08-11-2016 02:58 PM
Getting closer! I get a Success in Access Tracker but I still get the 'Login error. Please Retry' on the device attempting to Auth.
You stated to pass back "Allow Access Profile" in the Service. Since it is an Application service, I was only able to create a "Allow Application Access Profile" Profile. Maybe that is where it is going wrong?
08-11-2016 03:03 PM