Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Clearpass Guest Self register with Cisco switch

Has anyone got ClearPass Guest self-registration to work with a Cisco switch? I have a Cisco 3850 switch doing MAC auth, 802.1X auth and even device registration with CoA just fine. I cannot figure out how to get it to do guest account creation with automatic login.

 

I got it set up so the user gets a downloadable ACL that redirects them to the ClearPass self-registration page. They can create the account just fine, but I get stuck on the next step. In Aruba land ClearPass causes the client to log in to the controller with the new credentials. This does not seem to be an option in Cisco land. The other option seems to be to just have ClearPass send a CoA, which doesn't really help me because they just get the same downloadable ACL that lets them create an account. I could create a link on that page that also allows them to log in. But I am wondering if there is a way to either

 

A> Have the Cisco switch automatically log them in

 

or

 

B> upon account creation have ClearPass update the endpoint in some way. That way the next MAC auth can check the update and see that it needs to be presented with the login menu.

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Guest Self register with Cisco switch

Is your guest self-registration page configured for Cisco in the NAD settings?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: Clearpass Guest Self register with Cisco switch

Make sure you are using a server-initiated login and give the page 25-30 seconds.

The NAD needs to be set to Cisco as a vendor.

You need a web auth service and a MAC auth service.


Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Clearpass Guest Self register with Cisco switch

OK, I forgot about webauth on the switch. I still don't see how it will work.

 

To do the captive portal with a downloadable ACL you need to send back an Access-Accept. If you do that, webauth will not kick in because MAC auth worked. I have MAC auth and 802.1X working. So MAC auth gets an accept with the downloadable ACL, and 802.1X works in the background and either succeeds or times out. I don't see how you are going to get webauth out of the way long enough to do the captive portal and create the guest account, and then get it back in for the auth. That is what the user-initiated re-auth does. But if all you have is controller-initiated CoA as an option, you would have to start webauth first, wait for it to time out, then do MAC auth with redirect, create the account and then start webauth again with a CoA. Unless Cisco can support client-initiated and I am just missing it?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Guest Self register with Cisco switch

Here's how it works:

 

Client connects > switch sends MAC auth > ClearPass sends back a captive portal URL and ACL name

 

Client is redirected, authenticates to the CP Guest portal > CPG triggers a CoA to the switch > client is disconnected > authentication starts again > client passes MAC auth


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Clearpass Guest Self register with Cisco switch

Tim,

 

I got it, and thanks. That is exactly how I got it working for self-registration. Works great.

 

But I am trying to add self "guest account creation" and guest login into the mix. For those two you need the switch to be able to support "client-initiated webauth". So I guess that is my real question...

 

Does anyone know if the 3850 or any Cisco switch will support "client-initiated" webauth?

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Guest Self register with Cisco switch

I'm not really sure what you're asking. All of these things are part of guest self-registration workflow and work with server-initiated.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,307
Registered: ‎07-20-2011

Re: Clearpass Guest Self register with Cisco switch

The switch doesn't need to support it.

The important thing is that the switch is able to allow the redirect, CoA and MAC auth to happen.

When using server-initiated, the request goes through ClearPass, not the switch.
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 19
Registered: ‎06-01-2015

Re: Clearpass Guest Self register with Cisco switch

Tim,

 

I don't see how account creation and login work with server-initiated. Let's take your flow from earlier and modify it for self account creation and login.

---------------------------------------------------------------------------------------------------------------------------------------------------

Client connects > switch sends MAC auth > ClearPass sends back a captive portal URL and ACL name

 

Client is redirected, creates guest account via CP Guest portal > CPG triggers a CoA to the switch > client is disconnected > MAC auth happens again and they end up at the same portal

------------------------------------------------------------------------------------------------------------------------------------------------

You see, since we did not register them, there is nothing to trigger a different MAC auth option. So let's add a "login" link on the same portal.

 

Now they can log in with the created account, and the login gets authenticated in ClearPass, but there are two issues. Since no endpoint did the webauth, ClearPass cannot distinguish the request. Since no endpoint did the webauth, ClearPass cannot pass back a different VLAN or ACL. You need some endpoint to do the webauth. How it works on the wireless side is this.

 

----------------------------------------------------------------------------------------------------------------------------------------------------

Client connects > switch sends MAC auth > ClearPass sends back a captive portal URL and ACL name

 

Client is redirected, creates account on CP Guest portal > CPG triggers client to webauth with controller > controller does webauth and is handed a new role from ClearPass.

 

 

You can have a redirect URL point them at the login page and they can log in. But the request does not come from a

Guru Elite
Posts: 8,759
Registered: ‎09-08-2010

Re: Clearpass Guest Self register with Cisco switch


The self-registration workflow has two components: the registration itself, and the weblogin. I'm failing to understand how these scenarios differ in your environment.

 

If you're a NEW device without an active account, you get redirected to the captive portal. Here you can either register for a new account or log in with an existing account.

 

- If you register for a new account, you go through the registration process, then click login, which does a local authentication check and then proceeds to issue a CoA to the switch.

 

- If you click login, you enter your credentials, click login, a local authentication check is performed and then a CoA is issued to the switch.

 

If you need assistance getting this set up, please reach out to your Aruba partner.

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
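The server-initiated flow described in the replies above (MAC auth returns a redirect and an ACL name, the guest portal checks the credentials itself and sends a CoA, the re-run MAC auth then sees a Known endpoint) as a toy Python model. This is an added example written for this page, not ClearPass or Cisco code. The portal URL, ACL name, VLAN id, the `Cisco-AVPair` values and the way the client MAC and NAS IP are carried in the redirect query string are assumptions of the model; the point it illustrates is that no client-side webauth is needed, because what changes between the two MAC-auth rounds is the endpoint record on the server.

```python
"""Toy model of the ClearPass side of a server-initiated guest login on a Cisco switch.
Added example, not vendor code. Flow modelled:
  1. MAC auth for an Unknown endpoint -> Access-Accept with url-redirect + url-redirect-acl.
  2. The redirect URL carries the client MAC and NAS IP (assumption), so the portal knows
     which endpoint sits behind the browser session.
  3. Guest registers/logs in; portal verifies locally, marks the endpoint Known, sends CoA.
  4. The switch re-runs MAC auth; the Known endpoint now gets the guest VLAN, not a redirect.
All names, addresses and attribute values below are hypothetical.
"""
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

PORTAL_URL = "https://clearpass.example.com/guest/guest_register.php"  # hypothetical
REDIRECT_ACL = "ACL-WEBAUTH-REDIRECT"  # hypothetical ACL pre-defined on the switch
GUEST_VLAN = "200"                     # hypothetical guest VLAN id


def normalize_mac(mac: str) -> str:
    """Canonical aa:bb:cc:dd:ee:ff so lookups match however the NAS formats the MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"      # "Known" once a guest has authenticated on the portal
    username: Optional[str] = None


@dataclass
class CoaRequest:
    nas_ip: str
    mac: str
    command: str                 # e.g. Cisco "subscriber:command=reauthenticate"


class ClearPassSim:
    def __init__(self) -> None:
        self.endpoints: Dict[str, Endpoint] = {}
        self.guest_accounts: Dict[str, str] = {}  # username -> password (plaintext: toy only)
        self.coa_sent: List[CoaRequest] = []

    def mac_auth(self, mac: str, nas_ip: str) -> dict:
        """MAC auth service: Unknown -> redirect attributes; Known -> guest VLAN."""
        mac = normalize_mac(mac)
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        if ep.status == "Known":
            return {"code": "Access-Accept", "Tunnel-Private-Group-ID": GUEST_VLAN,
                    "Cisco-AVPair": []}
        # MAC and NAS IP ride along in the redirect so the portal can tie the browser
        # session back to this endpoint without any client-side webauth.
        redirect = PORTAL_URL + "?" + urlencode({"mac": mac, "nas_ip": nas_ip})
        return {"code": "Access-Accept",
                "Cisco-AVPair": [f"url-redirect-acl={REDIRECT_ACL}", f"url-redirect={redirect}"]}

    def register(self, username: str, password: str) -> None:
        """Self-registration: create the guest account (sponsor/approval steps omitted)."""
        self.guest_accounts[username] = password

    def portal_login(self, redirect_url: str, username: str, password: str) -> bool:
        """Server-initiated login: verify locally, mark endpoint Known, send CoA to the NAS."""
        query = parse_qs(urlparse(redirect_url).query)
        mac = normalize_mac(query["mac"][0])
        nas_ip = query["nas_ip"][0]
        stored = self.guest_accounts.get(username)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return False                       # bad credentials: no endpoint change, no CoA
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        ep.status, ep.username = "Known", username
        self.coa_sent.append(CoaRequest(nas_ip, mac, "subscriber:command=reauthenticate"))
        return True


def redirect_url_from(reply: dict) -> Optional[str]:
    """Return the url-redirect value from an Access-Accept, or None if there is none."""
    for avp in reply.get("Cisco-AVPair", []):
        if avp.startswith("url-redirect="):
            return avp.split("=", 1)[1]
    return None


def run_guest_flow(cp: ClearPassSim, mac: str, nas_ip: str, user: str, pw: str) -> List[str]:
    """Drive one client through the whole flow and return the sequence of outcomes."""
    steps = []
    redirect = redirect_url_from(cp.mac_auth(mac, nas_ip))
    steps.append("redirect" if redirect else "vlan")
    if redirect:
        cp.register(user, pw)
        steps.append("login-ok" if cp.portal_login(redirect, user, pw) else "login-fail")
        # The switch reacts to the CoA by re-running MAC auth for the same client.
        steps.append("redirect" if redirect_url_from(cp.mac_auth(mac, nas_ip)) else "vlan")
    return steps
```

A failed portal login leaves the endpoint Unknown and sends no CoA, so the client simply stays on the redirect ACL; only a successful local check flips the record and triggers the re-authentication.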