Contributor I
Posts: 27
Registered: ‎05-20-2013

Clearpass - How to return a CP guest username when using MAC caching

I am using Clearpass 6.2 and Aruba Instant for captive portal wireless guest authentication.

 

The MAC caching feature of Clearpass Authentication works fantastically, and ensures our guests enjoy uninterrupted wireless access from any other sites, until their Clearpass guest login expires. If anyone is using Clearpass without the MAC caching feature and experiencing problems with sessions timing out, or guest users being troubled by excess captive portal reauthentication, I would strongly recommend trying it.

 

One niggle we have with MAC caching is that authenticated users soon appear in the Instant virtual controller as MAC addresses, rather than their original Clearpass guest user name (e-mail address) - because after the initial captive portal login, subsequent RADIUS authentications are just by MAC address.

 

ap.png

as you can see in the bottom 3 users.

The same is true in Clearpass Insight. Bandwidth usage is logged against these mac addresses, not their username.

 

Now, of course, Clearpass Policy Manager is clever enough to match these cached mac addresses to the original username and assign attributes such as username, sponsor, role, etc. And if I look up a MAC address in CPM access tracker, or the endpoint list, I can quickly see the user's e-mail address and other mapped attributes from CP Guest.

 

I'm not an expert with RADIUS, but I'm aware some of these details can be passed back to the controller as part of the RADIUS output. I'm wondering whether it is possible to return the e-mail address username and have Instant, and CP Insight show this instead of the MAC address.

 

cp.png

I've had a go at making an enforcement policy to return the username to a variety of RADIUS attributes.

 

output.png

and in access tracker this appears to be returning values correctly. However, it is having no effect in CP Insight or on the Aruba Instant controller.

 

Does anyone know if this is possible?

 

 

 

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: Clearpass - How to return a CP guest username when using MAC caching

Yes, this is possible with the latest ClearPass revision. I have only done this with controller based deployments, but I think it should also work with Instant. I've done it with the following Enforcement Profile configuration:

 

cp-sponsorname.jpg

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Contributor I
Posts: 27
Registered: ‎05-20-2013

Re: Clearpass - How to return a CP guest username when using MAC caching

Thanks clembo

 

As you can see from my last 2 screenshots, I'm already successfully returning a value to "Radius:IETF:User-name" in my RADIUS output - and that part is working.

 

The problem I have is that in Aruba Instant, and CP Insight, this is still appearing as the MAC address. I'm wondering if there is a different attribute I could use - or a different technique - to achieve this.

Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: Clearpass - How to return a CP guest username when using MAC caching

jharb,

 

What version of Instant code are you running?

 


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 27
Registered: ‎05-20-2013

Re: Clearpass - How to return a CP guest username when using MAC caching

6.2.1.0-3.4.0.1_39461

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Clearpass - How to return a CP guest username when using MAC caching

Would you happen to know the syntax of returning a value that is listed as an attribute under the endpoint?
Guru Elite
Posts: 8,770
Registered: ‎09-08-2010

Re: Clearpass - How to return a CP guest username when using MAC caching

Here's an example of returning the username attached to endpoint record back to the controller:

 

%{Endpoint:Username}

 

You should be able to substitute Username for any of the attributes.

 

endpoint-variable.PNG


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Clearpass - How to return a CP guest username when using MAC caching

I'm experiencing the same issue on a controller running 6.1.3.7.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Guru Elite
Posts: 21,530
Registered: ‎03-29-2007

Re: Clearpass - How to return a CP guest username when using MAC caching


thecompnerd wrote:

I'm experiencing the same issue on a controller running 6.1.3.7.


It requires ArubaOS 6.2 and above...

 

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Aruba
Posts: 1,296
Registered: ‎08-29-2007

Re: Clearpass - How to return a CP guest username when using MAC caching

I have tried this with a controller and it works fine, but not so with the Instants.

 

I see the username being returned in the Radius-accept, but on the instant, it still shows the mac.

 

Instant AP225 - 6.3.1.1-4.0.0.1

 

CPPM - 6.2.0


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com