Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass MAC Auth failure due to Policy Cache

  • 1.  Clearpass MAC Auth failure due to Policy Cache

    Posted Jul 24, 2014 09:37 AM

    I am using Aruba Instant and Clearpass Guest to provide guest and staff wireless access.

    Users use the CP Guest captive portal to self-register, then get 30 days seamless access using MAC caching.

     

    The 2 services were based on the standard "Guest MAC Authentication" service template.

     

    All works well. After 30 days, users are shown the captive portal again to re-register. If they register again using the same username the cycle is repeated as expected.

     

    HOWEVER, we are finding if a different username (email address) is used to re-register a particular device, although the initial captive portal login works, the subsequent MAC authentication fails. Consequently, after a period of inactivity, the user is always shown the captive portal login page.

     

    Access Tracker shows the cause of the problem. When Instant passes the MAC address for authentication, Clearpass mistakenly evaluates the status of the PREVIOUSLY REGISTERED USERNAME - which has expired - not the new one.

    Under Request details -> Computer Attributes, the now expired username for that device is being returned.

     

    So where is Clearpass remembering this username against the MAC address? I was expecting this to be an issue with the Endpoint not being updated with the new username. But that is not the case.

     

    If we look in Endpoints -> Attributes, the correct, newly registered username is there. No sign of the old one.

     

    shot1.jpg

     

    I've noticed that if I click the "Clear Cache" button that sometimes appears at the bottom of the Endpoint window, the problem is solved.

     

    So far this is the only workaround. Can anyone suggest something I can change to the services to prevent the old cached username from being returned?

     

    shot2.jpg

     

    shot3.jpg


  • 2.  RE: Clearpass MAC Auth failure due to Policy Cache

    EMPLOYEE
    Posted Jul 24, 2014 10:23 AM

    I could be completely wrong here, but in your MAC caching service, there will be an Enforcement Policy of 'Do Expire'.

     

    You might need to change it to 'Delete and logout'

     

    do_expire.jpg


  • 3.  RE: Clearpass MAC Auth failure due to Policy Cache

    Posted Jul 24, 2014 12:54 PM

    Thanks for the reply. 

     

    There are 2 active services:

     

    1. One that handles MAC authentication for users that have previously logged in.

    2. One that handles the first login from the captive portal (and writes the username and other values to the Endpoint repository).

     

    This "Guest Do Expire" enforcement profile is applied to the second service, but not the first.

     

    Furthermore, it is currently set to %{GuestUser:do_expire}

    But all our accounts have the hidden, enabled field value do_expire set to value 4. So perhaps this has the same effect.

     

    Do you think this might be causing the problem?

     

    Should this profile be applied to the MAC auth service too?



  • 4.  RE: Clearpass MAC Auth failure due to Policy Cache

    EMPLOYEE
    Posted Jul 28, 2014 03:31 AM

    Unfortunately, this question is at the limits of my Clearpass knowledge.

     

    Having said that though, you could try to add the 'do_expire' policy to the mac-auth service.  Easy enough to test by forcing a mac auth, and if there is anything adverse, you can easily remove.

     

    Let me know how it goes.



  • 5.  RE: Clearpass MAC Auth failure due to Policy Cache

    Posted Nov 06, 2014 10:08 AM

    This issue is continuing to plague our regular wireless guests.

     

    If they consistently use the same e-mail address (username) to re-register a device for guest access, the MAC caching works perfectly.

     

    But, if they re-register a device (whose ClearPass guest account has expired after 30 days) using a different e-mail address, MAC caching fails. Somewhere deep in the bowels of the CP database, it won't forget the previously used username. So when it comes to MAC caching it returns the old (expired) account, and won't let a MAC address re-connect.

     

    The result is that some users have to type in their username and p/w after every short period of inactivity.

     

    Only workaround is to manually click "clear cache" in the endpoint for an affected user.

     

    Any help gratefully received!



  • 6.  RE: Clearpass MAC Auth failure due to Policy Cache

    EMPLOYEE
    Posted Nov 06, 2014 10:13 AM

    Is your weblogin service writing the username to the endpoint database?



  • 7.  RE: Clearpass MAC Auth failure due to Policy Cache

    Posted Nov 06, 2014 10:36 AM

    Yes, the correct username (and guest role ID) is written to the endpoint.

    If I check the endpoint I see the correct value for each attribute.

     

    The problem is that when this endpoint reconnects, using a MAC address and the MAC authentication service, the username that is returned is NOT always the username I see in the endpoint attribute list! It is a cached username from when the device was first authenticated.

     

    Of course, most users always use the same username for every 30 day access period, so this is not a problem. But for a user who has used a different username, this is a problem. Their previous username has expired so the cached value that is returned, is not a valid login.

     

    Pulling my hair out here...

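The behaviour described in this post, modelled as an added example that is not part of the thread and not ClearPass code. The account store, endpoint repository and policy cache are plain dicts, and the 30-day lifetime, the MAC address and the usernames are constructed; the rule that MAC auth consults a per-MAC cache written at first authentication before it reads the endpoint record is an assumption chosen to reproduce the symptom (Access Tracker evaluating the old username while the endpoint holds the new one). The model also shows the corresponding fix: invalidate the cache entry for a MAC whenever the weblogin service rewrites that endpoint, which is what the manual "Clear Cache" workaround does by hand.

```python
"""Constructed model of the stale-cache failure discussed in this thread.

Added illustration, not ClearPass code.  The data stores are dicts; the
30-day guest lifetime and the cache-before-endpoint lookup order are
assumptions made to reproduce the reported symptom.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

GUEST_LIFETIME = timedelta(days=30)  # assumption, matching the thread's 30-day cycle


@dataclass
class GuestAccount:
    username: str
    expires_at: datetime


@dataclass
class Fixture:
    accounts: dict = field(default_factory=dict)      # username -> GuestAccount
    endpoints: dict = field(default_factory=dict)     # mac -> endpoint attributes
    policy_cache: dict = field(default_factory=dict)  # mac -> username cached at first auth
    invalidate_on_update: bool = False                # the proposed fix, off by default


def clear_cache(fx, mac):
    """The manual workaround from the thread: drop the cached entry for one MAC."""
    fx.policy_cache.pop(mac, None)


def web_login(fx, mac, username, now):
    """Captive-portal self-registration (the thread's 'first login' service):
    create or renew the guest account and write the username to the endpoint."""
    fx.accounts[username] = GuestAccount(username, now + GUEST_LIFETIME)
    fx.endpoints[mac] = {"Username": username}
    if fx.invalidate_on_update:
        clear_cache(fx, mac)  # same effect as the Clear Cache button, done automatically


def mac_auth(fx, mac, now):
    """MAC caching service.  Returns (accepted, username_that_was_evaluated).

    The modelled defect: the cache is consulted first, so a username cached at
    the device's first authentication shadows the newer endpoint attribute."""
    username = fx.policy_cache.get(mac)
    if username is None:
        username = fx.endpoints.get(mac, {}).get("Username")
        if username is None:
            return False, None
        fx.policy_cache[mac] = username
    acct = fx.accounts.get(username)
    return (acct is not None and acct.expires_at > now), username


def scenario(invalidate_on_update):
    """Replay the thread's sequence of events; return the final MAC-auth result."""
    fx = Fixture(invalidate_on_update=invalidate_on_update)
    mac = "aa:bb:cc:dd:ee:ff"        # constructed
    t0 = datetime(2014, 7, 1, 9, 0)  # constructed

    web_login(fx, mac, "first@example.com", t0)   # constructed usernames
    assert mac_auth(fx, mac, t0 + timedelta(days=1)) == (True, "first@example.com")

    t1 = t0 + timedelta(days=31)     # account expired: the portal is shown again
    assert mac_auth(fx, mac, t1) == (False, "first@example.com")

    web_login(fx, mac, "second@example.com", t1)  # re-register with a different e-mail
    return mac_auth(fx, mac, t1 + timedelta(hours=1))


if __name__ == "__main__":
    print("no invalidation:     ", scenario(False))  # (False, 'first@example.com')
    print("invalidate on update:", scenario(True))   # (True, 'second@example.com')
```

Running the script prints the two outcomes side by side: with the cache left alone the re-registered device is still evaluated against the expired first account and rejected, exactly as Access Tracker shows in the thread; with invalidation on endpoint update the new account is evaluated and accepted.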

  • 8.  RE: Clearpass MAC Auth failure due to Policy Cache

    Posted Nov 06, 2014 12:18 PM

    I THINK your issue might be the number of devices allowed per user

    2014-11-06 12_17_03-ClearPass Policy Manager - Aruba Networks.png

     

    I saw something really similar to this the other day