Security

Reply
New Contributor

Clearpass + WLC + Eduroam + AUP/Captive Portal

Hi all,

 

I've already emailed my local SE, but figured I'd post here to see if any airheads have any quick ideas;

 

My client wants their students to accept their AUP on a yearly basis. My original thought was over an open Guest SSID and use an endpoint attribute flag when the agreement has been accepted and when it needs to be re-accepted. Easy.

 
Then they mentioned that they were looking to do this all over EDUROAM. Now, I’m new to EDUROAM but quickly found that it is essentially 802.1X authentication over its own federated RADIUS servers, etc. Students can visit other institutions that are not their primary institution and log into the EDUROAM SSID using the credentials of their home institution.
 
This kind of threw a wrench into the idea due to 802.1X, and authentication happening at L2. The only potential idea I had would be to use a conditional web redirect on the WLC, redirecting the client to the AUP page if they haven’t accepted, or allowing them through if they have. Some of you probably know conditional web redirects are common when doing single-SSID onboarding (auth type = PEAP -> send to onboarding page), and works with 802.1X SSIDs as well.
 
I'm curious if layering a conditional web redirect onto the EDUROAM SSID would be a workable solution or if this would cause issues with EDUROAM. I've read that some institutions use EDUROAM as their primary secure wireless network and so some advanced policy capability has to be possible within the EDUROAM framework. Unfortunately I am new EDUROAM, and don't have the resources in which to test this at the moment.
 
Any thoughts/suggestions are welcome. Thanks.
Tim Friesen
ACMP, ACCP, CWNA/DP/SP/AP
Guru Elite

Re: Clearpass + WLC + Eduroam + AUP/Captive Portal

This is a fairly common scenario. You'd just add a rule to the service handling the eduroam local users (the university) that checks the endpoint for a timestamp to see if the current date is greater than it. Then put the user into a captive portal role, have them accept the terms, stamp a new now + 1 year timestamp to the endpoint.

 

What vendor is the WLC?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: Clearpass + WLC + Eduroam + AUP/Captive Portal

That's pretty much exactly what I thought.

 

Vendor on the WLC is Cisco.

 

Thanks for the confirmation Tim!

New Contributor

Re: Clearpass + WLC + Eduroam + AUP/Captive Portal

One additional comment... Eduroam has some restrictions on what they want you doing with visiting users, so if you do start integrating captive portals and redirects, etc, make sure to only do it to *your* users.

 

 

New Contributor

Re: Clearpass + WLC + Eduroam + AUP/Captive Portal

Thanks Bogenbroom.

 

I sort of gathered that based on Tim's reply, but that's good to know definitively.

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: