02-15-2013 06:39 AM
Consider the scenario where a Clearpass Guestconnect server is authenticating self-registering guests locally, and then backing off "unknown" user login attempts to an external active directory or radius proxy back-end. I've already got this working, but hit a couple of challenges.
Also note quite importantly that we're making use of mac-caching in this case, and limiting the device count to 1 per user.
When an AD user connects, they authenticate into AD just fine. In addition, a mac-cache device gets added (good so far). The AD user themselves however, is not added dynamically to the local user account list. As a consequence of this, if the user turns off their device, and then later connects another device using the same AD credentials (assuming the active session has timed-out), they can "work-around" the device limit we've imposed on the system of 1.
Does anybody know if there is a function to have Clearpass Guestconnect automatically "inherit" or "import" a user account when it leverages an external/back-end server? I can't think of a reason this wouldn't be feasible, as the password is carried by PAP in this case?
Also, for more kudos, is there a way to stop Clearpass backing off the mac-auth attempts to a back-end/external server? I.e. the mac-auth is key to the mac-caching obviously, but ideally you only want these to be processed by Clearpass, and not handed off (as it appears to do when an external server is added).
Any thoughts please?
02-19-2013 05:46 AM - edited 02-19-2013 05:49 AM
Assuming you have a different SSID for guest vs. Corporate users, split the service into two services that have different rules based on the SSID they come from:
In addition, you can check to see if it is an incoming mac authentication by comparing the Client-mac-address to username by using rule #2 below:
I am QUITE sure that I did not answer all of your questions, but I still want to give you a direction.
Aruba Customer Engineering
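The two ideas in the reply above (tell a MAC-auth request apart from a user login by comparing the client MAC to the username, and keep such requests away from the external back-end) and the device-limit gap raised in the original question can both be expressed as small checks. The following is an added Python illustration, not ClearPass code or anything from Aruba; the request dictionaries, the MAC-cache entries, the SSID names and the source names "Local Guest Users" / "External AD" are all constructed assumptions for the example.

```python
import re

# Constructed sample RADIUS requests (attribute -> value); not real captures.
# Calling-Station-Id is the standard RADIUS attribute carrying the client MAC.
SAMPLE_REQUESTS = [
    {"User-Name": "00-11-22-AA-BB-CC", "Calling-Station-Id": "00-11-22-AA-BB-CC", "SSID": "Guest"},
    {"User-Name": "0011.22aa.bbcc",    "Calling-Station-Id": "00:11:22:aa:bb:cc", "SSID": "Guest"},
    {"User-Name": "jsmith",            "Calling-Station-Id": "00:11:22:AA:BB:CC", "SSID": "Corp"},
]

# Constructed MAC-cache entries: one account with two cached devices (assumed format).
SAMPLE_MAC_CACHE = [
    {"username": "jsmith",  "mac": "00:11:22:aa:bb:cc"},
    {"username": "jsmith",  "mac": "66-77-88-99-AA-BB"},
    {"username": "guest42", "mac": "aabb.ccdd.eeff"},
]


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if the value is not a MAC.

    Accepts the common colon, dash and Cisco dotted formats so that a
    User-Name written one way still matches a Calling-Station-Id written another.
    """
    if re.sub(r"[0-9a-fA-F:\-.]", "", value):
        return None  # contains characters that never appear in a MAC
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", value)
    if len(hexdigits) != 12:
        return None
    return hexdigits.lower()


def is_mac_auth(request):
    """True when the username is the client's own MAC, i.e. a MAC-auth request."""
    user = normalize_mac(request.get("User-Name", ""))
    client = normalize_mac(request.get("Calling-Station-Id", ""))
    return user is not None and client is not None and user == client


def choose_auth_sources(request):
    """Which authentication sources to consult, in order (assumed names).

    MAC-auth requests are answered locally only, so they are never forwarded to
    the AD / RADIUS proxy back-end; everything else is split by SSID as the reply suggests.
    """
    if is_mac_auth(request):
        return ["Local Guest Users"]
    if request.get("SSID") == "Guest":
        return ["Local Guest Users"]
    return ["Local Guest Users", "External AD"]


def devices_over_limit(mac_cache, limit=1):
    """Accounts whose distinct cached MACs exceed the per-user device limit.

    This is the audit check for the work-around described in the question: an
    AD user that never became a local account can still accumulate cached devices.
    """
    seen = {}
    for entry in mac_cache:
        mac = normalize_mac(entry["mac"])
        if mac is not None:
            seen.setdefault(entry["username"], set()).add(mac)
    return {user: sorted(macs) for user, macs in seen.items() if len(macs) > limit}


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["User-Name"], "mac-auth" if is_mac_auth(req) else "user-auth", choose_auth_sources(req))
    print("over limit:", devices_over_limit(SAMPLE_MAC_CACHE))
```

The normalisation step matters more than it looks: a rule that compares the raw strings will miss a MAC-auth request whenever the NAS formats the username and the Calling-Station-Id differently, and the request then falls through to the external server exactly as the question describes.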
02-21-2013 12:28 AM
I probably should have mentioned (sorry), that in this case, it's Clearpass GC 3.9 (Amigopod original looking).
Basically, this is because it's the Dell OEM version in use, and this is their most current version they (or rather you) port. I'm having some dialogue with Dell and Aruba TAC guys about where we ought to go with this next!