Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass guest access portal - MAB - web authentication

  • 1.  Clearpass guest access portal - MAB - web authentication

    Posted Sep 20, 2013 01:21 AM

    Hi Guys,

     

    We are implementing guest access to our wired network. So, we have configured 802.1x and MAB (MAC address bypass authentication) on the switch ports to authenticate the users connecting to them.

    So, if a user connects to a switchport and fails both 802.1x and MAB, he is treated as a guest user and should be given the ClearPass guest portal web login page (to create his own account to log in).

    Normally in Cisco ISE, we have an option to use 'If user_not_found in MAB, ISE will not fail MAB; rather it will send the redirect URL (of the ISE guest portal) to the switch to ask the user to log in to the guest portal page'. (You could refer to page 4 of the attached document.)

    So, in ClearPass, do we have an option like 'If the user is failing MAB, ClearPass sends the redirect URL to the switch to make the user log in to the ClearPass guest portal'? I don't find one, because if he is failing MAB, the only option we're left with is to use the switch's internal web page (web-auth, the fallback method for MAB).

    Does any service/enforcement policy need to be created to accomplish this? Please help.

     

    Thanks,
    Bharani.....

     

    Attachment(s)



  • 2.  RE: Clearpass guest access portal - MAB - web authentication
    Best Answer

    EMPLOYEE
    Posted Sep 20, 2013 01:46 AM

    Yes, you can send back an ACL with a URL redirect, along with a VLAN, in your MAC auth service for unknown devices.

    Sample ACL

    [image: ciscoredirect.png]

    Sample enforcement

    [image: ciscomab.png]



  • 3.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 20, 2013 02:00 AM

    Hi Troy,

     

    Thank you for the quick answer. But this enforcement policy and these profiles will be applied only when the client is being authenticated by any one of the authentication sources, right?

    Because in our case, the new user will not be getting authenticated by either guest_user_repository or any other source. So, eventually we're getting a MAC AUTH TEST failure (user not found) and the policies are not enforced.

    But the requirement is that even though the user's MAC address is not known by ClearPass, it should be sending the ACL and redirect to the switch, which is not happening in our case :(

    What authentication source should I use in this case? How do I proceed with this?

     

    Thanks,

    Bharani.....



  • 4.  RE: Clearpass guest access portal - MAB - web authentication
    Best Answer

    EMPLOYEE
    Posted Sep 20, 2013 02:18 AM

    When the user fails .1x the device will be authenticated with MAB, and instead of sending a reject you can catch all unknown devices and put them to the captive portal.

    You can use the endpoints database as an auth source and use the guest user/device repositories as an authorization source for the role mapping.

    Here are a few screenshots. You can work with your local SE and he can show you an example in our lab.

    [image: ciscoguest3.png]

    [image: ciscoguest1.png]

    [image: ciscoguest2.png]



  • 5.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 20, 2013 06:37 AM

    Hi Troy,

     

    I think this is exactly what I'm looking for! I'll give this a try on Monday and let you know the result.

     

     

    Thanks,

    Bharani...



  • 6.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Jun 18, 2019 06:40 AM

    Hi Bharani,

    I have the same issue as you mentioned. I just built the environment with a Cisco switch and ClearPass for web authentication. Following the advice, I set the authentication method to "allow all mac auth" so that unknown MACs continue on to web-auth, but the switch does not receive the redirect URL. It seems just like the MAB authentication passes.

    Do I miss some configuration on ClearPass? Thanks

    Switch result:

    bogon#show authentication sessions interface GigabitEthernet0/20
    Interface: GigabitEthernet0/20
    MAC Address: 089e.019e.ccfe
    IP Address: 10.10.51.129
    User-Name: 089e019eccfe
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-auth
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Policy: N/A
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A0A33CD000000AD01EB0EE4
    Acct Session ID: 0x00000094
    Handle: 0x030000AE

    Runnable methods list:
    Method State
    mab Authc Success



  • 7.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Dec 25, 2019 02:10 AM

    @mikek wrote:

    Hi Bharani,

    I have the same issue as you mentioned. I just built the environment with a Cisco switch and ClearPass for web authentication. Following the advice, I set the authentication method to "allow all mac auth" so that unknown MACs continue on to web-auth, but the switch does not receive the redirect URL. It seems just like the MAB authentication passes.

    Do I miss some configuration on ClearPass? Thanks

    Switch result:

    bogon#show authentication sessions interface GigabitEthernet0/20
    Interface: GigabitEthernet0/20
    MAC Address: 089e.019e.ccfe
    IP Address: 10.10.51.129
    User-Name: 089e019eccfe
    Status: Authz Success
    Domain: DATA
    Security Policy: Should Secure
    Security Status: Unsecure
    Oper host mode: multi-auth
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Policy: N/A
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: 0A0A33CD000000AD01EB0EE4
    Acct Session ID: 0x00000094
    Handle: 0x030000AE

    Runnable methods list:
    Method State
    mab Authc Success

    Hi Mikek,

    Did you get to make this work? Running into a similar issue here.



  • 8.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 22, 2013 05:03 AM

    Hi Troy,

     

    Yes, I've tested your settings; I can authenticate myself successfully even when the authentication source is none. Just a small question: when we add in the authorization source, do we need to add in all these 4 provided by you? Or do we just need to add in endpoint plus guest device repo?

    *Mar 5 04:32:44.985: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
    *Mar 5 04:32:44.985: %AUTHMGR-5-START: Starting 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
    *Mar 5 04:32:45.027: %MAB-5-SUCCESS: Authentication successful for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
    *Mar 5 04:32:45.027: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
    *Mar 5 04:32:46.067: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511

    Shawn
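Two kinds of switch evidence appear in this thread: the `show authentication sessions interface` output in Mike's post (MAB reported "Authz Success" for an unknown MAC, with no redirect visible) and the `%AUTHMGR` / `%MAB` syslog lines in Shawn's post. The script below is an added example, not ClearPass or Cisco tooling and not code from anyone in the thread. It parses both formats and flags the exact symptom Mike hit: a MAB-authorised session for a MAC that is not in your known-endpoint list and that carries no URL redirect. It assumes IOS prints `URL Redirect ACL:` and `URL Redirect:` lines in the session output when a redirect was applied (the constructed `SHOW_SESSION_REDIRECT` variant models that); the sample text is copied from the thread, and the known-MAC set is whatever you export from the ClearPass endpoint database.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Sample "show authentication sessions interface" output (copied from the thread above).
SHOW_SESSION = """\
Interface: GigabitEthernet0/20
MAC Address: 089e.019e.ccfe
IP Address: 10.10.51.129
User-Name: 089e019eccfe
Status: Authz Success
Domain: DATA
Authorized By: Authentication Server
Vlan Policy: N/A
Session timeout: N/A
Idle timeout: N/A
Common Session ID: 0A0A33CD000000AD01EB0EE4
Handle: 0x030000AE

Runnable methods list:
Method State
mab Authc Success
"""

# Constructed variant of the same session with the two lines IOS prints when a
# url-redirect / url-redirect-acl pair was applied (assumed output format).
SHOW_SESSION_REDIRECT = SHOW_SESSION.replace(
    "Handle: 0x030000AE",
    "Handle: 0x030000AE\nURL Redirect ACL: Onboard-ACL\nURL Redirect: https://cppm.example.test/guest/portal.php",
)

# Syslog lines in the %AUTHMGR / %MAB format posted above (copied from the thread).
SYSLOG = [
    "*Mar 5 04:32:44.985: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511",
    "*Mar 5 04:32:44.985: %AUTHMGR-5-START: Starting 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511",
    "*Mar 5 04:32:45.027: %MAB-5-SUCCESS: Authentication successful for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511",
    "*Mar 5 04:32:45.027: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511",
    "*Mar 5 04:32:46.067: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511",
]

SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+): .*?"
    r"client \((?P<mac>[0-9a-fA-F.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)


def normalize_mac(mac: str) -> str:
    """089e.019e.ccfe -> 089e019eccfe so MACs compare regardless of notation."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def parse_session(text: str) -> Dict[str, object]:
    """Turn the key: value block plus the 'Runnable methods list' table into a dict."""
    session: Dict[str, object] = {"methods": {}}
    in_methods = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Runnable methods list"):
            in_methods = True
        elif in_methods:
            if not line.startswith("Method"):
                name, _, state = line.partition(" ")
                session["methods"][name] = state.strip()
        elif ":" in line:
            key, _, value = line.partition(":")
            session[key.strip()] = value.strip()
    return session


def audit_session(session: Dict[str, object], known_macs: Set[str]) -> List[str]:
    """Flag the symptom from the thread: MAB authorised an unknown MAC with no redirect."""
    findings: List[str] = []
    mac = normalize_mac(str(session.get("MAC Address", "")))
    methods = session["methods"]
    mab_ok = str(methods.get("mab", "")).startswith("Authc Success")
    has_redirect = "URL Redirect" in session or "URL Redirect ACL" in session
    if mab_ok and mac not in known_macs and not has_redirect:
        findings.append("unknown-mac-authorized-without-redirect")
    if session.get("Session timeout", "N/A") == "N/A":
        findings.append("no-session-timeout")
    return findings


def parse_syslog(line: str) -> Dict[str, str]:
    """Extract facility/mnemonic, MAC, interface and AuditSessionID from one IOS log line."""
    m = SYSLOG_RE.search(line)
    if not m:
        return {}
    event = m.groupdict()
    event["mac"] = normalize_mac(event["mac"])
    return event


def trace_by_session(lines: List[str]) -> Dict[str, List[str]]:
    """Group events by AuditSessionID to see the dot1x -> mab -> authz sequence per port session."""
    trace: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        event = parse_syslog(line)
        if event:
            trace[event["sid"]].append(f"{event['facility']}-{event['mnemonic']}")
    return dict(trace)


if __name__ == "__main__":
    sess = parse_session(SHOW_SESSION)
    print(sess["MAC Address"], audit_session(sess, known_macs=set()))
    print(trace_by_session(SYSLOG))
```

Run against the thread's own output, `audit_session` reports both `unknown-mac-authorized-without-redirect` and `no-session-timeout`, which is the "MAB just passes" state Mike described; the same session with the redirect lines present only reports the missing session timeout. The syslog grouping is what you want to look at next when the session view looks wrong, because `%AUTHMGR-5-SUCCESS` (authorization) arriving without a preceding `%MAB-5-SUCCESS` tells you the port authorised from a different method than you expected.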



  • 9.  RE: Clearpass guest access portal - MAB - web authentication

    EMPLOYEE
    Posted Sep 22, 2013 05:20 AM

    It all depends on whether you are doing time or bandwidth restrictions.

    It's not required, but I'm using the Insight and endpoints database for post-auth checks.



  • 10.  RE: Clearpass guest access portal - MAB - web authentication

    EMPLOYEE
    Posted Sep 20, 2013 02:41 AM

    Bharani,

     

    You can clone the MAC auth authentication method and in your copy you can enable "Allow Unknown End-Hosts".



  • 11.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 20, 2013 06:38 AM

    HI Joseph,

     

    Thanks for your reply. I'll get back to you on Monday.



  • 12.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 22, 2013 02:17 AM

    Hi Troy,

     

    Could you share the Cisco config that you used to get this working? Also, is this functionality supported in IOS 12.2+, or do you need version 15+?

     

    Thanks!

     

    -Mike



  • 13.  RE: Clearpass guest access portal - MAB - web authentication

    EMPLOYEE
    Posted Sep 22, 2013 03:35 AM

    Min version is 12.2

    ########Apply this to your switch###########

    aaa new-model
    !
    aaa authentication dot1x default group radius local
    aaa authorization network default local group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    !
    !
    aaa server radius dynamic-author
     client 10.xx.xx.xxx server-key 0 test123
     port 3799
     auth-type all
    !
    aaa session-id common
    vtp mode transparent
    ip routing
    ip domain-name arubademo.net
    ip name-server 10.xx.xx.xxx
    ip name-server 10.xx.xx.xxx
    !
    !
    ip device tracking
    !
    !
    dot1x system-auth-control
    !
    !
    !
    !
    vlan 201
    !
    !
    !
    !
    interface Vlan1
     ip address <vlan1_provided_ipaddr> 255.255.248.0
    !
    interface Vlan200
     description "user_vlan"
     ip address <vlan200_provided_ipaddr> 255.255.254.0
    !
    interface Vlan201
     description "quarantine_vlan"
     ip address <vlan201_provided_ipaddr> 255.255.254.0
    !
    ip route 0.0.0.0 0.0.0.0 10.xx.xx.1
    ip classless
    ip http server
    ip http secure-server
    !
    !
    ip access-list extended Onboard-ACL 
     deny   tcp any 216.115.208.0 0.0.15.255
     deny   tcp any 216.219.112.0 0.0.15.255
     deny   tcp any 66.151.158.0 0.0.0.255
     deny   tcp any 66.151.150.160 0.0.0.31
     deny   tcp any 66.151.115.128 0.0.0.63
     deny   tcp any 64.74.80.0 0.0.0.255
     deny   tcp any 202.173.24.0 0.0.7.255
     deny   tcp any 67.217.64.0 0.0.31.255
     deny   tcp any 78.108.112.0 0.0.15.255
     deny   tcp any 206.183.100.0 0.0.7.255
     deny   tcp any 68.64.0.0 0.0.31.255
     deny   tcp any 173.199.0.0 0.0.63.255
     deny   tcp any 103.15.16.0 0.0.3.255
     deny   tcp any 180.153.30.0 0.0.1.255
     permit tcp any any
    !
    !
    radius-server host 10.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 0 test123
    radius-server vsa send authentication
    !
    !
    ntp clock-period 36029439
    ntp server 10.xx.xxx.101
    
    ##############Apply this to your uplink interface (replace X/X/X below)#################
    
    interface FastEthernetX/X/X
     description "Uplink to test Lab" 
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 1,200,201
     switchport mode trunk
     spanning-tree portfast trunk
    
    ##############Apply this to your user interfaces (replace X/X/X below)#################

    interface FastEthernetX/X/X
     switchport access vlan 200
     switchport mode access
     authentication event no-response action authorize vlan 201
     authentication host-mode multi-auth
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication timer reauthenticate server
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 20
     dot1x timeout supp-timeout 20
     dot1x max-reauth-req 1
     spanning-tree portfast

     



  • 14.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 25, 2013 02:15 PM

    Troy,

     

    One more question about your configuration. You have the following line set on the interface:

     

    authentication timer reauthenticate server

     

    How are you sending back the reauthentication timer from Clearpass to the server? I'm doing something similar right now, so just curious.

     

    Thanks!

     

    -Mike



  • 15.  RE: Clearpass guest access portal - MAB - web authentication

    EMPLOYEE
    Posted Sep 25, 2013 05:15 PM

    In the enforcement you change the Session-Timeout. For example, in this one I changed it to 3600 sec, which is every hour.

    [image: sessiontimout.png]
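Troy's replies describe the enforcement in terms of ClearPass screens: a VLAN plus a Cisco URL-redirect ACL for unknown endpoints (reply 2) and a Session-Timeout so the port re-authenticates (reply 15). The script below is an added example, not ClearPass code and not from anyone in this thread, that builds the RADIUS Access-Accept such an enforcement profile produces on the wire and then decodes and verifies it the way the switch must, so you can see which attributes carry each setting. Attribute numbers come from RFC 2865/2868 and Cisco's `cisco-avpair` VSA (vendor 9, subtype 1); VLAN 201, the ACL name `Onboard-ACL` and the key `test123` are taken from the switch config Troy posted earlier; the portal URL, packet ID and Request Authenticator are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

ACCESS_ACCEPT = 2
# Attribute types from RFC 2865 / RFC 2868 and the Cisco VSA namespace.
VENDOR_SPECIFIC, SESSION_TIMEOUT, TERMINATION_ACTION = 26, 27, 29
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; the length octet counts the two header octets too."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_avp(attr_type: int, tag: int, value: bytes) -> bytes:
    """RFC 2868 tagged attribute: one tag octet (0x00-0x1F) precedes the value."""
    return avp(attr_type, bytes([tag]) + value)


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) wrapping Vendor-Id 9, subtype 1 (cisco-avpair)."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return avp(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_accept(ident: int, request_auth: bytes, secret: bytes, vlan: int,
                 redirect_acl: str, redirect_url: str, session_timeout: int) -> bytes:
    """Access-Accept carrying VLAN, url-redirect-acl/url-redirect and Session-Timeout."""
    attrs = b"".join([
        tunnel_avp(TUNNEL_TYPE, 1, (13).to_bytes(3, "big")),        # 13 = VLAN
        tunnel_avp(TUNNEL_MEDIUM_TYPE, 1, (6).to_bytes(3, "big")),  # 6 = IEEE-802
        tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, 1, str(vlan).encode()),
        cisco_avpair(f"url-redirect-acl={redirect_acl}"),
        cisco_avpair(f"url-redirect={redirect_url}"),
        avp(SESSION_TIMEOUT, struct.pack("!I", session_timeout)),
        avp(TERMINATION_ACTION, struct.pack("!I", 1)),  # 1 = RADIUS-Request: reauth, not drop
    ])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret), RFC 2865 s3
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV list defensively; a bad length must not run past the buffer."""
    out, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed attribute length")
        out.append((attr_type, payload[i + 2:i + length]))
        i += length
    return out


def decode_accept(pkt: bytes, request_auth: bytes, secret: bytes) -> Dict[str, object]:
    """Verify the Response Authenticator, then pull out the fields the switch acts on."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad packet length")
    header, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    result: Dict[str, object] = {"code": code, "id": ident, "avpairs": []}
    for attr_type, value in parse_attrs(attrs):
        if attr_type == VENDOR_SPECIFIC and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            for subtype, sub_value in parse_attrs(value[4:]):
                if subtype == CISCO_AVPAIR:
                    result["avpairs"].append(sub_value.decode())
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID:
            # A leading octet <= 0x1F is a tag, otherwise the whole value is the VLAN string.
            result["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == SESSION_TIMEOUT:
            result["session_timeout"] = struct.unpack("!I", value)[0]
        elif attr_type == TERMINATION_ACTION:
            result["termination_action"] = struct.unpack("!I", value)[0]
    return result


def demo() -> Dict[str, object]:
    secret = b"test123"              # the lab server-key from the switch config in the thread
    request_auth = bytes(range(16))  # constructed; really the Access-Request's authenticator
    pkt = build_accept(0x5A, request_auth, secret, vlan=201, redirect_acl="Onboard-ACL",
                       redirect_url="https://cppm.example.test/guest/portal.php",  # assumed URL
                       session_timeout=3600)
    return decode_accept(pkt, request_auth, secret)


if __name__ == "__main__":
    print(demo())
```

Two points the decode side makes explicit: the switch only honours any of this after the Response Authenticator checks out against the shared key it has for that RADIUS server, so a key mismatch looks like "the switch ignored my enforcement" rather than an error; and `url-redirect-acl` names an ACL that must already exist on the switch, which is why Troy's config defines `Onboard-ACL` locally. Session-Timeout 3600 with Termination-Action RADIUS-Request is what makes `authentication timer reauthenticate server` re-run MAB hourly instead of tearing the session down.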



  • 16.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Sep 25, 2013 06:40 PM

    Troy,

     

    You know it's funny, I've only changed the VLAN number in the default VLAN policy - I've never actually read the other fields.

     

    Thanks for pointing that out!

     

    -Mike



  • 17.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Jan 13, 2014 09:58 AM
      |   view attached

    Hi everyone,

     

    I'm working on the same task as you (wired centralized web-auth like Cisco ISE).

    My service setup is like yours (allow all mac-auth, URL redirect returned, user's HTTP traffic redirected, credentials are posted, etc. - it's OK), but I have the next trouble:

    When a guest account expires, existing sessions are not disconnected automatically :(, while if I do this manually (from Guest app -> Active Sessions -> Disconnect) it works.

    CPPM version - 6.2.4

    Cisco Catalyst 3750-X IOS 12.2(55)SE3

    I also attached the services which I use (.xml).

    Can you advise anything?

    thanks )



  • 18.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Jan 15, 2014 04:03 AM

    Would be awesome if the OP could post screens for the service and all related components for the end result that seems to be working. Any chance of that happening? :)



  • 19.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Jan 15, 2014 04:13 AM

    Agree :)

     

    This would be great !



  • 20.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Apr 12, 2019 12:58 AM

    Hi ,

     

    While doing wired guest self-registration with an Aruba switch, the user connects and is redirected to the captive portal; the user fills in the required fields and submits the credentials to be validated by the ClearPass server.

    How is the user request categorized into the ClearPass web authentication service so that it hits the service and authenticates?

    Can anyone please help me on this

     

     


    @Bharani wrote:

    Hi Guys,

     

    We are implementing guest access to our wired network. So, we have configured 802.1x and MAB (MAC address bypass authentication) on the switch ports to authenticate the users connecting to them.

    So, if a user connects to a switchport and fails both 802.1x and MAB, he is treated as a guest user and should be given the ClearPass guest portal web login page (to create his own account to log in).

    Normally in Cisco ISE, we have an option to use 'If user_not_found in MAB, ISE will not fail MAB; rather it will send the redirect URL (of the ISE guest portal) to the switch to ask the user to log in to the guest portal page'. (You could refer to page 4 of the attached document.)

    So, in ClearPass, do we have an option like 'If the user is failing MAB, ClearPass sends the redirect URL to the switch to make the user log in to the ClearPass guest portal'? I don't find one, because if he is failing MAB, the only option we're left with is to use the switch's internal web page (web-auth, the fallback method for MAB).

    Does any service/enforcement policy need to be created to accomplish this? Please help.

     

    Thanks,
    Bharani.....

     


     



  • 21.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Apr 12, 2019 01:39 AM

    The wired captive portal authentication is different from the wireless one. In the guest page, use the vendor "Hewlett Packard Enterprise" and set the Pre-Auth check to none.

    [image: pic1.png]

    There should be a request in the Access Tracker.

    The service within Policy Manager should be set to the Web-based Authentication type.
    In the service rules you can use the following

    [image: pic2.png]



  • 22.  RE: Clearpass guest access portal - MAB - web authentication

    Posted Apr 12, 2019 02:56 AM

    Hi ,

     

    Yes, I selected the NAS setting as HP Enterprise and the pre-auth check is unchecked.

    And service side --> Web auth

    Host --> CHECK TYPE --> EQUALS --> Authentication ..

    And I have not included the guest page in the service; there is only one rule in the service.

    Can you please explain the workflow: the user submits the credentials via the captive portal, the request is classified into the web auth service and hits the CPPM server.

    And I see this in the Access Tracker ..