Contributor II
Posts: 58
Registered: ‎08-19-2013

Clearpass guest access portal - MAB - web authentication

Hi Guys,

We are implementing guest access to our wired network. So, we have configured 802.1x and MAB (MAC address bypass authentication) on switch ports to authenticate the users connecting to them.

So, if a user connects to a switchport and fails both 802.1x and MAB, he is treated as a guest user and should be given the ClearPass guest portal web login page (to create his own account to log in).

Normally in Cisco ISE, we have an option to use 'If user_not_found in MAB, ISE will not fail MAB, rather it will send the redirect URL (of the ISE guest portal) to the switch to ask the user to log in to the guest portal page'. (You could refer to page 4 of the attached document.)

So, in ClearPass, do we have an option like 'If the user is failing MAB, ClearPass sends the redirect URL to the switch to make the user log in to the ClearPass guest portal'? I don't find one, because if he is failing MAB, the only option we're left with is to use the switch's internal web page (web-auth, the fallback method for MAB).

Does any service/enforcement policy need to be created to accomplish this? Please help.

Thanks,
Bharani.....

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass guest access portal - MAB - web authentication

Yes, you can send back an ACL with a URL redirect, along with a VLAN, in your MAC auth service for unknown devices.

Sample ACL (screenshot: ciscoredirect.png)

Sample enforcement (screenshot: ciscomab.png)

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Clearpass guest access portal - MAB - web authentication

Hi Troy,

Thank you for the quick answer. But this enforcement policy and these profiles will be applied only when the client is being authenticated by one of the authentication sources, right?

Because in our case, the new user will not be getting authenticated by either guest_user_repository or any other source. So, eventually we're getting a MAC AUTH TEST failure (user not found) and the policies are not enforced.

But the requirement is that even though the user's MAC address is not known by ClearPass, it should be sending the ACL and redirect to the switch, which is not happening in our case :(

What authentication source should I use in this case? How should I proceed with this?

Thanks,

Bharani.....

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass guest access portal - MAB - web authentication

When the user fails .1x, the device will be authenticated with MAB, and instead of sending a reject you can catch all unknown devices and send them to the captive portal.

You can use the endpoints database as an auth source and use the guest user/device repositories as authorization sources for the role mapping.

Here are a few screenshots. You can work with your local SE and he can show you an example in our lab.

ciscoguest3.png

ciscoguest1.png

ciscoguest2.png

Thank You,
Troy

Guru Elite
Posts: 20,416
Registered: ‎03-29-2007

Re: Clearpass guest access portal - MAB - web authentication

Bharani,

 

You can clone the MAC auth authentication method and in your copy you can enable "Allow Unknown End-Hosts".

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Clearpass guest access portal - MAB - web authentication

Hi Troy,

I think this is exactly what I'm looking for! I'll give this a try on Monday and let you know the result.

Thanks,

Bharani...

Contributor II
Posts: 58
Registered: ‎08-19-2013

Re: Clearpass guest access portal - MAB - web authentication

Hi Joseph,

Thanks for your reply. I'll get back to you on Monday.

MVP
Posts: 366
Registered: ‎01-14-2010

Re: Clearpass guest access portal - MAB - web authentication

Hi Troy,

Could you share the Cisco config that you used to get this working? Also, is this functionality supported in IOS 12.2+, or do you need version 15+?

Thanks!

-Mike

Aruba
Posts: 1,536
Registered: ‎06-12-2012

Re: Clearpass guest access portal - MAB - web authentication

Min version is 12.2

########Apply this to your switch###########

aaa new-model
!
aaa authentication dot1x default group radius local
aaa authorization network default local group radius
aaa authorization auth-proxy default group radius
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
 client 10.xx.xx.xxx server-key 0 test123
 port 3799
 auth-type all
!
aaa session-id common
vtp mode transparent
ip routing
ip domain-name arubademo.net
ip name-server 10.xx.xx.xxx
ip name-server 10.xx.xx.xxx
!
!
ip device tracking
!
!
dot1x system-auth-control
!
!
!
!
vlan 201
!
!
!
!
interface Vlan1
 ip address <vlan1_provided_ipaddr> 255.255.248.0
!
interface Vlan200
 description "user_vlan"
 ip address <vlan200_provided_ipaddr> 255.255.254.0
!
interface Vlan201
 description "quarantine_vlan"
 ip address <vlan201_provided_ipaddr> 255.255.254.0
!
ip route 0.0.0.0 0.0.0.0 10.xx.xx.1
ip classless
ip http server
ip http secure-server
!
!
ip access-list extended Onboard-ACL 
 deny   tcp any 216.115.208.0 0.0.15.255
 deny   tcp any 216.219.112.0 0.0.15.255
 deny   tcp any 66.151.158.0 0.0.0.255
 deny   tcp any 66.151.150.160 0.0.0.31
 deny   tcp any 66.151.115.128 0.0.0.63
 deny   tcp any 64.74.80.0 0.0.0.255
 deny   tcp any 202.173.24.0 0.0.7.255
 deny   tcp any 67.217.64.0 0.0.31.255
 deny   tcp any 78.108.112.0 0.0.15.255
 deny   tcp any 206.183.100.0 0.0.7.255
 deny   tcp any 68.64.0.0 0.0.31.255
 deny   tcp any 173.199.0.0 0.0.63.255
 deny   tcp any 103.15.16.0 0.0.3.255
 deny   tcp any 180.153.30.0 0.0.1.255
 permit tcp any any
!
!
radius-server host 10.xxx.xxx.xxx auth-port 1812 acct-port 1813 key 0 test123
radius-server vsa send authentication
!
!
ntp clock-period 36029439
ntp server 10.xx.xxx.101

##############Apply this to your uplink interface (replace X/X/X below)#################

interface FastEthernetX/X/X
 description "Uplink to test Lab" 
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1,200,201
 switchport mode trunk
 spanning-tree portfast trunk

##############Apply this to your user interfaces (replace X/X/X below)#################

interface FastEthernetX/X/X
 switchport access vlan 200
 switchport mode access
 authentication event no-response action authorize vlan 201
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 20
 dot1x timeout supp-timeout 20
 dot1x max-reauth-req 1
 spanning-tree portfast

Thank You,
Troy

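The Onboard-ACL in the config above decides which destinations an unknown endpoint can reach without being pushed to the portal, so it is worth being able to check it offline before applying it. The following is an added example, not code from the thread or from Aruba/Cisco: a small parser and first-match evaluator for Cisco IOS extended ACL lines with wildcard masks. SAMPLE_ACL is constructed (two entries copied from the ACL above, the rest trimmed). The is_redirected helper encodes my understanding of Cisco's URL-redirect ACL convention, namely that traffic hitting a permit entry is redirected while deny entries exempt it; verify that against your platform's documentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: two entries copied from the Onboard-ACL above, rest trimmed.
# Format is a Cisco IOS extended ACL using wildcard masks (1 bits = "don't care").
SAMPLE_ACL = """
ip access-list extended Onboard-ACL
 deny   tcp any 216.115.208.0 0.0.15.255
 deny   tcp any 66.151.150.160 0.0.0.31
 permit tcp any any
"""

AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit ints


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp", "ip", ...
    src: AddrSpec
    dst: AddrSpec


def _parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume one IOS address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wild), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny entries; the 'ip access-list' header and blank lines are skipped."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        aces.append(Ace(tokens[0], tokens[1], src, dst))
    return aces


def _matches(spec: AddrSpec, ip: str) -> bool:
    base, wild = spec
    care = ~wild & 0xFFFFFFFF          # bits that must match exactly
    return (int(ipaddress.IPv4Address(ip)) & care) == (base & care)


def evaluate(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> str:
    """First-match semantics; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace.proto in ("ip", proto) and _matches(ace.src, src_ip) and _matches(ace.dst, dst_ip):
            return ace.action
    return "deny"


def is_redirected(aces: List[Ace], proto: str, src_ip: str, dst_ip: str) -> bool:
    """Assumed Cisco URL-redirect ACL convention: traffic hitting a 'permit' entry is
    sent to the portal; 'deny' entries (and the implicit deny) exempt it from redirection."""
    return evaluate(aces, proto, src_ip, dst_ip) == "permit"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for dst in ("216.115.210.7", "66.151.150.170", "93.184.216.34"):
        verdict = "redirected" if is_redirected(acl, "tcp", "10.0.0.5", dst) else "exempt"
        print(f"tcp 10.0.0.5 -> {dst}: {verdict}")
```

Two things the evaluator makes visible: anything not covered by a deny entry (here, all other TCP) is redirected, and because the ACL only mentions tcp, non-TCP traffic such as DNS over UDP falls through to the implicit deny, so whether it is redirected or simply left alone depends on how the switch treats the redirect ACL versus the port's traffic-filtering ACL.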
New Contributor
Posts: 3
Registered: ‎09-12-2013

Re: Clearpass guest access portal - MAB - web authentication

Hi Troy,

Yes, I've tested your settings; I can authenticate myself successfully even when the authentication source is none. Just a small question: when we add in the authorization sources, do we need to add in all 4 provided by you? Or do we just need to add in the endpoint plus guest device repo?

*Mar 5 04:32:44.985: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:44.985: %AUTHMGR-5-START: Starting 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:45.027: %MAB-5-SUCCESS: Authentication successful for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:45.027: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:46.067: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511

Shawn
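With "Allow Unknown End-Hosts" enabled, the switch log above is what every unrecognised endpoint produces: 802.1X fails over to MAB, MAB succeeds, and the port is authorized into the quarantine/portal role. That makes the dot1x-failover-then-MAB-success pattern a useful thing to watch for, since those sessions are exactly the devices ClearPass did not recognise. The following is an added example, not code from the thread or from Aruba: it parses AUTHMGR/MAB/DOT1X syslog lines into per-AuditSessionID records and lists the sessions that went down the guest path. SAMPLE_LOG contains the five lines Shawn posted plus two constructed lines for a second session (MAC 0011.2233.4455 on Fa0/3) that passed 802.1X directly.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Sample input: the five lines posted above, followed by two constructed lines
# (session ...C999) showing a client that passed 802.1X without failing over.
SAMPLE_LOG = """\
*Mar 5 04:32:44.985: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:44.985: %AUTHMGR-5-START: Starting 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:45.027: %MAB-5-SUCCESS: Authentication successful for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:45.027: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:32:46.067: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0015.5882.8823) on Interface Fa0/2 AuditSessionID 0AA7DC2F000000381592C511
*Mar 5 04:40:01.100: %DOT1X-5-SUCCESS: Authentication successful for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID 0AA7DC2F000000391592C999
*Mar 5 04:40:01.150: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0011.2233.4455) on Interface Fa0/3 AuditSessionID 0AA7DC2F000000391592C999
"""

# Matches the common tail of IOS auth-manager messages: facility-severity-mnemonic,
# free text, then the client MAC, interface and audit session id.
LINE_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*?)"
    r"client \((?P<mac>[0-9a-f.]+)\) on Interface (?P<intf>\S+) AuditSessionID (?P<sid>[0-9A-F]+)"
)


@dataclass
class Session:
    mac: str
    intf: str
    # (facility, mnemonic, quoted arguments such as 'dot1x' or 'mab')
    events: List[Tuple[str, str, List[str]]] = field(default_factory=list)

    @property
    def failed_over_from_dot1x(self) -> bool:
        return any(f == "AUTHMGR" and m == "FAILOVER" and "dot1x" in q for f, m, q in self.events)

    @property
    def mab_succeeded(self) -> bool:
        return any(f == "MAB" and m == "SUCCESS" for f, m, _ in self.events)

    @property
    def authorized(self) -> bool:
        return any(f == "AUTHMGR" and m == "SUCCESS" for f, m, _ in self.events)


def parse_sessions(log: str) -> Dict[str, Session]:
    """Group auth-manager log lines by AuditSessionID; unrelated lines are ignored."""
    sessions: Dict[str, Session] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["sid"], Session(m["mac"], m["intf"]))
        s.events.append((m["facility"], m["mnemonic"], re.findall(r"'([^']+)'", m["msg"])))
    return sessions


def guest_path_sessions(sessions: Dict[str, Session]) -> List[str]:
    """Session IDs where 802.1X was abandoned and MAB then authorized the port.
    With 'Allow Unknown End-Hosts' these are the endpoints ClearPass did not
    recognise, so they should only ever hold the quarantine VLAN / redirect ACL."""
    return sorted(sid for sid, s in sessions.items()
                  if s.failed_over_from_dot1x and s.mab_succeeded and s.authorized)


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for sid in guest_path_sessions(found):
        s = found[sid]
        print(f"guest path: {s.mac} on {s.intf} (session {sid})")
```

Feeding the switch's syslog into this and reconciling the result against ClearPass Access Tracker gives a quick check that every MAB-authorized unknown MAC really received the guest enforcement profile rather than the production VLAN.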
