CoA after MACtrac device registering

  • 1.  CoA after MACtrac device registering

    Posted Jul 21, 2017 05:04 AM

    Hi,

    With MAC auto fill on the MACtrac device page, it is possible for a user to register its device without knowing the MAC address.

    If the user has registered the device, is it possible to send a CoA for that MAC so that the device will go into the role for registered devices?

    Thanks,

    Christian



  • 2.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 07:40 AM
    Device Registration is commonly used for headless devices. Is that not the case in your environment?


  • 3.  RE: CoA after MACtrac device registering

    Posted Jul 21, 2017 07:58 AM

    Maybe my wording was wrong.

    What is the name for device self registration by a user?

    Our workflow is that the user connects to the Guest SSID with the device that should get registered.

    On the Guest captive portal page is a link to the Device registration page.

    The user needs to log in with AD credentials and can then register the device. The MAC of the device is already filled.

    When the user has entered the name of the device and clicked on Submit, the device is registered but the user is still in the to-be-registered role. A CoA could drop the device and make it authenticate with MAC auth next time.

    As we couldn't find a way to make this work, we tell the users to connect to another SSID which only does MAC auth for registered devices.

    This is what I would like to remove.



  • 4.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 08:03 AM
    So these are standard user devices with a browser (Win, Android, Mac, iOS) or headless/IoT devices like Chromecasts, printers, Apple TVs, game console, etc?

    Device registration can be used for both but it's really designed for the latter.

    After a device has registered, do you see a WEBAUTH request in ClearPass?


  • 5.  RE: CoA after MACtrac device registering

    Posted Jul 21, 2017 08:09 AM

    Standard devices.

    You are right. There is a WEBAUTH entry that seems to do the CoA.

    Is this the way it works?

    Then we need to check why the CoA isn't working.



  • 6.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 08:13 AM
    You need to create a WEBAUTH service to handle those requests with a Disconnect or CoA profile.

    I posted an example here yesterday: http://community.arubanetworks.com/t5/Security/CoA-on-EndPoint-Change/m-p/302483#M32727

    Just out of my own curiosity, why are you using device registration for regular devices instead of 802.1X?


  • 7.  RE: CoA after MACtrac device registering

    Posted Jul 21, 2017 10:06 AM

    We have that WEBAUTH and it triggers after a device registration.

    But it seems there is no CoA sent to the controller.

    How does CPPM know to which controller it needs to send the CoA?

    The "Access Device IP/Port:" field is empty in Access Tracker.

    This is a BYOD use case.

    We looked into CPPM Onboard but decided on MACtrac.

    802.1X wasn't looked at right now. We might do so later.

    Thanks,

    Christian



  • 8.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 10:13 AM

    Do you have RADIUS accounting enabled?

    In access tracker on the webauth request, is there a CoA tab?



  • 9.  RE: CoA after MACtrac device registering

    Posted Jul 21, 2017 06:10 PM

    Enabling RADIUS accounting and configuring rfc-3576 did the trick.

    The WEBAUTH now sends a CoA and the device authenticates next time with the Guest MAC service.

    Last thing that is missing is to return the sponsor name as username to the controller to replace the MAC in "show user".

    Returning
    Radius:IETF
    User-Name=%{Endpoint:Username}
    doesn't work as the Endpoint doesn't have any attributes.

    Standard Guest devices have all kinds of attributes.

    The sponsor name would be the user who has registered the device via MACtrac.

    How can we add the attributes to the device?

    Thanks,

    Christian



  • 10.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 06:15 PM
    %{Authorization:[Guest Device Repository]:SponsorName}


  • 11.  RE: CoA after MACtrac device registering

    Posted Jul 21, 2017 09:10 PM

    That works. Thanks!

    During my testing, I noticed that sometimes the CoA isn't sent.

    When this happens there is no Radius Response entry under the Output tab in Access Tracker for the WEBAUTH event.

    If the CoA is sent, there is the Radius:IETF:Calling-Station-Id attribute with the client MAC in Access Tracker.

    I have attached the logs when it doesn't work and when it works.

    Time for a TAC case?

    Thanks,

    Christian

    Attachment(s): Request_Logs-no-coa.txt, Request_Logs-coa.txt


  • 12.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 09:20 PM

    The best place to look is the device's last RADIUS authentication in Access Tracker. Is there a CoA tab after Output?

     

    From the logs you attached, it looks like there is no active session for that MAC address so the disconnect message isn't crafted/sent.



  • 13.  RE: CoA after MACtrac device registering

    Posted Jul 21, 2017 09:28 PM

    When the RADIUS MAC auth succeeds there is a CoA tab.

    Could it be that the RADIUS Accounting message takes some time to be sent to CPPM? And without it, there is no session in CPPM and no CoA sent?



  • 14.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Jul 21, 2017 09:43 PM
    Potentially, but I've never seen that happen. Guess it's best to open a TAC case.


  • 15.  RE: CoA after MACtrac device registering
    Best Answer

    Posted Aug 04, 2017 10:10 AM

    That is solved.

    We are using MACtrac in combination with guest MAC caching.

    The initial MAC auth of the device that should be registered needs to be accepted by ClearPass. By default it is rejected.

    When it is accepted and a captive portal role is pushed, the CoA following the registering of the device then works reliably.
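The dependency the thread settles on (posts 7, 12, 13 and 15) is that a Disconnect/CoA can only be sent when the NAC server already holds a session for the client MAC learned from RADIUS accounting, because the session is what tells it which NAS to address. The following is an added illustration, not ClearPass code: a hypothetical session table fed only by Accounting-Start, plus an RFC 3576/5176 Disconnect-Request builder and the receiver-side authenticator check. The shared secret, NAS IP, session id and MAC are constructed sample values.

```python
import hashlib
import struct

DISCONNECT_REQUEST = 40  # RFC 3576 / RFC 5176 packet code for Disconnect-Request
ATTR_USER_NAME, ATTR_CALLING_STATION_ID, ATTR_ACCT_SESSION_ID = 1, 31, 44


def encode_attr(attr_type, value):
    # RADIUS attribute TLV: type (1 byte), length including header (1 byte), value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_disconnect_request(secret, identifier, session):
    """Craft a Disconnect-Request; the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero bytes + Attributes + Secret)."""
    attrs = (encode_attr(ATTR_USER_NAME, session["username"].encode())
             + encode_attr(ATTR_CALLING_STATION_ID, session["mac"].encode())
             + encode_attr(ATTR_ACCT_SESSION_ID, session["acct_session_id"].encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_disconnect_request(packet, secret):
    """Receiver-side check: recompute the authenticator with the shared secret
    and confirm the length field matches the packet actually received."""
    header, authenticator, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return authenticator == expected and struct.unpack("!H", header[2:4])[0] == len(packet)


class SessionTable:
    """Hypothetical session store fed only by RADIUS Accounting-Start, keyed by MAC."""

    def __init__(self):
        self.sessions = {}

    def accounting_start(self, mac, nas_ip, acct_session_id, username):
        self.sessions[mac.lower()] = {"mac": mac.lower(), "nas_ip": nas_ip,
                                      "acct_session_id": acct_session_id,
                                      "username": username}

    def disconnect_for(self, mac, secret, identifier=1):
        """Return (nas_ip, packet) for a registered MAC, or None when no accounting
        session exists: with no session there is nothing to address the CoA to."""
        session = self.sessions.get(mac.lower())
        if session is None:
            return None
        return session["nas_ip"], build_disconnect_request(secret, identifier, session)
```

The None branch is the "no Radius Response entry" case from the thread; once an Accounting-Start has been seen for the MAC, the packet carries Calling-Station-Id and can be addressed to the recorded NAS.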



  • 16.  RE: CoA after MACtrac device registering

    MVP
    Posted Aug 09, 2018 02:21 PM

    @cappalli wrote:
    So these are standard user devices with a browser (Win, Android, Mac, iOS) or headless/IoT devices like Chromecasts, printers, Apple TVs, game console, etc?

    Device registration can be used for both but it's really designed for the latter.

    After a device has registered, do you see a WEBAUTH request in ClearPass?

    Should you also see a WEBAUTH when creating a Guest Account through the api with CoA set as true? I am not seeing the WEBAUTH on CPPM 6.6.x.



  • 17.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Aug 09, 2018 02:23 PM
    Device registration, yes. Guest account, no.


  • 18.  RE: CoA after MACtrac device registering

    MVP
    Posted Aug 09, 2018 02:29 PM

    @cappalli wrote:
    Device registration, yes. Guest account, no.

    That is the purpose of the CoA flag when creating a guest account using POST then? API Explorer says:




  • 19.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Aug 09, 2018 02:31 PM
    Just an oversight. I’ll get it removed.

    Dynamic Authorization would provide no value when creating a guest account.


  • 20.  RE: CoA after MACtrac device registering

    MVP
    Posted Aug 09, 2018 02:33 PM

    If a user is self-registering, the CoA could serve to log them in much like the login button already in the CPPM Guest self-registration process.



  • 21.  RE: CoA after MACtrac device registering

    EMPLOYEE
    Posted Aug 09, 2018 02:36 PM
    That would be handled by the out of box NAS configuration.