Contributor I

CoA after MACtrac device registering

Hi,

 

With MAC auto fill on the MACtrac device page, it is possible for a user to register their device without knowing the MAC address.

 

If the user has registered the device, is it possible to send a CoA for that MAC so that the device will go into the role for registered devices?

 

Thanks,

Christian

Guru Elite

Re: CoA after MACtrac device registering

Device Registration is commonly used for headless devices. Is that not the case in your environment?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CoA after MACtrac device registering

Maybe my wording was wrong.

What is the name for device self registration by a user?

 

Our workflow is that the user connects to the Guest SSID with the device that should get registered.

On the Guest captive Portal page is a link to the Device registration page.

The user needs to login with AD credentials and can then register the device. The MAC of the device is already filled.

 

When the user has entered the name of the device and clicked on Submit, the device is registered but the user is still in the to-be-registered role. A CoA could drop the device and make it authenticate with MAC auth next time.

 

As we couldn't find a way to make this work, we tell the users to connect to another SSID which only does MAC auth for registered devices.

This is what I would like to remove.

Guru Elite

Re: CoA after MACtrac device registering

So these are standard user devices with a browser (Win, Android, Mac, iOS) or headless/IoT devices like Chromecasts, printers, Apple TVs, game console, etc?

Device registration can be used for both but it's really designed for the latter.

After a device registered, do you see a WEBAUTH request in ClearPass?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CoA after MACtrac device registering

Standard devices.

 

You are right. There is a WEBAUTH entry that seems to do the CoA.

 

Is this the way it works?

 

Then we need to check why the CoA isn't working.

Guru Elite

Re: CoA after MACtrac device registering

You need to create a WEBAUTH service to handle those requests with a Disconnect or CoA profile.

I posted an example here yesterday: http://community.arubanetworks.com/t5/Security/CoA-on-EndPoint-Change/m-p/302483#M32727

Just out of my own curiosity, why are you using device registration for regular devices instead of 802.1X?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CoA after MACtrac device registering

We have that WEBAUTH and it triggers after a device registration.

But it seems there is no CoA sent to the controller.

How does CPPM know to which controller it needs to send the CoA?

The "Access Device IP/Port:" Field is empty in Access Tracker.

 

This is a BYOD use case.

 

We looked into CPPM onboard but decided for MACtrac.

802.1X wasn't looked at right now. We might do so later.

 

Thanks,

Christian

Guru Elite

Re: CoA after MACtrac device registering

Do you have RADIUS accounting enabled?

In access tracker on the webauth request, is there a CoA tab?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: CoA after MACtrac device registering

Enabling RADIUS accounting and configuring RFC 3576 did the trick.

The WEBAUTH now sends a CoA and the device authenticates next time with the Guest MAC service.

 

Last thing that is missing is to return the sponsor name as username to the controller to replace the MAC in "show user".

Returning

Radius:IETF

User-Name=%{Endpoint:Username}

doesn't work as the Endpoint doesn't have any attributes.

Standard Guest devices have all kinds of attributes.

The sponsor name would be the user who has registered the device via MACtrac.

 

How can we add the attributes to the device?

 

Thanks,

Christian
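The exchange above turns on the dependency between RADIUS accounting and CoA: without an accounting session, the policy server has no NAS IP/port to target (the empty "Access Device IP/Port" field in Access Tracker). The following Python is an added example, not ClearPass code and not from this thread: it builds a session table from constructed Accounting-Request attribute lists (Start adds a session keyed by MAC, Stop removes it), then assembles an RFC 5176 (formerly RFC 3576) Disconnect-Request for a registered MAC with the Request Authenticator computed as MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret), and verifies it the way a controller would. The NAS address, MAC addresses, session IDs and shared secret are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and the standard RADIUS attribute types used here
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_START, ACCT_STOP = 1, 2


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length (incl. header), value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("RADIUS attribute value exceeds 253 octets")
        out += bytes([attr_type, len(value) + 2]) + value
    return bytes(out)


def decode_attrs(data):
    """Inverse of encode_attrs; rejects truncated or zero-length TLVs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, data[i + 2:i + length]))
        i += length
    return attrs


def build_session_table(accounting_records):
    """Replay accounting records in order; the result maps MAC -> NAS/session details."""
    table = {}
    for attrs in accounting_records:
        d = dict(attrs)
        status = struct.unpack("!I", d[ATTR_ACCT_STATUS_TYPE])[0]
        mac = d[ATTR_CALLING_STATION_ID].decode()
        if status == ACCT_START:
            table[mac] = {
                "mac": mac,
                "nas_ip": socket.inet_ntoa(d[ATTR_NAS_IP_ADDRESS]),
                "session_id": d[ATTR_ACCT_SESSION_ID].decode(),
                "user": d[ATTR_USER_NAME].decode(),
            }
        elif status == ACCT_STOP:
            table.pop(mac, None)
    return table


def build_disconnect_request(ident, secret, session):
    """Disconnect-Request identifying the session by User-Name, Calling-Station-Id and Acct-Session-Id."""
    attrs = encode_attrs([
        (ATTR_USER_NAME, session["user"].encode()),
        (ATTR_CALLING_STATION_ID, session["mac"].encode()),
        (ATTR_ACCT_SESSION_ID, session["session_id"].encode()),
    ])
    header = struct.pack("!BBH", DISCONNECT_REQUEST, ident, 20 + len(attrs))
    # RFC 5176 section 2.3: Request Authenticator over the packet with a zeroed authenticator field
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_request_authenticator(packet, secret):
    """What the NAS checks before acting on a CoA/Disconnect-Request."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(auth, expected)


def plan_disconnect(session_table, mac, secret, ident):
    """Return (nas_ip, packet) for a MAC with a live accounting session, or None when there is none."""
    session = session_table.get(mac)
    if session is None:
        return None  # no accounting session: nowhere to send the CoA (the empty Access Device IP/Port case)
    return session["nas_ip"], build_disconnect_request(ident, secret, session)


# Constructed sample accounting records: two Starts, then a Stop for the second client.
SAMPLE_ACCOUNTING = [
    [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)), (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.0.0.1")),
     (ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"), (ATTR_ACCT_SESSION_ID, b"SESS0001"), (ATTR_USER_NAME, b"001122334455")],
    [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)), (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.0.0.1")),
     (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"), (ATTR_ACCT_SESSION_ID, b"SESS0002"), (ATTR_USER_NAME, b"aabbccddeeff")],
    [(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP)), (ATTR_NAS_IP_ADDRESS, socket.inet_aton("10.0.0.1")),
     (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF"), (ATTR_ACCT_SESSION_ID, b"SESS0002"), (ATTR_USER_NAME, b"aabbccddeeff")],
]
SESSION_TABLE = build_session_table(SAMPLE_ACCOUNTING)

if __name__ == "__main__":
    print("live sessions:", sorted(SESSION_TABLE))
    print("unknown MAC ->", plan_disconnect(SESSION_TABLE, "DE-AD-BE-EF-00-01", b"sharedsecret", 7))
    nas_ip, pkt = plan_disconnect(SESSION_TABLE, "00-11-22-33-44-55", b"sharedsecret", 7)
    print("send", len(pkt), "bytes to", nas_ip, "valid:", verify_request_authenticator(pkt, b"sharedsecret"))
```

The session-table step is the part the thread was missing: the policy server can only fill in the NAS address from an accounting Start it has seen, so a WEBAUTH hit with no matching accounting session produces no CoA target. The shared secret check on the receiving side is why the RFC 3576 server entry on the controller has to match the one configured for the NAS on the policy server.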

Guru Elite

Re: CoA after MACtrac device registering

%{Authorization:[Guest Device Repository]:SponsorName}

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480