Occasional Contributor II
Posts: 11
Registered: ‎02-14-2014

Differentiate two web login authentication

Hi,

 

I have a ClearPass 6.3.4.64924 and I'm making modifications on two web login pages I'm using. Both are used as Captive Portal for guest or employees' personal device registration.

 

I ran into a roadblock after modifying the second web login: when I change the login method to Server-initiated, the WEBAUTH authentication uses the service from the other web login (that I don't want). So here is how it is set up:

 

Web Login #1: Employee device

Vendor: Aruba Networks

Login Method: Server-initiated

Authentication: Credentials

Pre-Auth Check: Radius

 

Web Login #2: Guest

Vendor: Aruba Networks

Login Method: Controller-initiated

Authentication: Credentials

Pre-Auth Check: Radius

 

So, web login #1 works fine, the RADIUS and WEBAUTH requests go through. Web login #2 is working in the controller-initiated mode, but as soon as I change it to server-initiated, the initial RADIUS request goes through without a problem, but the WEBAUTH request doesn't work because it uses the web login #1 WEBAUTH service. I've tried to find what string I have to put in the service rule to differentiate both requests, but it seems there is none.

 

Has anyone already seen this issue? Unfortunately, I cannot use the same service for both systems as I don't want to mix corporate stuff with guest. Let me know if you need more information.

 

Thank you

 

Jo

MVP
Posts: 4,126
Registered: ‎07-20-2011

Re: Differentiate two web login authentication

I understand you don't want to use the same service, but you can create an enforcement policy that actually has logic for both, and that shouldn't conflict with either setup.

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Guru Elite
Posts: 8,056
Registered: ‎09-08-2010

Re: Differentiate two web login authentication

You should receive the name of the registration page in the RADIUS input tab in ClearPass. You can key off that.

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 11
Registered: ‎02-14-2014

Re: Differentiate two web login authentication

Hi Victorfabian,

 

Thank you for your quick reply. I would really like to be able to differentiate them by the web login portal used (as other types of authentication do), so I don't have to rely on the authentication source or other information.

Maybe I'm being too strict in my design, but I really want to separate corporate stuff and guest.

 

Thank you

 

Jo

Occasional Contributor II
Posts: 11
Registered: ‎02-14-2014

Re: Differentiate two web login authentication

Hi Cappalli,

 

thank you for your quick reply. Currently, my problem is not at the radius request, but the webauth request the web login is doing. If there would be the same kind of key as the radius request (Radius:Aruba:Aruba-Port-ID), that would solve my problem. Here are the computed attributes a webauth request has:

 

Authentication:Full-Username = username
Authentication:Full-Username-Normalized = username
Authentication:Posture = Unknown
Authentication:Source = Auth source
Authentication:Status = User
Authentication:Username = username
Authorization:Sources = Autho source
Connection:Client-IP-Address = 192.168.0.x
Connection:Client-Mac-Address = 000000000000
Connection:Client-Mac-Address-Colon = 00:00:00:00:00:00
Connection:Client-Mac-Address-Dot = 0000.0000.0000
Connection:Client-Mac-Address-Hyphen = 00-00-00-00-00-00
Connection:Client-Mac-Address-NoDelim = 000000000000
Connection:Client-Mac-Vendor = Apple
Connection:Protocol = WEBAUTH
Connection:Src-IP-Address = 127.0.0.1
Date:Date-of-Year = 2014-07-28
Date:Date-Time = 2014-07-28 12:41:41
Date:Day-of-Week = Monday
Date:Time-of-Day = 12:41:41
Endpoint:Role = some role
Endpoint:Username = username
Host:CheckType = Authentication

 

Thank you

 

Jo

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Differentiate two web login authentication

I think the solution here is to go by the Connection:Client-IP-Address. So you will have to make sure your clients end up on different VLANs/subnets when they use the WebAuth. I never did see the page name, but I might not have something set correctly.
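
Added example, not part of the original posts and not ClearPass code: a simplified first-match model of service selection, showing why two WEBAUTH requests that differ only in Connection:Client-IP-Address both land on the first service, and how a per-subnet rule separates them. The service names, subnets and sample requests are hypothetical; only the attribute names come from the thread.

```python
import ipaddress

# Constructed WEBAUTH requests; attribute names are from the thread, values are hypothetical.
BASE = {"Connection:Protocol": "WEBAUTH", "Connection:Src-IP-Address": "127.0.0.1",
        "Host:CheckType": "Authentication"}
EMPLOYEE_REQ = {**BASE, "Connection:Client-IP-Address": "10.10.20.15"}
GUEST_REQ = {**BASE, "Connection:Client-IP-Address": "10.10.30.42"}
UNKNOWN_REQ = {**BASE, "Connection:Client-IP-Address": "192.168.0.x"}  # unparsable address

def equals(expected):
    return lambda value: value == expected

def in_subnet(cidr):
    net = ipaddress.ip_network(cidr)
    def check(value):
        try:
            return ipaddress.ip_address(value) in net
        except ValueError:
            return False  # a malformed or masked address never matches
    return check

def select_service(services, request):
    """Return the first service whose rules all match (assumed first-match ordering)."""
    for name, rules in services:
        if all(attr in request and pred(request[attr]) for attr, pred in rules):
            return name
    return None  # no service matched: the request is not processed

# Both services match on protocol only: the guest request hits the employee service.
PROTOCOL_ONLY = [
    ("Employee WebAuth", [("Connection:Protocol", equals("WEBAUTH"))]),
    ("Guest WebAuth", [("Connection:Protocol", equals("WEBAUTH"))]),
]

# Each service additionally requires the client to sit in its own (hypothetical) subnet.
BY_SUBNET = [
    ("Employee WebAuth", [("Connection:Protocol", equals("WEBAUTH")),
                          ("Connection:Client-IP-Address", in_subnet("10.10.20.0/24"))]),
    ("Guest WebAuth", [("Connection:Protocol", equals("WEBAUTH")),
                       ("Connection:Client-IP-Address", in_subnet("10.10.30.0/24"))]),
]

if __name__ == "__main__":
    for label, req in [("employee", EMPLOYEE_REQ), ("guest", GUEST_REQ), ("unknown", UNKNOWN_REQ)]:
        print(label, select_service(PROTOCOL_ONLY, req), select_service(BY_SUBNET, req))
```

With the subnet rules in place, a client outside both subnets matches neither service, so corporate and guest handling stay separate even for unexpected source addresses.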

 

Occasional Contributor II
Posts: 11
Registered: ‎02-14-2014

Re: Differentiate two web login authentication

Hi sdr53,

 

Yeah, that could be an idea. I would still prefer to filter by page name, but this is possible.

I will be opening a TAC ticket and will reply with their answer.

 

Jo

Guru Elite
Posts: 8,056
Registered: ‎09-08-2010

Re: Differentiate two web login authentication

So doing something like this didn't work for you?

 

weblogin-page.JPG


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Occasional Contributor II
Posts: 11
Registered: ‎02-14-2014

Re: Differentiate two web login authentication

Hi Cappalli,

 

Sorry for the delay. Unfortunately, that doesn't work because it doesn't apply to a webauth, but to an application authentication service. If you set up a web login with authentication credentials and pre-auth check app auth, the first authentication request will be an app authentication, the one you describe below with the rules. The second would be the webauth authentication, which is where my problem is. These are the options I have when I set up a service in web auth:

 

2014-08-13 17_58_00-ClearPass Policy Manager - Aruba Networks.png

 

I've contacted TAC and they weren't able to give me an answer for that. They have also recommended I use this specific web login in controller-initiated mode as it's for guest with MAC caching (I had some issues with it that they have helped me resolve).

 

Anyway, still a mystery. Will continue to figure out a way to do it, but at least my guest login is not working as expected.

 

Thx everyone :)

Frequent Contributor II
Posts: 122
Registered: ‎01-19-2013

Re: Differentiate two web login authentication

Thanks for sharing your response,

I had to use Web-auth because of the OnGuard integration with CPPM Guest. I don't have the requirement of different authentication sources. Hopefully you will find a workaround for what you are trying to accomplish, and hopefully it's not too complicated.

 

 
