Contributor I
Posts: 25
Registered: ‎03-27-2015

Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

Hello,

I have a client running Guest on CPPM 6.6 and a Cisco WLC (v. 8.0.121.0).

As the subject outlines, expired guest accounts are still able to connect. I created the services using the templates. Default policy is for 4 hour access, access-code based, so a user need only enter their contact information and then hit 'submit' to gain access to the internet. After 4 hours however, they are not logged out, and if the device disconnects and then reconnects at a later time, they are still granted access.

SSID is configured with MAC filtering; upon failure it redirects to the captive portal landing page.

Reject Packet Delay on CPPM is set to 0.

Attached are screenshots of the config.

SSID:

L2.png

L3.png

Guest Service:

guest roles.png

Guest Enforce.png

MAC auth service:

MAB auth.png

MAB roles.png

MAB enforce.png

Sample Access Tracker entry:

access tracker.png

As you can see, the Captive Portal redirect is being sent from CPPM to the WLC, however the user is still allowed on. In my client's words: "a pop-up appears briefly, but not long enough to actually load the captive portal page", and then he is simply allowed onto the network.

The only thing I potentially think could be missing which I haven't tried is adding a Cisco - Terminate Session to the enforcement on the Guest Access Service as referenced in this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/guest-account-expirationguest-account-expiration-with-clearpass/m-p/249351

If anyone has any other suggestions, or can confirm the Terminate Session is indeed what is required, that would be great.

Thanks all.

Frequent Contributor II
Posts: 115
Registered: ‎07-13-2015

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

[ Edited ]

Hi,

Without having to integrate the CoA Terminate Session feature, you could just kill the client's session on the Cisco WLC (this user should also be expired on the time source, i.e. more than 4 hours since auth) and then test whether he is prompted with the captive portal.

Also, I have low experience on Cisco Wireless, but can't you just put deny access on your MAC auth service if the time source caching is expired, so that it will receive a MAC auth reject and forward to the captive portal by itself?

ACMP, ACCP, BCNE
Contributor I
Posts: 25
Registered: ‎03-27-2015

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

I did attempt the deny on MAC auth service previously with that intention. It would allow and redirect only on initial connection (endpoint not pre-existing in endpoint database). After initial logon, and the endpoint being added, subsequent MAC authentications would just straight up result in a permanent deny.

MVP
Posts: 4,088
Registered: ‎07-20-2011

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

You can use the Guest User Repository > Expired > True or False to allow access in your enforcement policy.

To disconnect the device you need to enable:
- Accounting
- support for RFC 3576 under the RADIUS server to allow the CoA to happen

https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-set-user-account-expiration-with-delete-and-logout-option/ta-p/182962

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 25
Registered: ‎03-27-2015

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

Both are enabled.

MVP
Posts: 4,088
Registered: ‎07-20-2011

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

Do you have the Guest User Repository > AccountExpired in the role mapping or enforcement policy for MAC auth?

Did you add the Guest User Repository as an authorization source?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 25
Registered: ‎03-27-2015

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

Aye, I do. As shown in the screenshots above.

MVP
Posts: 4,088
Registered: ‎07-20-2011

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

Your enforcement policy is not correct.

The second rule is allowing the device to bypass, whether the device is enabled or not in the Guest User Repository.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor I
Posts: 25
Registered: ‎03-27-2015

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

[ Edited ]

Ok. For the record, the second enforcement on that rule sends a Cisco AvPair redirect to send the client to the captive portal page. It was my understanding that the Allow Access had to be there before a client would even be able to be redirected. Though I suppose if they've already been allowed access, they could simply browse away from the captive portal redirect.

I'll do some testing there. Thanks for pointing that out.

Contributor I
Posts: 25
Registered: ‎03-27-2015

Re: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

For the record, I resolved this by changing the MAC failure to a deny when missing the MAC Caching role, rather than the accept and then passing the captive portal redirect. My guess is this is a difference between Cisco and Aruba controllers, as the original config was generated from the template.

Everything is working now.

Thanks!
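The difference between the template-generated MAC auth enforcement policy and the corrected one, modelled as an added example (constructed for this thread, not ClearPass or Cisco code): roles are mapped from the endpoint record and the Guest User Repository, the enforcement policy is evaluated first-match, and the WLC outcome follows the behaviour described above. The `Endpoint` class, `map_roles`, `enforce`, `wlc_outcome`, the sample MACs and the redirect URL are all assumptions.

```python
from dataclasses import dataclass

# Constructed model of the MAC-auth flow in the thread: ClearPass maps roles,
# then walks a first-match enforcement policy. The [MAC Caching] role and the
# Cisco-AVPair url-redirect follow the thread; everything else is illustrative.

@dataclass
class Endpoint:
    mac: str
    known: bool           # already present in the endpoint database
    guest_expired: bool   # Guest User Repository > Expired

def map_roles(ep: Endpoint) -> set:
    """Grant [MAC Caching] only to a known endpoint whose guest account is current."""
    roles = set()
    if ep.known and not ep.guest_expired:
        roles.add("[MAC Caching]")
    return roles

# Rules: (required roles, or None for the default rule; RADIUS action; attributes).
# Template-generated policy from the thread: the default rule is Accept + redirect.
TEMPLATE_POLICY = [
    ({"[MAC Caching]"}, "Accept", {}),
    (None, "Accept", {"Cisco-AVPair": "url-redirect=https://portal.example.invalid/guest"}),
]
# Corrected policy from the final post: the default rule is Deny.
FIXED_POLICY = [
    ({"[MAC Caching]"}, "Accept", {}),
    (None, "Deny", {}),
]

def enforce(policy, roles):
    """Return (action, attributes) of the first rule whose required roles are held."""
    for required, action, attrs in policy:
        if required is None or required <= roles:
            return action, attrs
    return "Deny", {}

def wlc_outcome(action):
    """WLC with MAC filtering and 'on failure, redirect to captive portal', as
    described in the thread: an Accept admits the client, a Deny triggers the portal."""
    return "on-network" if action == "Accept" else "captive-portal"

def evaluate(policy, ep):
    action, _attrs = enforce(policy, map_roles(ep))
    return action, wlc_outcome(action)

if __name__ == "__main__":
    expired = Endpoint("aa:bb:cc:dd:ee:01", known=True, guest_expired=True)  # constructed
    print("template:", evaluate(TEMPLATE_POLICY, expired))  # ('Accept', 'on-network')
    print("fixed:   ", evaluate(FIXED_POLICY, expired))     # ('Deny', 'captive-portal')
```

With the template policy the expired endpoint falls through to the Accept rule and lands on the network; with the corrected policy the same endpoint is denied, which is what makes the WLC present the captive portal.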
