Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guest Access Captive Portal with MAC Cache and Account Disable.

  • 1.  Guest Access Captive Portal with MAC Cache and Account Disable.

    Posted Aug 01, 2013 08:35 AM

    ClearPass ver 6.2.0.25546 on CP-VA-500

     

    OK, we have MAC cache turned on in the web logins page, and it all works for access. Guest signs in the first time and gets a MAC account for the endpoint.

     

    My first question is: does the expiration date on the MAC account match the expiration date on the guest account?

     

    My second question: when I disable the guest user account, I am still seeing the user get access through the endpoint's MAC account. Is there a way to stop this?



  • 2.  RE: Guest Access Captive Portal with MAC Cache and Account Disable.

    Posted Aug 01, 2013 08:44 AM

    Did you make your MAC DB profile on the controller, or on the ClearPass DB?



  • 3.  RE: Guest Access Captive Portal with MAC Cache and Account Disable.

    Posted Aug 02, 2013 08:11 AM
    Not 100% sure what you're asking - but

    On the controller I set up pretty standard MAC auth - in the AAA profile I used the default MAC profile and listed the ClearPass server group - this is the same location captive portal goes to.

    On ClearPass I made two services: one to process MAC auth and one to process the guest auth.

    I can see the user MAC process the services in Access Tracker and they show up as known in the endpoints list, so they are getting in the endpoints database.


  • 4.  RE: Guest Access Captive Portal with MAC Cache and Account Disable.

    Posted Aug 14, 2013 04:24 AM

    I still have not found a solution to this. 

     

    In testing, when I disable the guest account on CPPM, the MAC in the endpoints database still allows the guest to authenticate until the original expiration of the guest account.



  • 5.  RE: Guest Access Captive Portal with MAC Cache and Account Disable.

    Posted Aug 21, 2013 07:54 AM

    You could lower the expiration time on the MAC entries? Or delete it when you disable the account. But beyond that I don't see a nice way to solve this.



  • 6.  RE: Guest Access Captive Portal with MAC Cache and Account Disable.
    Best Answer

    Posted Aug 22, 2013 03:08 PM

    Actually I have found that this has been taken care of in version 6.2 of CPPM/Guest. Actually in version 6.1.2 (look in release notes) a bug fix corrected the behaviour where CPPM now checks for the original guest account status when authenticating a MAC cached user. Thus if the client disconnects and reconnects, the MAC cache entry is expired if the guest account is expired. Also in version 6.2 a bug fix corrected the behaviour where now when you disable the guest account it sends a CoA record to the RFC-3576 server and will deauthenticate the client.

     

    Also, optionally you can change the MAC cache timeout from the default of 1 day to hours or even minutes. This is a rule setting in enforcement, where the rule Authorization:[Insight Repository]:Days-Since-Auth LESS_THAN can be changed to other time settings.