Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Guidance with MAB and ClearPass Captive Portal for Wired Connection.

  • 1.  Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Apr 20, 2018 04:19 PM

    Hello All,

    As the subject says, I would like some guidance setting up ClearPass to be used with our Cisco switches. The goal is to use MAB using the ClearPass internal database for MAC addresses. If the MAC of the device is a known client, the computer connected is allowed to have access. If the MAC is unknown, we would like to display the ClearPass captive portal page and allow them to enter their domain credentials. Once authenticated, change the ACL on the port to allow traffic.

    I was following the ClearPass Wired Policy Enforcement Guide but am stuck. All required ACLs "CLEARPASS-REDIRECT", "default_port_acl" and "ALLOWALL" have been created.

    But on the ClearPass side I am unsure of which service should be created to fulfill the requested requirements. We would like to not have to create additional VLANs and just change the ACL once authenticated.

    Any advice is greatly appreciated.



  • 2.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    EMPLOYEE
    Posted Apr 20, 2018 04:21 PM
    The doc shows the required services and enforcement profiles as well.


  • 3.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Apr 21, 2018 12:22 PM
    Hi Tim,

    First off thank you for creating that guide it has helped greatly.

    I was able to get the MAB section working for known clients. I am now working on the redirect for unknown clients to the portal.

    The page has been created and under the mab service I added an enforcement policy that if the client is unknown to redirect to the newly created web auth service.

    I have to wait till Monday when I’m in the office to see if this works.

    I do have a question, though: after the web auth completes, how do I change the ACL to ALLOWALL? We only want the domain user to be sticky for that session, with a max time of 2 hours. If they disconnect, they must re-authenticate.


  • 4.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Apr 23, 2018 09:39 AM

    Hi Tim,

    I just checked: when the client is selected as unknown in CP endpoints, the user does not get redirected to the Captive Portal page.

    I have attached screenshots of my setup. If you could assist it would be greatly appreciated.



  • 5.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Apr 23, 2018 09:43 AM

    I forgot to add the following output from the switch.

    CP-Test-Switch#show authentication sessions interface gi1/0/3
    Interface: GigabitEthernet1/0/3
    MAC Address: 0024.1111.1111
    IP Address: Removed
    User-Name: 002411111111 - Changed User-Name
    Status: Authz Success
    Domain: DATA
    Oper host mode: multi-domain
    Oper control dir: both
    Authorized By: Authentication Server
    Vlan Group: N/A
    URL Redirect ACL: CLEARPASS-REDIRECT
    URL Redirect: http://192.168.0.100/guest/CSI_Lan.php - Changed IP Address
    Session timeout: N/A
    Idle timeout: N/A
    Common Session ID: A3EE349B000000360F2DDDF6
    Acct Session ID: 0x00000991
    Handle: 0x79000036



  • 6.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Sep 03, 2018 04:06 PM

    Hi,

     

    You need to add two more enforcement profiles for the unknown client, as below:

    1) VLAN enforcement for the unknown client.

    2) A DACL needs to be enforced allowing DHCP, DNS, HTTP & HTTPS, to control access during the ClearPass captive portal pre-authentication state.

     

    Regards,

    Milind Yashwantrao
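    As an added illustration (not the poster's configuration and not taken from the HPE tech note), this is how the pieces named in this thread could fit together on a Cisco IOS switch and in the ClearPass enforcement profiles. The ClearPass address 192.168.0.100, the portal URL and the ACL names come from the switch output and posts above; every ACL entry and the attribute layout are assumptions for the example.

```text
! --- Switch side (Cisco IOS syntax, assumed for the example) ---
! Redirect ACL named in the thread. In a url-redirect-acl a PERMIT entry marks
! traffic to be intercepted and redirected to the portal, a DENY entry lets it
! pass untouched. DHCP, DNS and traffic to ClearPass itself must NOT be
! redirected, or the client can never resolve or reach the portal.
ip access-list extended CLEARPASS-REDIRECT
 deny   udp any any eq domain
 deny   udp any eq bootpc any eq bootps
 deny   ip  any host 192.168.0.100
 permit tcp any any eq www
 permit tcp any any eq 443

! Fallback port ACL (name from the thread) applied before any RADIUS result:
! only DHCP and DNS, everything else dropped.
ip access-list extended default_port_acl
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 deny   ip  any any

! --- ClearPass side: RADIUS attributes returned by the enforcement profiles ---
! 1) Profile for an UNKNOWN endpoint: redirect plus the pre-auth dACL that
!    Milind describes (DHCP, DNS, HTTP, HTTPS). All are Radius:Cisco Cisco-AVPair
!    values; dACL lines are sent one ACE per attribute as ip:inacl#<n>=<ace>.
Cisco-AVPair = url-redirect-acl=CLEARPASS-REDIRECT
Cisco-AVPair = url-redirect=http://192.168.0.100/guest/CSI_Lan.php
Cisco-AVPair = ip:inacl#10=permit udp any eq bootpc any eq bootps
Cisco-AVPair = ip:inacl#20=permit udp any any eq domain
Cisco-AVPair = ip:inacl#30=permit tcp any host 192.168.0.100 eq 443
Cisco-AVPair = ip:inacl#40=permit tcp any host 192.168.0.100 eq 80
Cisco-AVPair = ip:inacl#50=permit tcp any any eq 80
Cisco-AVPair = ip:inacl#60=permit tcp any any eq 443
Cisco-AVPair = ip:inacl#70=deny ip any any

! 2) Profile for a KNOWN / web-authenticated endpoint: full access, but only
!    for this session. Session-Timeout = 7200 s is the 2-hour maximum asked for
!    in the thread; Termination-Action RADIUS-Request makes the switch
!    re-authenticate at expiry (the port needs
!    "authentication timer reauthenticate server" to honour the timer).
Cisco-AVPair = ip:inacl#10=permit ip any any
Session-Timeout = 7200
Termination-Action = RADIUS-Request
```

    When the unknown endpoint completes the web login, ClearPass must also send a RADIUS CoA (disconnect or reauthenticate) so the switch re-runs MAB and picks up profile 2; without it the session stays in the redirect state shown in the "show authentication sessions" output above.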



  • 7.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Aug 20, 2021 04:15 AM
    Hi Mate,
    Could you please share your Cisco 2960 switch config if you don't mind. I am struggling in redirecting the user to a splash page. Every time I connect a device with Posture Unknown, the status becomes Unauthorized.

    Regards,
    Varun

    ------------------------------
    Varun Sharma
    ------------------------------



  • 8.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    Posted Jun 20, 2023 12:13 PM

    Hi, though this is quite an old thread, any chance someone can share the document "Guidance with MAB and ClearPass Captive Portal for Wired Connection"? Thanks.




  • 9.  RE: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

    EMPLOYEE
    Posted Jun 20, 2023 07:00 PM

    Here is the tech note for wired enforcement:



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------