New Contributor

Guidance with MAB and ClearPass Captive Portal for Wired Connection.

Hello All,

As the subject says, I would like some guidance setting up ClearPass to be used with our Cisco switches. The goal is to use MAB using the ClearPass internal database for MAC addresses. If the MAC of the device is a known client, the connected computer is allowed to have access. If the MAC is unknown, we would like to display the ClearPass captive portal page and allow them to enter their domain credentials. Once authenticated, change the ACL on the port to allow traffic.

I was following the ClearPass Wired Policy Enforcement Guide but am stuck. All required ACLs ("CLEARPASS-REDIRECT", "default_port_acl" and "ALLOWALL") have been created.

But on the ClearPass side I am unsure of which service should be created to fulfill the requirements. We would like to not have to create additional VLANs and just change the ACL once authenticated.

Any advice is greatly appreciated.

Guru Elite

Re: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

The doc shows the required services and enforcement profiles as well.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480

New Contributor

Re: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

Hi Tim,

First off thank you for creating that guide it has helped greatly.

I was able to get the MAB section working for known clients. I am now working on the redirect for unknown clients to the portal.

The page has been created, and under the MAB service I added an enforcement policy that, if the client is unknown, redirects to the newly created web auth service.

I have to wait till Monday when I’m in the office to see if this works.

I do have a question though: after the web auth completes, how do I change the ACL to ALLOWALL? We only want the domain user to be sticky for that session with a max time of 2 hours. If they disconnect they must re-authenticate.

New Contributor

Re: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

Hi Tim,

I just checked: when the client is selected as unknown in CP endpoints, the user does not get redirected to the Captive Portal page.

I have attached screenshots of my setup. If you could assist it would be greatly appreciated.

New Contributor

Re: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

I forgot to add the following output from the switch.

CP-Test-Switch#show authentication sessions interface gi1/0/3
Interface: GigabitEthernet1/0/3
MAC Address: 0024.1111.1111
IP Address: Removed
User-Name: 002411111111 - Changed User-Name
Status: Authz Success
Domain: DATA
Oper host mode: multi-domain
Oper control dir: both
Authorized By: Authentication Server
Vlan Group: N/A
URL Redirect ACL: CLEARPASS-REDIRECT
URL Redirect: http://192.168.0.100/guest/CSI_Lan.php - Changed IP Address
Session timeout: N/A
Idle timeout: N/A
Common Session ID: A3EE349B000000360F2DDDF6
Acct Session ID: 0x00000991
Handle: 0x79000036

New Contributor

Re: Guidance with MAB and ClearPass Captive Portal for Wired Connection.

Hi,

You need to add two more enforcement profiles for the unknown client, as below:

1) Vlan enforcement for the unknown client.

2) A DACL needs to be enforced that allows DHCP, DNS, HTTP & HTTPS, to control access during the ClearPass captive portal pre-authentication state.

Regards,

Milind Yashwantrao
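
An added example, not from this thread, the ClearPass guide or Cisco: a Cisco IOS switch configuration that ties together the ACLs named in the original question (CLEARPASS-REDIRECT, default_port_acl, ALLOWALL) and the pre-authentication access Milind describes in point 2. It assumes the ClearPass server is 192.168.0.100 (the address in the posted redirect URL), the port is GigabitEthernet1/0/3 from the posted session output, and `<shared-secret>` is a placeholder; the ACL contents themselves are my assumptions, since the thread only names the ACLs.

```cisco
! --- Global AAA: RADIUS authentication/authorization via ClearPass ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
! ClearPass address taken from the redirect URL in the thread; key is a placeholder
radius server CLEARPASS
 address ipv4 192.168.0.100 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Accept RADIUS CoA from ClearPass so the session can be re-authorized
! (new ACL) after web auth completes, without bouncing the port
aaa server radius dynamic-author
 client 192.168.0.100 server-key <shared-secret>
!
dot1x system-auth-control
! URL redirect needs the switch to know the client IP and to intercept HTTP
ip device tracking
ip http server
ip http secure-server
!
! Redirect ACL semantics: 'permit' lines ARE redirected to the portal,
! 'deny' lines bypass the redirect. DHCP, DNS and traffic to ClearPass
! itself must not be redirected or the client can never reach the portal.
ip access-list extended CLEARPASS-REDIRECT
 deny   udp any any eq bootps
 deny   udp any any eq domain
 deny   ip any host 192.168.0.100
 permit tcp any any eq www
 permit tcp any any eq 443
!
! Port ACL in force before any session is authorized (pre-auth state):
! only what the captive-portal flow needs (assumed contents)
ip access-list extended default_port_acl
 permit udp any any eq bootps
 permit udp any any eq domain
 permit ip any host 192.168.0.100
 permit tcp any any eq www
 permit tcp any any eq 443
 deny   ip any any
!
! Full-access ACL applied once web auth succeeds (assumed contents)
ip access-list extended ALLOWALL
 permit ip any any
!
! Access port from the posted 'show authentication sessions' output
interface GigabitEthernet1/0/3
 switchport mode access
 ip access-group default_port_acl in
 authentication host-mode multi-domain
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 ! honour the Session-Timeout value ClearPass returns (the 2-hour limit)
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
```

On the ClearPass side this pairs with two enforcement profiles: the unknown-MAC profile returns the Cisco-AVPair attributes url-redirect-acl=CLEARPASS-REDIRECT and url-redirect=<portal URL>, and the post-web-auth profile returns the full-access ACL (Filter-Id "ALLOWALL.in" for a switch-resident ACL, or a downloadable ACL) together with Session-Timeout=7200 for the two-hour maximum. Because the redirect session was authorized by MAB, ClearPass must send a RADIUS CoA after the portal login so the switch re-authorizes the session with the new attributes; that is what the `aaa server radius dynamic-author` block enables. A link-down clears the session, so a reconnecting user goes back through MAB and the portal. Verify with `show authentication sessions interface gi1/0/3`: while the portal is pending the output shows the URL Redirect ACL, as in the posted output, and after CoA it should no longer show it and should show a non-N/A session timeout.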
