Security

Reply
Occasional Contributor II
Posts: 20
Registered: ‎04-02-2010

How do I do Mac authentication with ClearPass?

[ Edited ]

Hello, I am working this solution now. But I have some problem with Clearpass Guest.

I am using the Mikrotik RouterOS as a DHCP Server with Radius option enable. Client get IP Address from DHCP Server when using FreeRadius with Mac Address as username and without password.

 

When I use Clearpass as radius and create a Mac Address as username, it must be include a "password" following Mac Address.

 

And I try to create a device account on Clearpass Guest only Mac Address as username without password. Any idea fot this?

Guru Elite
Posts: 19,989
Registered: ‎03-29-2007

Re: How do I do Mac authentication with ClearPass?


ansonhsu wrote:

Hello, I am working this solution now. But I have some problem with Clearpass Guest.

I am using the Mikrotik RouterOS as a DHCP Server with Radius option enable. Client get IP Address from DHCP Server when using FreeRadius with Mac Address as username and without password.

 

When I use Clearpass as radius and create a Mac Address as username, it must be include a "password" following Mac Address.

 

And I try to create a device account on Clearpass Guest only Mac Address as username without password. Any idea fot this?


You add the mac address to the endpoints repository:

 

endpoints.PNG

 

After that, you can save a copy of of the Guest MAC authentication service to Mac authenticate users (make sure you replace Guest SSID Name with the name of your SSID):macauth.PNG

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 20
Registered: ‎04-02-2010

Re: How do I do Mac authentication with ClearPass?

Hi cjoseph,

 

Thanks for your reply.

 

The Guest Mac Authentication must have "mac address as username" and "mac address as password" for authentication success.

My problem is how authentication success only via "mac address as username" without password?

Guru Elite
Posts: 19,989
Registered: ‎03-29-2007

Re: How do I do Mac authentication with ClearPass?


ansonhsu wrote:

Hi cjoseph,

 

Thanks for your reply.

 

The Guest Mac Authentication must have "mac address as username" and "mac address as password" for authentication success.

My problem is how authentication success only via "mac address as username" without password?


ansonhsu,

 

If you want have a list that only has mac addresses, you would create a static host list:

 

statichostlist.PNG

 

To check to see if an incoming device is a member of this list:

roles.PNG

 

Let me know if that will work...

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 20
Registered: ‎04-02-2010

Re: How do I do Mac authentication with ClearPass?

Hi cjoseph,

Thanks for your support.

It's work.
But how could I add some radius attribute like "Framed-IP-Address" and "Framed-Netmask" into Static Host Lists "Mac Address" account?
Guru Elite
Posts: 19,989
Registered: ‎03-29-2007

Re: How do I do Mac authentication with ClearPass?

Framed IP address is an IP address, not a Mac address, so you would have to have a list of IP addresses in your list. You probably also would need to have radius accounting enabled to get the IETF:framed IP address parameter to show up.. What are you trying to do?
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
Occasional Contributor II
Posts: 20
Registered: ‎04-02-2010

Re: How do I do Mac authentication with ClearPass?

Hi cjoseph,

 

Let me explain my case.

 

I have a CPPM self-register portal and Clients can regist their device's MAC Address and IP Address in the register form.See Blow,

Self-Register.JPG 

 

Before client get IP Address from DHCP Server, my DHCP server will do "Mac_Auth" with my CPPM.

after authentication successed, CPPM return Radius "Access-Accept" packet include "Framed-IP-Address" attribute to my DHCP Server.

And then my DHCP Server will deliver a "Static IP Address" register from client  to their device.

 

That's what I are trying to do.

 

But I have a problem with Mac_Auth environment now.

 

Because my DHCP server do Mac_Auth to Radius server with "Access-Request" packet format is below,

dhcp_access-request.JPG

 

The Username is "Mac Address" but the Password is ""(blank or empty).

So I always got authentication failed(Access-Reject) from CPPM's Mac_Auth.

 

 

Any idea for this case?

 

Thanks your reply again.:smileyhappy: 

 

Search Airheads
Showing results for 
Search instead for 
Did you mean: