Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to return username MAC auth

  • 1.  How to return username MAC auth

    EMPLOYEE
    Posted Feb 08, 2014 02:03 AM

    I know there have been a lot of questions on how to return the username instead of the MAC address with ClearPass Guest and MAC caching, so I thought I would post a quick how-to on the policy manager side.

    Couple notes:

    1. Remember you will still need to set up the controller and captive portal in CPGuest.

    2. You must have Insight enabled.

    3. You must have Endpoint Repository as an authorization source.

    returnusername.gif

    As of ClearPass 6.x and AOS 6.2, when doing MAC caching, you can return the username tied to the MAC address instead of the MAC address to the controller.

     

    1. You start by creating a Guest MAC auth service with Start Here or service templates (pre-6.3).

    2. This is what the basic enforcement will look like.

     

     

    screenshot_11 Feb. 08 00.46.gif

    3. Create a new RADIUS Enforcement Profile in CPPM. Set the return attributes below:

    Radius:IETF User-Name=%{Endpoint:Username}.

    4. In your Enforcement Policy, include the above Enforcement Profile. Make sure to include a check for Endpoint:Username Exists.

    One other side note is that you can use the same concept to return the username of the person who registered a device with MACTRAC. Here is an example of where I send back the name of the user that registered an Apple TV.

    Radius:IETF User-Name=%{Endpoint:Sponsor name}.

    screenshot_12 Feb. 08 00.56.gif



  • 2.  RE: How to return username MAC auth

    EMPLOYEE
    Posted Feb 08, 2014 08:04 AM

    This doesn't work with Instant APs though.

     

    Please vote for my feature request here https://arubanetworkskb.secure.force.com/prm/ideas/viewIdea.apexp?id=08740000000LEbJ



  • 3.  RE: How to return username MAC auth

    Posted Feb 08, 2014 10:32 AM

    Thanks for sharing! Instant indeed doesn't do anything with the User-Name attribute with MAC authentication. Same goes for Cisco WLC and a lot of other vendors.



  • 4.  RE: How to return username MAC auth

    EMPLOYEE
    Posted Feb 09, 2014 02:05 AM

    Correct, this setup is for Aruba Controller and Aruba MAS switches. It does come in handy when you are looking at the devices in AirWave for troubleshooting.

    For example, in my lab I return:

    Sponsor Name for MACTRAC/AirGroup devices

    Username for Guests

    Static attribute "Aruba AP" for my wired Access Points

    screenshot_01 Feb. 09 01.00.gif



  • 5.  RE: How to return username MAC auth

    Posted Mar 01, 2014 11:33 AM

    Is profiling needed for the MAC cache part only, or does it have a relation to the setting of username?



  • 6.  RE: How to return username MAC auth

    EMPLOYEE
    Posted Mar 01, 2014 11:34 AM

    Returning the username is only dependent on there being a username or sponsor account tied to the endpoint device or guest device.



  • 7.  RE: How to return username MAC auth

    Posted Mar 13, 2015 09:44 AM

    Info:

    Starting with Instant 6.4.2-4.1.1.1 this seems to work!

    Just reply "User-Name" with your Accept-Response!

    Also, the first Accounting (Acct-Status-Type = Start) comes back with the new username, and the IAP web page also immediately shows the correct username.

    Kind Regards

    Folke



  • 8.  RE: How to return username MAC auth

    EMPLOYEE
    Posted Oct 04, 2017 10:01 PM

    As of some point (I'm working on a 6.6.8 machine now) the correct way to return the Sponsor Name from Device Registration is:

     

    %{Authorization:[Guest Device Repository]:SponsorName}
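
An added example, not part of the thread and not ClearPass or Aruba code: a small Python check that decodes a captured RADIUS Access-Accept (RFC 2865 layout) and reports whether the User-Name returned by the enforcement profile is a username, a MAC address, or absent. The function names and sample packets are constructed for illustration, and the Response Authenticator is not validated.

```python
import re
import struct

ACCESS_ACCEPT = 2    # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1   # RADIUS attribute type (RFC 2865)
# MAC written as 12 hex digits, optionally separated by ':', '-' or '.'
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:.-]?){5}[0-9A-Fa-f]{2}$")

def parse_radius(packet):
    """Return (code, [(attr_type, value_bytes), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the data")
    attrs, pos = [], 20          # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("attribute overruns the packet")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, attrs

def classify_accept(packet):
    """'username', 'mac' or 'missing' for an Access-Accept, else 'not-accept'."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return "not-accept"
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_NAME:
            name = value.decode("utf-8", "replace")
            return "mac" if MAC_RE.match(name) else "username"
    return "missing"

def build_sample(code, attrs):
    """Constructed test packet: zeroed authenticator, not a real capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, 1, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    samples = {
        "username returned": build_sample(2, [(1, b"guest@example.com")]),
        "MAC as User-Name": build_sample(2, [(1, b"001a2b3c4d5e")]),
        "no User-Name": build_sample(2, [(18, b"ok")]),
    }
    for label, pkt in samples.items():
        print(label, "->", classify_accept(pkt))
```

A "missing" or "mac" result for a device that has a username on its endpoint record points at the Endpoint:Username Exists rule or the authorization source rather than at the controller.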