How to return username MAC auth

I know there have been a lot of questions on how to return the username instead of the MAC address with ClearPass Guest and MAC caching, so I thought I would post a quick how-to on the policy manager side.

A couple of notes:

1. Remember you will still need to set up the controller and captive portal in CPGuest.

2. You must have Insight enabled.

3. You must have Endpoint Repository as an authorization source.

As of ClearPass 6.x and AOS 6.2, when doing MAC caching, you can return the username tied to the MAC address instead of the MAC address to the controller.

1. You start by creating a Guest MAC auth service with Start Here or service templates (pre-6.3).

2. This is what the basic enforcement will look like.

[Image: screenshot_11 Feb. 08 00.46.gif]

3. Create a new RADIUS Enforcement Profile in CPPM. Set the return attributes below:

Radius:IETF User-Name=%{Endpoint:Username}.

4. In your Enforcement Policy, include the above Enforcement Profile. Make sure to include a check for Endpoint:Username Exists.

One other side note is that you can use the same concept to return the username of the person who registered a device with MACTRAC. Here is an example of where I send back the name of the user that registered an Apple TV.

Radius:IETF User-Name=%{Endpoint:Sponsor name}.

[Image: screenshot_12 Feb. 08 00.56.gif]

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
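
A way to confirm the result of the steps above from a packet capture (an added example, not part of the original post and not ClearPass code): it parses a RADIUS Access-Accept per RFC 2865 and reports the User-Name only when it is no longer a MAC address. The function names and the sample packets are constructed for illustration.

```python
import re
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code (RFC 2865)
USER_NAME = 1      # RADIUS attribute type (RFC 2865)

def parse_radius(packet: bytes):
    """Return (code, {attr_type: [raw values]}) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = {}, 20  # attributes follow the 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def is_mac(value: str) -> bool:
    """True for aabbccddeeff, aa:bb:.., aa-bb-.. and aabb.ccdd.eeff spellings."""
    bare = re.sub(r"[:.\-]", "", value.lower())
    return re.fullmatch(r"[0-9a-f]{12}", bare) is not None

def returned_username(packet: bytes):
    """User-Name from an Access-Accept, or None if absent or still a MAC."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT or USER_NAME not in attrs:
        return None
    name = attrs[USER_NAME][0].decode("utf-8", "replace")
    return None if is_mac(name) else name

def build_accept(user_name: str) -> bytes:
    """Constructed sample Access-Accept (zeroed authenticator), offline use only."""
    raw = user_name.encode()
    attr = bytes([USER_NAME, 2 + len(raw)]) + raw
    header = struct.pack("!BBH", ACCESS_ACCEPT, 7, 20 + len(attr))
    return header + bytes(16) + attr

if __name__ == "__main__":
    for sample in ("guest01@example.com", "AA-BB-CC-DD-EE-FF"):
        print(sample, "->", returned_username(build_accept(sample)))
```

A `None` result for a cached guest means the enforcement profile did not fire for that session, for instance because the `Endpoint:Username Exists` check failed.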

Re: How to return username MAC auth

This doesn't work with Instant APs though.

Please vote for my feature request here https://arubanetworkskb.secure.force.com/prm/ideas/viewIdea.apexp?id=08740000000LEbJ


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com

Re: How to return username MAC auth

Thanks for sharing! Instant indeed doesn't do anything with the User-Name attribute with MAC authentication. Same goes for Cisco WLC and a lot of other vendors.


ACMX#255 | ACDX#742 | ACCX#746 | AMFX#25 | ACMP | ACCP | AWMP
www.securelink.nl
Aruba

Re: How to return username MAC auth

Correct, this setup is for Aruba Controller and Aruba MAS switches. It does come in handy when you are looking at the devices in Airwave for troubleshooting.

For example, in my lab I return:

Sponsor Name for MACTRAC/Airgroup devices

Username for Guests

Static attribute "Aruba AP" for my wired Access Points

[Image: screenshot_01 Feb. 09 01.00.gif]

Thank You,
Troy


Re: How to return username MAC auth

Is profiling needed for the MAC cache part only? Or does it have a relation to the setting of the username?

Guru Elite

Re: How to return username MAC auth

Returning the username is only dependent on there being a username or sponsor account tied to the endpoint device or guest device.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I

Re: How to return username MAC auth

Info:

Starting with Instant 6.4.2-4.1.1.1 this seems to work!

Just reply "User-Name" with your Accept-Response!

Also, the first Accounting (Acct-Status-Type = Start) comes back with the new username, and the IAP webpage also immediately shows the correct username.

 

Kind Regards

Folke

Occasional Contributor II

Re: How to return username MAC auth

As of some point (I'm working on a 6.6.8 machine now) the correct way to return the Sponsor Name from Device Registration is:

%{Authorization:[Guest Device Repository]:SponsorName}

Carson Hulcher
@carson_hulcher | ACDX 512 | ACCX 583 | ACMP
