Security

Reply
Occasional Contributor II
Posts: 14
Registered: ‎08-03-2009

Keep guest users authenticated with IAP+ClearPass

Dear Community,

 

 I need to use IAP205 APs with ClearPass. I have a guest SSID where the ClearPass provides the external Captive Portal. I can see that the guest users needs to authenticate on the Captive Portal every time when they connect to the SSID. I try to configure that once a client successfully authenticate on the Captive Portal the next few hours there won't be need to reauthenticate with the same device. How can I configure this?

 

Thanks a lot!

 

Best Regards,
Gabor

Guru Elite
Posts: 8,188
Registered: ‎09-08-2010

Re: Keep guest users authenticated with IAP+ClearPass

There is a MAC caching service template in ClearPass.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: Keep guest users authenticated with IAP+ClearPass

[ Edited ]

Hi,


if i would like to authenticate with my domain username and password on Captive Portal with Guest MAC Cache service, how change my service settings?

 

I added my AD auth source to the MAC cache service (Radius Enforcement Generic), but it's not work for me. I got a reject, when the mac auth is in progress.

 

I can see the following error in Request Details Alert tab:
"Failed to get value for attributes=[UserName]"

 

Regards,
Balazs

Thanks,
Balazs
Guru Elite
Posts: 8,188
Registered: ‎09-08-2010

Re: Keep guest users authenticated with IAP+ClearPass

You need to add AD to the web login service, not the MAC cache service.


Thanks,
Tim

Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: Keep guest users authenticated with IAP+ClearPass

Hi Tim,

 

we have two services in ClearPass Tips:

services.png

I added my AD to Authentication Source to User Authentication with MAC. If I connect to my SSID, the Captive Portal page displayed. I logged in my domain username and password, the connection was ACCEPT.

 

If I disconnected my device, and i connect again my SSID, I got a REJECT from MAC Authentication service. The following error is:

alert.png

 

Thanks,

Balazs

Thanks,
Balazs
Guru Elite
Posts: 8,188
Registered: ‎09-08-2010

Re: Keep guest users authenticated with IAP+ClearPass

You shouldn't have MAC-authentication in your web login service.

 

Can you try setting this up with the service template instead?


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Contributor I
Posts: 34
Registered: ‎03-19-2015

Re: Keep guest users authenticated with IAP+ClearPass

[ Edited ]

Hi Tim,

 

I resolved the issue. I can use my userAccountStatus attribute than Guest Role ID.
The MAC service can find this value, what contains every standard user account.
This value is constant 512. And I modified the [Employee] Post Authentication Role, and I use this value.

 

Thanks,

Balazs

Thanks,
Balazs
Search Airheads
Showing results for 
Search instead for 
Did you mean: