Security

Greetings All!!
This is going to be a bit long, but I feel I need to try and describe what we are doing and trying to do as well as the limitations we currently face with the easiest solution...

A company I work with has many local controllers (25 and growing) and has ClearPass. We (customer and me) have been told by their security team that we cannot have ClearPass open to the internet for an external captive portal. We are trying to figure out a way to use the local controller captive portal abilities to auto submit a login with a user's mac address when they click the accept button on the "terms of use page". We are already doing MAB for a few OUIs with ClearPass and I was thinking we could potentialy setup a web login service to have the local captive portal authenticate against. This is what I'm trying to accomplish, and there may be other ways to do it or other solutions. 

1. Device connects to local guest network

2. Device hits MAC auth serivce on clearpass. 

3. If device passes MAB, allow access.

4. If device fails MAB check , give local captive portal role for devcice to click "I accept the terms"

5. Auto submit user's mac address, (similar to mac auth) to clearpass as username for web login service and give the endpoint a date/time stamp attrib for mac cache bypass.

6. Give device access, caching results for future auth in next X days.

Limitations...

No VPN or GRE tunnels to ClearPass. Not scaleable. 

No public ClearPass CP. That would be too easy. :-/

I have it working up to the 4 step. I can send a user to the local captive portal and when they click accept, they get access with the default user role. Unfortunately, I never see this in ClearPass as their is no "user login" in the local captive portal. This means no user caching so they hit the local captive portal every time they connect. 

Is there a way, using hidden HTML code, to auto login a user with their mac address, when they click "I Accept"? Or any other ways you can creatively think to do this?

Thank you so much for taking the time to read my long post and considering a reply!

Hmm, so that is with a captive portal in Clearpass. Currently the guest users are put on a vlan that does not have access to the internal network. The guest user does not have a way to hit a clearpass login page. No vpn/gre tunnel and no public clearpass server. I think I am stuck and need to argue with their security team, but need to exhast all options first. 

Create a guest user in ClearPass manually

Set the captive portal server group to ClearPass

Upload a custom captive portal page with the anonymous user account credentials hidden with a submit button

Now that is a good idea! Then I would see the anonymouse login and accepts the username and password but could use the rest of the auth to get the connection details, like the mac address and add an attribute to cache them for the MAB on the next connect. :D

OK, so now to figure out how to create the custom login page with the user auto filled in and hidden so they only have to click Accept. Do you have a nice link for that? 

Found this and I'm trying to modify it. Just to let others know. 

The silly auto login part is getting me at the moment. 

http://community.arubanetworks.com/t5/Security/Internal-Captive-Portal-with-automatic-guest-auth-and-redirect/td-p/131299

I finally got this working with hidden user and password fields so it is submitted when they click on the button. This authenticates to a logon service in ClearPass with the hidden user and password allowing us to grab the mac address and add an attribute to the endpoint for a mac auth expiry. One click and you are on and good for a week. I have tried to include what we used on the controllers. Should be able to uncomment it and save it as an HTML file.

<!--

<! -- Acceptable Use Captive portal HTML info -->
<html>
<title> Guest Wireless Acceptable Use Policy</title>
<style>
body {
background: #000000;
color: white;
font-family: verdana, arial, helvetica, sans-serif;
font-size: 12px;
font-weight: normal;
margin: 10;
padding: 10;
}
</style>
<body>
<h1 align="center"> Enterprise<br/> Guest Wireless</br>Acceptable Use Policy</h1>
<p>
This Policy is a guide to the acceptable use of the Enterprises Guest Wireless network facilities and services.
<br/><br/>
Any individual connected to the Guest Wireless network in order to use it directly or to connect to any other network(s), must comply with this policy,
the stated purposes and Acceptable Use policies of any other network(s) or host(s) used, and all applicable laws, rules, and regulations.
<br/><br/>
ENTERPRISES MAKES NO REPRESENTATIONS OR WARRANTIES CONCERNING THE AVAILABILITY OR SECURITY OF THE Guest WIRELESS
NETWORK, AND ALL USE IS PROVIDED ON AN AS-IS BASIS. BY USING THE Guest WIRELESS NETWORK YOU AGREE TO DEFEND, INDEMNIFY,
AND HOLD HARMLESS ENTERPRISES FOR ANY LOSSES OR DAMAGES THAT MAY RESULT FROM YOUR USE OF THE Guest WIRELESS NETWORK.
<br/><br/>
Enterprises takes no responsibility and assumes no liability for any content uploaded, shared, transmitted, or downloaded by you or any third party,
or for anything you may encounter or any data that may be lost or compromised while connected to the Guest Wireless Network.
<br/><br/>
Enterprises reserves the right to disconnect any user at any time and for any reason. The Guest Wireless Network is provided as a courtesy to allow
our guests and Guest access to the internet. Users will not be given access to the Enterprises intranet or permission to install any software on our computers.
<br/><br/>
Inappropriate use of the Guest Wireless Network is not permitted. This policy does not enumerate all possible inappropriate uses but rather presents
some guidelines (listed below) that Enterprises may at any time use to make a determination that a particular use is inappropriate:
</p>
<ul>
<li>Users must respect the privacy and intellectual property rights of others.</li>
<li>Users must respect the integrity of our network and any other public or private computing and network systems.</li>
<li>Use of the Guest Wireless Network for malicious, fraudulent, or misrepresentative purposes is prohibited.</li>
<li>The Guest Wireless Network may not be used in a manner that precludes or hampers other users access to the Guest Wireless Network or any other networks.</li>
<li>Nothing may be installed or used that modifies, disrupts, or interferes in any way with service for any user, host, or network.</li>
</ul>
<br><br>
<div align="center">
<b>CLICK ON THE BUTTON BELOW TO ACCEPT THE Guest WIRELESS POLICY TERMS.</b></font></div>
<div align="center">
<br>
<form action="/auth/index.html/u" id="regform" method="post" autocomplete="off" title="Form used by registered users to login">

<div id="usernamebox">
<input type = "hidden" type="text" name="user" id="user" size="25" class="text" accesskey="u" value="_driver"/>
</div>

<div id="passwordbox">
<input id="password" name="password" type="hidden" type="password" size="25" class="text" accesskey="p" value="_driver"/>
</div>

<div id="fqdnbox" style="display: none"></div>

<input type="hidden" name="cmd" value="authenticate" />
<input type="submit" name="Login" value="I accept and agree to the above listed terms." class="button" />
<p>Clicking the above button indicates you have read and accept the Guest Wireless Acceptable Use Policy.</p>

</form>
</div>
</body>

-->