Contributor II
Posts: 51
Registered: ‎04-13-2009

MAC Authentication with Captive Portal fail through

I have a lab set up with ClearPass 6.1 and AOS 6.2.  I am working on a configuration that redirects guest users to a captive portal, and authenticates them against a local guest user database - I set up an account with unlimited use and no expiration.  I am also authenticating employees against an AD database.  I have two SSIDs: employee and guest.  This all seems to work fine.

 

What I want to be able to do is first try to MAC authenticate guest users when they connect, and then pass them through to the guest captive portal if MAC auth fails (i.e. they haven't connected in some period of time, say, 8 hours).

 

I would also like to be able to do something similar with employees connecting to the employee SSID if possible, except employees would be redirected to the AD server for authentication if MAC authentication fails.

 

I have been trying to locate suitable reference materials for this scenario, but have been unsuccessful.  Any reference material, examples, guides, or guidance would be greatly appreciated.

 

Regards,
DAK
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: MAC Authentication with Captive Portal fail through


Good info on how to add the MAC of the user while he is logged in (the guest itself) can be found here:

On The ClearPass Guest Side, go to Customization> Guest Self Registration> Edit.

Below Register Page, Click on Form.  You will be adding two fields to the form, mac, and mac_auth_pair

 

Click anywhere in the form and click on Insert After.  Select mac for the field you want to enter and fill out the field like below.  Rank fills itself out, so you do not have to.

mac.PNG

 

When you save that, insert another field "mac_auth_pair" with the parameters below:  Save and get out of registration.  You should be able to go through self-registration with a new user and not only will a user show up under Guests> List accounts, but the mac address of the device that they registered (a paired account) should also show up under Guests> List Devices.  Let us know if that is working first.

 

mac-auth-pair.PNG

http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Guest-accounts-lifetime-expiry-time-still-can-t-make-it-work/td-p/84554

 

 

Now, under the AAA profile of the guest network on the controller, you should enable MAC auth on the same profile:

 

 

Untitled.png

 

So now (after enabling MAC auth and adding the right fields to the guest register page), each client that connects to the SSID will do a MAC auth against the CPPM devices DB. If it's there (because it's already registered), it will not see the captive portal; if it's new, it will need to register.

 

Just be sure that the MAC auth profile on the Aruba fits the inputs of the MACs your CPPM is getting (just watch your Access Tracker and fit it until you are getting the right result).

Capture2.PNG

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Contributor II
Posts: 51
Registered: ‎04-13-2009

Re: MAC Authentication with Captive Portal fail through

Thank you, kdisc98.  This seems like a lot of gyrations just to tell CPPM that if it sees a guest device reconnecting to the network within a certain period of time, reauthorize it and skip the captive portal.  I can see this use case happening often in situations where guest user devices go to sleep, or get put on standby.

 

Can MAC authentication be used similarly for a .1x Radius-secured network?  Would there even be a use case for that?  Like an employee who puts their laptop to sleep while at lunch?  Or a company executive who puts their tablet computer in standby mode for several hours?

 

Regards,
DAK
MVP
Posts: 4,268
Registered: ‎07-20-2011

Re: MAC Authentication with Captive Portal fail through

 

You can enable MAC CACHING and set it for a certain amount of time (like 8 hours) so the user doesn't have to reauth during that time.

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 51
Registered: ‎04-13-2009

Re: MAC Authentication with Captive Portal fail through

Thank you, Victor.  That seems more straightforward and easier to implement.  Do you know of any good configuration examples of that?

Regards,
DAK
MVP
Posts: 4,268
Registered: ‎07-20-2011

Re: MAC Authentication with Captive Portal fail through

 

I have attached a doc that should help with that.

 

 

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Contributor II
Posts: 51
Registered: ‎04-13-2009

Re: MAC Authentication with Captive Portal fail through

Thank you, Victor and kdisc98.  I appear to have been able to get this working two different ways.  One way involved using the L2 Authentication > MAC Authentication that is available in AOS 6.2 - this feature does not appear to be in version 6.1.  This allows you to enable reauthentication and set the reauthentication interval.  The second method involved disabling reauthentication on the controller and using the Guest MAC Authentication Service Template built into ClearPass instead.  This creates two services: Guest MAC Authentication and Guest Access with MAC Caching.  If you adjust the timer in the MAC Authentication Enforcement policy to suit your needs, you can force ClearPass to hit the captive portal, reauthenticate the user, and cache the MAC address.

 

 

 

Regards,
DAK
MVP
Posts: 1,408
Registered: ‎05-28-2008

Re: MAC Authentication with Captive Portal fail through

Good to know that you figured it out, and configured it like you want.

 

Thanks for updating us.

 

Have a great day.

 

Me.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Frequent Contributor II
Posts: 102
Registered: ‎03-18-2013

Re: MAC Authentication with Captive Portal fail through

Hi, sorry I had to bump this old thread. I'm currently configuring this kind of service on CPPM 6.2.3.

I'm having trouble configuring how MAC caching in CPPM works. All I can find is to create a new service from the service template and, from the template, the minimum MAC caching time I can find is no less than 1 day. Can you tell me how you set MAC caching for 8 hours?

Or even better, if you have documentation on how to manually edit MAC caching in CPPM besides creating it fresh from the service template.

Thanks.

 

R.L.

Ricky E. Lee
CWNA | ACMP | ACCP
Aruba
Posts: 1,542
Registered: ‎06-12-2012

Re: MAC Authentication with Captive Portal fail through

If you use the service template all you need to do is modify the enforcement profile and change it from days to hours.

 

guestmacmin.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
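
A minimal model of the fall-through discussed in this thread, added here as an illustration; it is not code from any poster and not how ClearPass is implemented. It shows MAC authentication against a cache of portal logins with the 8-hour lifetime, and why the MAC format the controller sends has to be normalised before lookup. Function names, the dictionary cache and the sample MACs and timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

CACHE_LIFETIME = timedelta(hours=8)  # the window asked for in the thread
_MAC_RE = re.compile(r"[0-9a-f]{12}")

def normalize_mac(raw):
    """Reduce colon, hyphen, dotted or bare notation to 12 lowercase hex digits."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not _MAC_RE.fullmatch(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def record_portal_login(cache, raw_mac, now):
    """Called after a successful captive-portal login: cache the device."""
    cache[normalize_mac(raw_mac)] = now

def mac_auth(cache, raw_mac, now, lifetime=CACHE_LIFETIME):
    """Return 'guest' on a fresh cache hit, otherwise 'captive-portal'."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError:
        return "captive-portal"
    last_login = cache.get(mac)
    if last_login is None or now - last_login >= lifetime:
        cache.pop(mac, None)  # expired entries must not linger
        return "captive-portal"
    # The MAC is client-asserted, so a hit restores only the guest role.
    return "guest"

def demo():
    cache = {}
    t0 = datetime(2013, 6, 1, 9, 0)  # constructed timestamps and MACs
    results = [mac_auth(cache, "AA-BB-CC-11-22-33", t0)]  # never seen
    record_portal_login(cache, "AA-BB-CC-11-22-33", t0)
    # Same device, different notation, two hours later: cache hit.
    results.append(mac_auth(cache, "aabb.cc11.2233", t0 + timedelta(hours=2)))
    # Nine hours later: entry expired, back to the portal.
    results.append(mac_auth(cache, "aa:bb:cc:11:22:33", t0 + timedelta(hours=9)))
    results.append(mac_auth(cache, "aa:bb:cc:11:22", t0))  # malformed
    return results

if __name__ == "__main__":
    print(demo())
```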