Occasional Contributor II
Posts: 19
Registered: ‎02-15-2014

MAC authentication vs Web authentication

Hi,

I have a 7210 (version 6.3) controller for which I have an external Captive Portal integrated.

I have external MAC caching functional via the external CP server.

MAC cache is working fine for "known" addresses in the MAC cache; however, when the MAC cache is not known, I have the CP configured to have clients post the registered username/password credentials to the configured RADIUS auth server group. The problem I note is that there are no RADIUS messages being sent with the username/password credentials, and subsequently I cannot perform the web auth method.

After various tries I noted that MAC authentication is always being triggered when the MAC address is known, but web authentication is not happening when I submit credentials on the CP page.

I am able to verify that the dst-nat action for the controller internal CP for the HTTPS post is being hit (via show acl hits). I am also able to verify from RADIUS controlpath packet sniffs that there were no RADIUS messages resulting from the client login form post.

Why is the web authentication not happening (i.e. RADIUS auth not sent) when the client submits the login post?

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: MAC authentication vs Web authentication

Do you have a second service for the web authentication in ClearPass?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 4,309
Registered: ‎07-20-2011

Re: MAC authentication vs Web authentication

How's your page configured? To do an AppAuth, RADIUS?
Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Occasional Contributor II
Posts: 19
Registered: ‎02-15-2014

Re: MAC authentication vs Web authentication

Hi cappalli,

No, I do not have ClearPass available.

Please advise why a second service for web auth would be required with ClearPass.

BR,

Guru Elite
Posts: 8,792
Registered: ‎09-08-2010

Re: MAC authentication vs Web authentication

1 service is required to process the mac-authentication and another service is required for the captive portal / web authentication.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: MAC authentication vs Web authentication

If I understand you correctly, you want to do MAC authentication; but if that fails, have the user enter credentials on the Captive Portal page. You claim you have MAC authentication working but webauth is not working when users enter credentials. Can you verify you have defined your RADIUS server group as the authentication source under your Captive Portal Profile?

[Attached image: aos-cp-rad-group.png]

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 19
Registered: ‎02-15-2014

Re: MAC authentication vs Web authentication

Hi victorfabian,

Please elaborate on your query - do you mean my CP server page?

BR,

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: MAC authentication vs Web authentication

Also, did you make sure the credential post is configured properly within the HTML of your external page:

http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-create-a-custom-Captive-Portal-for-public-access/ta-p/177854

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Aruba
Posts: 1,644
Registered: ‎04-13-2009

Re: MAC authentication vs Web authentication

FYI; I think there is confusion around CP in your setup.

Captive Portal

or

ClearPass

I think you said you don't have ClearPass, but are using an external captive portal page. Please see my suggestion above.

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 19
Registered: ‎02-15-2014

Re: MAC authentication vs Web authentication

Hi cappalli,

Please explain what you mean by "service"? This term is not familiar in the Mobility Bootcamp Training; perhaps this is CPPM jargon (of which I do not have much exposure).

I would like the MAC cache check to be done first and, in case of failure there, have the user-login process via the CP applied.

Will I be able to get this done without ClearPass?

Very much appreciate your feedback and insights!

BR,
