Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Unable to update Endpoint attributes after Guest web login

  • 1.  Unable to update Endpoint attributes after Guest web login

    Posted Jan 06, 2017 04:31 PM

    Hello all,

     

    I have a deployment currently running on 6.5.6 with Wireless Guest on a Cisco WLC 8000 series separated by L3.

     

    Mac filter failure to the captive portal sign-in page is great. Users can sign in and browse, no problem. The issue I'm having is on post authentication when applying the Mac caching attributes to update the Mac-Auth Expiry attribute on the endpoint after they've logged in. Long story short, it doesn't update with any attributes, and so Mac caching is not functioning as intended.

     

    Access Tracker entries show the end host identifier as an IP address, not a MAC address like I'm used to seeing. The input tab does not show any mac address details for the client endpoint.

     

    I'm not sure how to go about updating these attributes. Can I update Mac-Auth Expiry through the post authentication/customize endpoint attributes on the web login page? I'd have to create a field for Mac-Auth Expiry at that point. If that's the way, how would I go about it?

     

    Please see attached screenshots for more information. Happy to provide any more information if needed.

     

    Thanks,

    Tim



  • 2.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 06, 2017 04:37 PM

    Can you please share the output tab from Access Tracker as well?



  • 3.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 06, 2017 04:43 PM

    Hi Victor,

     

    I've updated the original post with the screenshot requested.

     

    Thank you,

     

    Tim



  • 4.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 09, 2017 06:51 AM
    Can you please share how you are redirecting the user to the captive portal page?


  • 6.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 09, 2017 11:24 AM

    Mac filtering enabled on the SSID, on MAC filter failure redirect to captive portal web page.

     

    Also of note, I do not have administrative access to the WLC. It is owned by another party, and wireless services are provided through a contract setup.



  • 7.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 10, 2017 06:17 AM
    Do you see the client MAC address in the browser when redirected?

    Also take a look at the Input tab > Computed attributes and see if the MAC address shows up.

    If not, you want to use this:
    https:///guest/guest_page.php?mac=%{Connection:Client-Mac-Address-Colon}


  • 9.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 10, 2017 12:56 PM

    Hi Victor,

     

    Yes, I do see the mac address in the browser URL when redirected.

     

    The client mac address is not present in the input -> computed attributes on the access tracker entry.

     

    To clarify on the URL you provided, is that what I should be asking the WLC admin to update on the captive portal redirect URL?

     

    Thanks!

     

    Tim Friesen

    ACCP/ACMP/CWNA/CWSP



  • 10.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 10, 2017 01:47 PM
    If the mac address is showing then no need to make changes on the WLC.

    The config looks good.

    What version are you running?


  • 11.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 10, 2017 02:28 PM

    6.5.6

     

    Upgrading to 6.6 is on the list, most likely this Spring when busy season dies down.



  • 12.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 10, 2017 04:15 PM
    Please open a case.

    The other thing you can try is re-creating that post_auth enforcement profile.


  • 13.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 10, 2017 04:26 PM

    Ah yes. Good reminder. I've found in the past some post authentication enforcements didn't work properly in certain instances until I recreated them.

     

    I'll give that a shot and if no go will open a case.

     

    Thanks for all the help and suggestions Victor.

     

    Tim



  • 14.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 12, 2017 02:42 PM

    @timdaemon was the post_auth profile the problem?



  • 15.  RE: Unable to update Endpoint attributes after Guest web login

    Posted Jan 12, 2017 02:55 PM

    I actually haven't had an opportunity to try it yet, been a bit preoccupied with other clients the last few days. I haven't forgotten about it though.

     

    I can tell you though that I use the same post_auth profile on the wired guest captive portal side (2920 switches) and it works without issue.



  • 16.  RE: Unable to update Endpoint attributes after Guest web login
    Best Answer

    Posted Jan 17, 2017 01:31 PM

    Hi guys,

     

    Finally back on site with a fresh mind for another round, making some headway this time...

     

    Not sure if I was asleep or just not paying attention when I initially set it up. I had a RADIUS auth service set for the web login page that handled the request coming from the WLC, but that information did not include any MAC address information with it. I had pre-auth check set to none.

     

    Once I configured the pre-auth check for RADIUS and created a new service to handle it, I was able to successfully use my post authentication enforcements on the endpoint, and changes were reflected properly in the endpoint DB.

     

    The other issue that threw me for a loop is my captive portal assistant wasn't behaving properly on my Pixel. It would load the CP, I would log in and it would attempt to post the creds, but fail and then immediately reload the CP page in Chrome where it would then work properly.

     

    When I bypassed the CP assistant on the Pixel and just went straight to Chrome, it was successful on the first attempt.

     

    MAC caching is also verified functioning correctly.

     

    Thanks for the help and sanity checking my config guys. Got 'er beat!

     

    Tim Friesen

    ACMP/ACCP/CWNA/CWSP