Security

Reply
Contributor I

WatchGuard external hostpot to ClearPass

For a PoC I'm currently testing the possibility to integrate ClearPass in an existing Watchguard WLAN environment.

For the guest this doesn't appear to be very simple as the Watchguard expects a certain http POST in order to validate if the user is authenticated.

https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/authentication/hotspot_external_guest_auth_about_c.html

 

In the accept string it expects a "sig" that is a calculation:

A hex encoded string in lower case. It is a SHA1 checksum based on the values of ts, sn, mac, success, sess_timeout, idle_timeout, and the shared secret. The shared secret you use to calculate the hash checksum must match the shared secret configured in the hotspot settings on the Firebox.

The formula to calculate the checksum value is Hash = SHA1(ts + sn + mac + success + sess-timeout + idle_timeout + shared_secret). The Firebox uses the checksum to validate the integrity of the interaction between the client browser and the external web server.

 

Anyone an idea on how to create this digest in order to send the HTTP post back?

Guru Elite

Re: WatchGuard external hostpot to ClearPass

This would require development work to support. Please open a feature request.

One alternative would be to see if the device supports RADIUS dynamic authorization.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
New Contributor

Re: WatchGuard external hostpot to ClearPass

I came up against the same issue. To get around this I have create an 802.1x Wi-Fi network with PEAP, instead of open with captive portal. The network authenticates against the ClearPass guest database. 

 

The added advantage with this is that the user does not need to open the browser and be redirected, often resulting in a certificate error. Instead when connecting to the network the user is prompted for a username and password for which they use the guest details provided through the ClearPass guest registration. Also means that if the account is there for a while the user does not need to keep re-authenticating.

New Contributor

Re: WatchGuard external hostpot to ClearPass

I am confronted with the same situation and would like to use the WatchGuard to redirect to Clearpass Guest.

 

I have placed an Topic in the Innovation Zone where you can vote for it:

 

 

https://innovate.arubanetworks.com/ideas/SEC-I-675

 

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: