Super Contributor I

Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

Hello everyone,

 

I have read about and tested MAC Caching in ClearPass, which lets ClearPass learn the MAC addresses of clients so that they don't have to authenticate every time they connect to a guest network if they were already connected to it. In addition to creating the appropriate service in ClearPass, it is also necessary to enable MAC authentication on the controller, but why? I mean, all the authentication and learning of the MAC address takes place in ClearPass, and regardless of whether MAC authentication is enabled on the controller, the client MAC address is sent to ClearPass when the user connects to the network within the "Radius:IETF:Calling-Station-Id" field, which is enough for ClearPass to check whether the client was already connected to the guest network before or not.

So why enable MAC authentication on the controller for this feature to work? Or what does this feature do on the controller? I have read the controller guide, but it only explains how to enable it and not what it does...

 

Regards,

Julián

Guru Elite

Re: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

MAC caching prevents someone who still has a valid account from getting the captive portal. It's also used for the same purpose with device registration.


The result of the MAC authentication says whether the user should be redirected to a captive portal or sent to their final state.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

Hi Tim,

 

Yes, I know that background; I have tested it as well. But what I don't understand is why I have to enable MAC authentication on the controller as well. Or in other words, why doesn't MAC caching work if MAC authentication is disabled on the controller?

 

Regards,

Julián

Guru Elite

Re: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

In order for ClearPass to perform a MAC authentication, the controller must send a MAC authentication request.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Super Contributor I

Re: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

Thanks, one more question. I have these two rules in my MAC Authentication service:

macauthrules.PNG

 

I understand the second rule, but what does the first rule mean? What's the meaning of the "%{}" operators under the Value column?

 

Regards,

Julián

Guru Elite

Re: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

The username should be the client's MAC address.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
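
As an added illustration of the replies above (not code from the thread, from Aruba or from ClearPass): a MAC authentication request is one whose username is the client's MAC address, and `%{...}` in a rule's Value column is a reference that is replaced by the named attribute's value from the incoming request. The rule below is an assumption, since the screenshot's contents are not reproduced here; the sample requests, the MAC normalization and the names `normalize_mac`, `expand`, `rule_matches` and `classify` are hypothetical and constructed for the example.

```python
import re

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC address."""
    digits = re.sub(r"[-:.]", "", value or "").lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def expand(template, attrs):
    """Replace each %{Name} reference with that attribute's value from the request."""
    return re.sub(r"%\{([^}]+)\}", lambda m: attrs.get(m.group(1), ""), template)

def rule_matches(rule, attrs):
    """Evaluate one (attribute, operator, value-template) rule against a request."""
    name, op, template = rule
    if op != "EQUALS":
        raise ValueError("only EQUALS is modelled in this example")
    left = normalize_mac(attrs.get(name, ""))
    right = normalize_mac(expand(template, attrs))
    # Both sides must be MAC addresses, compared independent of separator and case
    return left is not None and left == right

# Assumed rule: the username must equal the client's MAC address.
MAC_AUTH_RULE = ("Radius:IETF:User-Name", "EQUALS",
                 "%{Radius:IETF:Calling-Station-Id}")

# Constructed request, as sent when MAC authentication is enabled on the controller.
MAC_AUTH_REQUEST = {
    "Radius:IETF:User-Name": "a1b2c3d4e5f6",
    "Radius:IETF:Calling-Station-Id": "A1-B2-C3-D4-E5-F6",
}

# Constructed request that carries the MAC only in Calling-Station-Id.
OTHER_REQUEST = {
    "Radius:IETF:User-Name": "julian",
    "Radius:IETF:Calling-Station-Id": "A1-B2-C3-D4-E5-F6",
}

def classify(attrs):
    """Say whether the request would be handled as a MAC authentication."""
    return "mac-auth service" if rule_matches(MAC_AUTH_RULE, attrs) else "no match"

if __name__ == "__main__":
    for label, req in (("mac auth", MAC_AUTH_REQUEST), ("other", OTHER_REQUEST)):
        print(label, "->", classify(req))
```

With MAC authentication disabled on the controller, no request of the first kind is ever sent, so a rule like this has nothing to match even though `Calling-Station-Id` is present in other requests.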