Security
Occasional Contributor II

Wired Guest Access

Hello everyone !

A customer wants users to do 802.1X authentication on the wired access with ClearPass.

If the 802.1X authentication doesn't work (for a guest user, for example), then the user is redirected to the ClearPass captive portal.

Can someone please explain to me how I can do that?

Thanks all for your help!

Guru Elite

Re: Wired Guest Access

Did you look at the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor II

Re: Wired Guest Access

Hello !

Thank you very much for your reply.

I read some parts of it. I found how to do 802.1X with wired access. I found how to do captive portal with wired access.

But I don't know how the fallback mechanism works: if 802.1X doesn't succeed, we perform web auth...

Guru Elite

Re: Wired Guest Access

It’s all on the switch side.

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP

Re: Wired Guest Access

What kind of switches do you use?

For Cisco you can do something like this:

interface GigabitEthernet1/0/35
 switchport access vlan 100
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
 spanning-tree portfast
!

MAB is the key there, as it's mac address bypass, which in essence is mac-auth. So on failed dot1x it will do MAB, and here you will return the attributes from ClearPass which trigger the redirect ACL. Once redirected and authenticated, you use RADIUS CoA to change the ACL for the client.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
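The post above describes the fallback order on the Cisco port but not how long a supplicant-less guest waits before MAB kicks in, or how the three stages (dot1x timeout, MAB with redirect ACL, web auth, CoA) chain together. The following is an added example, not code from the post or from Cisco: it parses the interface stanza shown above, derives the dot1x timeout from tx-period and max-reauth-req, and walks the authentication order for a client with and without a supplicant. The IOS default values (tx-period 30 s, max-reauth-req 2) and the assumption that a dot1x Access-Reject moves on to the next method (which on IOS requires `authentication event fail action next-method`) are mine, not from the post.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the IOS interface stanza from the post above, pasted verbatim
SAMPLE_PORT_CONFIG = """interface GigabitEthernet1/0/35
 switchport access vlan 100
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
 spanning-tree portfast
!
"""


@dataclass
class PortAuthConfig:
    # Assumed IOS defaults (my recollection, not stated in the post):
    # tx-period 30 s, max-reauth-req 2, order dot1x only
    order: List[str] = field(default_factory=lambda: ["dot1x"])
    tx_period: int = 30
    max_reauth_req: int = 2
    dot1x_enabled: bool = False
    mab_enabled: bool = False


def parse_port_config(text: str) -> PortAuthConfig:
    """Pull the fallback-relevant knobs out of an interface stanza."""
    cfg = PortAuthConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"authentication order (.+)", line):
            cfg.order = m.group(1).split()
        elif m := re.fullmatch(r"dot1x timeout tx-period (\d+)", line):
            cfg.tx_period = int(m.group(1))
        elif m := re.fullmatch(r"dot1x max-reauth-req (\d+)", line):
            cfg.max_reauth_req = int(m.group(1))
        elif line == "dot1x pae authenticator":
            cfg.dot1x_enabled = True
        elif line == "mab":
            cfg.mab_enabled = True
    return cfg


def dot1x_timeout_seconds(cfg: PortAuthConfig) -> int:
    """Seconds a silent (supplicant-less) client waits before the port gives up on dot1x:
    the initial EAP-Request/Identity plus max-reauth-req retransmissions, tx-period apart."""
    return (cfg.max_reauth_req + 1) * cfg.tx_period


def simulate(cfg: PortAuthConfig, has_supplicant: bool, dot1x_accepted: bool = False) -> dict:
    """Walk the configured method order and report which method authorizes the port,
    the seconds elapsed before it ran, and the steps a guest goes through."""
    elapsed = 0
    steps = []
    for method in cfg.order:
        if method == "dot1x" and cfg.dot1x_enabled:
            if not has_supplicant:
                wait = dot1x_timeout_seconds(cfg)
                elapsed += wait
                steps.append(f"dot1x: no EAPOL reply, timed out after {wait}s")
                continue
            if dot1x_accepted:
                steps.append("dot1x: Access-Accept, port authorized")
                return {"method": "dot1x", "elapsed": elapsed, "steps": steps}
            # Assumption: fail action is next-method, so a reject falls through to MAB
            steps.append("dot1x: Access-Reject, trying next method")
            continue
        if method == "mab" and cfg.mab_enabled:
            steps.append("mab: Access-Accept carrying the redirect ACL and portal URL")
            steps.append("client completes web auth on the ClearPass captive portal")
            steps.append("CoA replaces the redirect ACL with the guest ACL")
            return {"method": "mab", "elapsed": elapsed, "steps": steps}
    steps.append("all methods exhausted, port stays unauthorized")
    return {"method": None, "elapsed": elapsed, "steps": steps}


if __name__ == "__main__":
    cfg = parse_port_config(SAMPLE_PORT_CONFIG)
    for step in simulate(cfg, has_supplicant=False)["steps"]:
        print(step)
```

With the posted values a guest laptop with no supplicant sits on the port for 20 seconds before MAB starts; with the assumed IOS defaults it would be 90 seconds, which is why the post lowers tx-period and max-reauth-req.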
Contributor I

Re: Wired Guest Access

If you use Aruba switches you can send an enforcement profile on authentication failure with the captive portal URL (based on HPE VSAs):

Radius:Hewlett-Packard-Enterprise
HPE-Captive-Portal-URL (24)
http://<cppm-server>/guest/<guest-page>.php

Be sure to enable captive portal in the switch.

Also, a couple of downloadable ACLs are required to block all traffic except DNS, DHCP and 80/443 to ClearPass.

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Occasional Contributor II

Re: Wired Guest Access

Thank you all for your answers!

The customer has Extreme switches. I looked for documentation but didn't find anything yet.

Guru Elite

Re: Wired Guest Access

If only there was a doc that covered this step by step ;)

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480