Contributor II

guest cisco wired with mac caching

Hi.

Maybe you can help me.

I have followed the step-by-step guide from this link " https://community.arubanetworks.com/aruba/attachments/aruba/aaa-nac-guest-access-byod/28470/1/Howto%20wired%20Cisco%20MAC%20Caching%20(EN).pdf " to make a Cisco wired captive portal. The redirect URL works fine and I can open the captive portal, but when I enter the credentials (user/pass), ClearPass puts me back in the captive portal role again.

 

I have configured two services: a web auth and a RADIUS MAC auth.

Here are the services, policies and profiles:

web auth service and profiles


mac auth services and profiles


Access Tracker log:

First MAC auth

Web auth user pass accepted

Captive portal enforcement again

Switch config:

aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization exec default local group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
!
aaa server radius dynamic-author
 client 172.31.237.251 server-key xxxxxxxx
 port 3799
 auth-type all
!
ip dhcp snooping
ip device tracking
!
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport access vlan 102
 switchport mode access
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation protect
 mab
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 3
 spanning-tree portfast
!
ip http server
ip http secure-server
!
ip access-list extended ACL-guest
 permit udp any any eq domain
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any host 172.31.236.1
 permit ip any any
!
ip access-list extended cisco-wired-guest-acl
 deny tcp any host 172.31.237.251
 permit tcp any any
!
radius-server attribute 11 default direction in
radius-server vsa send authentication
!
radius server clearpass
 address ipv4 172.31.237.251 auth-port 1645 acct-port 1646
 key xxxxxxx

Guru Elite

Re: guest cisco wired with mac caching

Did you follow the ClearPass Solution Guide for Wired Policy Enforcement?

Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II

Re: guest cisco wired with mac caching

Yes, I followed that document and I do not find what is wrong.

Guru Elite

Re: guest cisco wired with mac caching

Are you sure you followed the correct doc? The link you posted is not the correct doc.


Tim Cappalli | Aruba Security
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480