Security

when creating a new web login on clearpass guest 6.1 (not sure about before) the pre-auth check is enabled by default, is there any good reason to use it when you are doing simple guest access from an Aruba controller?

i was a bit dissapointed by the clearpass guest user guide, 6.1 is better then 6.0 which seems to skip the web login all together (only bits and pieces can be found) but both don't explain the use of pre-auth check.

The way NAS devices like wireless controllers do authentication on external captive portals only allows  standard reject message handling like "authentication failed".  The pre auth check allows CPPM to provide advanced error handling of a reject like "your time limit has been reached" before a user logs in.  It is to do an end run around limited error handing of NAS devices on external captive portals.

thanks cjoseph, that makes a lot of sense.

So now the next question, how does pre-auth check get user on the network?   Is pre-auth and webauth service ordering significant?  I don't see any post-auth actions on pre-auth, so will user have to submit credentials a second time?

Agree the documents don't give any explanation as to the use of both services (or just one) to accomplish user auth.

i believe (but not a 100% anymore) that you will see two hits in the access tracker. there used to be a pre-auth service automatically generated with NAS-IP localhost (127.0.0.1), not sure how that goes in in 6.2.

We see two hits with pre-auth.