Security

Reply
MVP
Posts: 1,392
Registered: ‎11-30-2011

why use pre-auth check?

when creating a new web login on clearpass guest 6.1 (not sure about before) the pre-auth check is enabled by default, is there any good reason to use it when you are doing simple guest access from an Aruba controller?

 

i was a bit dissapointed by the clearpass guest user guide, 6.1 is better then 6.0 which seems to skip the web login all together (only bits and pieces can be found) but both don't explain the use of pre-auth check.

Guru Elite
Posts: 19,961
Registered: ‎03-29-2007

Re: why use pre-auth check?

The way NAS devices like wireless controllers do authentication on external captive portals only allows  standard reject message handling like "authentication failed".  The pre auth check allows CPPM to provide advanced error handling of a reject like "your time limit has been reached" before a user logs in.  It is to do an end run around limited error handing of NAS devices on external captive portals.

 

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: why use pre-auth check?

thanks cjoseph, that makes a lot of sense.

Contributor II
Posts: 56
Registered: ‎04-22-2009

Re: why use pre-auth check?

So now the next question, how does pre-auth check get user on the network?   Is pre-auth and webauth service ordering significant?  I don't see any post-auth actions on pre-auth, so will user have to submit credentials a second time?

 

Agree the documents don't give any explanation as to the use of both services (or just one) to accomplish user auth.

MVP
Posts: 1,392
Registered: ‎11-30-2011

Re: why use pre-auth check?

[ Edited ]

i believe (but not a 100% anymore) that you will see two hits in the access tracker. there used to be a pre-auth service automatically generated with NAS-IP localhost (127.0.0.1), not sure how that goes in in 6.2.

Guru Elite
Posts: 7,836
Registered: ‎09-08-2010

Re: why use pre-auth check?

We see two hits with pre-auth.


Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
Search Airheads
Showing results for 
Search instead for 
Did you mean: