Wireless Access

Reply
Occasional Contributor I

Clearpass Guest setup

Hi,

 

I am just trying to get to the bottom of an issue we seem to have when we have an event on. We have had a solution installed by a company and everything works to a degree but we still have occasions were clients cannot get connected or struggle to get connected on the guest wifi. I have had a look at numerous elements of the solution. The solution is an Aruba 7200 6.4.4.5 Clearpass is 6.6.3.89660.

So I am just trying to confirm if the process the clients receive is normal.

The web page is a simple email address field and a tick box to except the terms and conditions. Providing the user completes this process the Clearpass creates the authentication and sends it to the Controller and lets the user on. It doesn’t use any of the guest services because the licenses that are used on the Clearpass are the Policy Manager licenses

 

I see allot of 216 and 206 errors on the Clearpass. I m trying to confirm if this is correct or is this unique to the configuration. We cache the MAC for 24 hours and then the user has to go through the process again. I can understand this may be related to the Cache MAC being known but I thought it would have just accepted this as a Known device at this time

 

The Radius Request to the Controller is very simple and seems to be made up of the ESSID and the clients MAC address. Providing the system receives this it allocates the user the public-login role before profiling to public-user. I have attempted to diagnosis the errors but there is so many I figured it may be a configuration thing but just wanted to see if I could identify why this is happening. We have had 14k login requests over the last two days and 12k failed logins. It just seems a little too high in my opinion for known devices. Any help greatly appreciated.

 

Thanks,

Gavin

Re: Clearpass Guest setup

Can you not ask the company who installed it?

 

I'm speculating here.. I would image that the failed authentication attempts could be for MAC addresses from users who have not yet authenticated and therefore fail auth.

 

 


Cheers
James
----------------------------------------------------------------------
--------------------------@whereisjrw--------------------------
---------------------------------blog-------------------------------
ACCX #540 | ACMX #353 | ACDX #216 | AMFX #11
----------------------------------------------------------------------
----------------------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Aruba Employee

Re: Clearpass Guest setup


@SSEAdminwrote:

We have had 14k login requests over the last two days and 12k failed logins. It just seems a little too high in my opinion for known devices. Any help greatly appreciated.


As James mentioned, and I think this statement confirms the suspicion, it is probably the mac-auth mechanism used to provide the 24-hour cache that you mentioned.

 

Basically, when a new device tries to connect for guest wireless access, the initial mac-auth fails, ensuring that they get placed into the captive portal role. So there will be that initial failure seen on ClearPass. Once in the captive portal role, the user completes the web form and is granted access. Now ClearPass will have logged a successful login request.

 

If the same suggessful user returns within 24 hours, the mac-auth sends them directly to the authenticated role, bypassing the web form.

 

If a device/user fails to complete the web form and returns within 24 hours, they still fail mac-auth because there is no successful login cached, and so would should up as another failed login event. It's not unusual to have more devices try to connect to a guest SSID than actually pass through successfully, so your numbers don't seem out of line.

 

To verify this, check Access Tracker on ClearPass and look at the failed events. In particular, not the service that was selected for the event that ended in failure. There should be two services (at a minimum) on ClearPass ... the mac-auth caching service, and the guest portal login. 


Charlie Clemmer
Aruba Customer Engineering
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: