01-18-2013 09:00 AM
Good Afternoon All,
I have a scenario I want to accomplish but I'm not sure how. I did a search to see if anyone else has done it and didn't find anything that was quite right. So here is the scenario:
I want an open network for the handhelds in my warehouse. I want the SSID to use MAC filtering so it will only allow my handhelds to connect. I want it to reject any MAC addresses that are not allowed. After a handheld passes the MAC authentication, I want it to catch the user in a captive portal and require a user name and password.
Right now I've got it setup so my handhelds are automatically MAC authenticated but they bypass the captive portal. And clients that are not MAC authenticated go to the captive portal and when they pass the user name and password they are ok to join the network.
Is there a way to reject all non-mac authenticated users and still make the mac autheicated users still have to login via a captive portal?
Any help is appreciated!
01-18-2013 09:24 AM
I assume you have created the WLAN so you will have to configure at least the following:
-MAC authentication profile (Config - Authentication - L2 Authentication)
-MAC authentication server group (you can use the default)
-Captive portal profile (Config - Authentication - L3 Authentication)
-A user-role (Config - Access Control - User role): Add the logon-control and captiveportal policies to this role and assign the captive portal profile to it.
Find the AAA profile which is used by this virtual AP profile and assign the MAC profiles to it. Choose the created user role as the "MAC Authentication Default Role" in the AAA profile.
Add the MAC addresses to the internal DB:
(this is from user guide)
Navigate to the Configuration > Security > Authentication > Servers page.
Select Internal DB.
Click Add User in the Users section. The user configuration page displays.
For User Name and Password, enter the MAC address for the client. Use the format specified by the Delimiter parameter in the MAC Authentication profile. For example, if the MAC Authentication profile specifies the default delimiter (none), enter MAC addresses in the format xxxxxxxxxxxx.
Click Enabled to activate this entry on creation.
Click Apply to apply the configuration.
After this your network should work as you expected.
You can find detailed step-by-step guide on each section in the user guide.
01-18-2013 10:57 AM
Thank you for the response. I walked through your instructions and that is how I had it setup, however it isn't performing the way I want. I want an allowed MAC to have to authenicate through a captive portal also and I want a disallowed MAC to not be allowed at all. Right now, an allowed MAC is allowed on without accessing the captive portal and a non-allowed MAC is given the captive portal and can logon with a username and password.
I've attached screenshots of the profiles and configurations. I feel like it is just one checkbox or profile setting I'm missing but I'm at a loss to which one.
01-18-2013 11:12 AM
I upgraded to 22.214.171.124 yesterday. I do not have the PEFNG License yet. It is on order though. I ran into something else that needed that license yesterday as well. When the license comes in and it gets installed, I guess I'll revisit this then.
While I'm looking around, do you know where I can see what role is assigned after authentication? I can find the inital role, but I can't seem to find where I can select which role is used after a user is authenticated. I'm pretty out of practice. :)
01-18-2013 11:17 AM
The absence of PEFNG makes this layout I guess.
You may check the user roles that the users got after connection in the Monitoring - Clients or Monitoring - All WLAN Clients in Master - local deployment.
What is the role of the user which MAC address is not in the database before and after the captive portal authentication?
What is the role of the user which MAC address is in the database after authentication?
01-18-2013 11:43 AM
Before logging in: cage-cp_prof
After Logging in: guest
Before logging in: (wasn't ever able to see the inital role however it shows MAC as the auth type where the non-MAC shows Web as the auth type)
After logging in: guest
This is an unrelated question, but I'm trying to remember how you can see which role the controller assigns a user after they have been authenticated. Where do I find that and what is it called?
01-18-2013 11:51 AM
I am not sure I know what you mean by your question.
Re your config.
I am not sure that it will work without PEFNG but it's worth a try:
What you need to do is place the non-MAC users in a "noaccess" role and the MAC users in the cage-cp_prof.
Create a user role which denies every traffic.
Try to modify the MAC entries in the internal DB and set the user role to cage-cp_prof. Set the initial role in the AAA profile to this noaccess role. Make sure the MAC users gets the cage-cp_prof.
With this the MAC users should get the CP, the non-MAC users should be able to connect but can not communicate on the network.
01-21-2013 07:22 AM
Thanks for all your help Zshuveti. I've got the license on order and I'll give this a go when I get it and get it installed. I think a lot of things are going to make a lot of sense as soon as I install the license. I'll likely be back asking more questions here in a few days though :)