Security

I'm looking into a strange behavior of a client connected to guest ssid configured as Enhanced Open. Client stays connected to hidden ssid like _owetm_MYGUEST_SSID_mac and never transition to MYGUEST_SSID. If I configure MAC service to use EQUALS for SSID, this client can't connect to the network at all as service categorization is failing. I need to use CONTAINS in the service definition.

I'm wondering if this is because this client maybe does not support Enhanced Open or I have something wrong configured on the controller or ClearPass. Looking into client fingerprint it is Android 10 on mobile phone.

------------------------------
Gorazd Kikelj
------------------------------

When transition mode is enabled, the hidden SSID is the Enhanced Open network. If the client is associating to that ESSID, then it is EO-capable. Your CPPM rule needs to use an ENDS_WITH operator for the ESSID name if you're using transition mode.

------------------------------
Tim C
------------------------------

Original Message:
Sent: Mar 29, 2021 04:33 PM
From: Gorazd Kikelj
Subject: ClearPass MAC authentication and Enhanced Open SSID

I'm looking into a strange behavior of a client connected to guest ssid configured as Enhanced Open. Client stays connected to hidden ssid like _owetm_MYGUEST_SSID_mac and never transition to MYGUEST_SSID. If I configure MAC service to use EQUALS for SSID, this client can't connect to the network at all as service categorization is failing. I need to use CONTAINS in the service definition.

I'm wondering if this is because this client maybe does not support Enhanced Open or I have something wrong configured on the controller or ClearPass. Looking into client fingerprint it is Android 10 on mobile phone.

------------------------------
Gorazd Kikelj
------------------------------

With a central managed AOS10 AP, it seems to also add a random number to the end of the ESSID. So either use Contains, or use a BELONGS_TO list

Original Message:
Sent: Mar 29, 2021 07:17 PM
From: timms
Subject: ClearPass MAC authentication and Enhanced Open SSID

When transition mode is enabled, the hidden SSID is the Enhanced Open network. If the client is associating to that ESSID, then it is EO-capable. Your CPPM rule needs to use an ENDS_WITH operator for the ESSID name if you're using transition mode.

------------------------------
Tim C

Original Message:
Sent: Mar 29, 2021 04:33 PM
From: Gorazd Kikelj
Subject: ClearPass MAC authentication and Enhanced Open SSID

I'm looking into a strange behavior of a client connected to guest ssid configured as Enhanced Open. Client stays connected to hidden ssid like _owetm_MYGUEST_SSID_mac and never transition to MYGUEST_SSID. If I configure MAC service to use EQUALS for SSID, this client can't connect to the network at all as service categorization is failing. I need to use CONTAINS in the service definition.

I'm wondering if this is because this client maybe does not support Enhanced Open or I have something wrong configured on the controller or ClearPass. Looking into client fingerprint it is Android 10 on mobile phone.

------------------------------
Gorazd Kikelj
------------------------------