Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

WatchGuard external hotspot to ClearPass

  • 1.  WatchGuard external hotspot to ClearPass

    Posted Mar 09, 2018 07:25 AM

    For a PoC I'm currently testing the possibility to integrate ClearPass in an existing WatchGuard WLAN environment.

    For the guest this doesn't appear to be very simple, as the WatchGuard expects a certain HTTP POST in order to validate if the user is authenticated.

    https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/authentication/hotspot_external_guest_auth_about_c.html

     

    In the accept string it expects a "sig" that is a calculation:

    A hex encoded string in lower case. It is a SHA1 checksum based on the values of ts, sn, mac, success, sess_timeout, idle_timeout, and the shared secret. The shared secret you use to calculate the hash checksum must match the shared secret configured in the hotspot settings on the Firebox.

    The formula to calculate the checksum value is Hash = SHA1(ts + sn + mac + success + sess-timeout + idle_timeout + shared_secret). The Firebox uses the checksum to validate the integrity of the interaction between the client browser and the external web server.

     

    Does anyone have an idea how to create this digest in order to send the HTTP POST back?
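
The checksum formula quoted in the post above, worked through in Python as an added example; it is not part of the original thread and is not WatchGuard or Aruba code. It assumes the values are concatenated as plain strings in the order the formula gives, that `success` is "1" or "0", and the field formats shown; the sample values and secret are constructed.

```python
import hashlib
import hmac
import re

# Field order as given in the formula quoted in the post.
SIG_FIELDS = ("ts", "sn", "mac", "success", "sess_timeout", "idle_timeout")

# Assumed value formats (not from the page). The formula joins the values with
# no delimiter, so each one is checked before it is hashed.
FIELD_FORMATS = {
    "ts": r"\d{1,12}",
    "sn": r"[0-9A-Za-z]{1,32}",
    "mac": r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}",
    "success": r"[01]",
    "sess_timeout": r"\d{1,9}",
    "idle_timeout": r"\d{1,9}",
}


def compute_sig(fields, shared_secret):
    """SHA1 over the six fields plus the shared secret, as lowercase hex."""
    for name in SIG_FIELDS:
        value = fields.get(name)
        if not isinstance(value, str) or not re.fullmatch(FIELD_FORMATS[name], value):
            raise ValueError(f"missing or malformed field: {name}")
    material = "".join(fields[name] for name in SIG_FIELDS) + shared_secret
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


def verify_sig(fields, sig, shared_secret):
    """Recompute the checksum and compare in constant time; False on bad input."""
    try:
        expected = compute_sig(fields, shared_secret)
    except ValueError:
        return False
    return isinstance(sig, str) and sig.isascii() and hmac.compare_digest(expected, sig)


# Constructed sample values, not taken from a real Firebox.
SAMPLE = {"ts": "1520580300", "sn": "EXAMPLESN0001", "mac": "00:11:22:33:44:55",
          "success": "1", "sess_timeout": "1200", "idle_timeout": "600"}
SAMPLE_SECRET = "example-shared-secret"

if __name__ == "__main__":
    sig = compute_sig(SAMPLE, SAMPLE_SECRET)
    print("sig =", sig)
    print("verifies:", verify_sig(SAMPLE, sig, SAMPLE_SECRET))
```

The shared secret stays on the server that computes the checksum; only the resulting `sig` travels through the client browser.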



  • 2.  RE: WatchGuard external hotspot to ClearPass

    Posted Mar 09, 2018 08:58 AM
    This would require development work to support. Please open a feature request.

    One alternative would be to see if the device supports RADIUS dynamic authorization.


  • 3.  RE: WatchGuard external hotspot to ClearPass

    Posted Apr 16, 2018 04:22 AM

    I came up against the same issue. To get around this I have created an 802.1X Wi-Fi network with PEAP, instead of open with captive portal. The network authenticates against the ClearPass guest database.

    The added advantage with this is that the user does not need to open the browser and be redirected, often resulting in a certificate error. Instead, when connecting to the network the user is prompted for a username and password, for which they use the guest details provided through the ClearPass guest registration. It also means that if the account is there for a while the user does not need to keep re-authenticating.



  • 4.  RE: WatchGuard external hotspot to ClearPass

    Posted May 02, 2018 07:54 AM

    I am confronted with the same situation and would like to use the WatchGuard to redirect to ClearPass Guest.

    I have placed a topic in the Innovation Zone where you can vote for it:

    https://innovate.arubanetworks.com/ideas/SEC-I-675



  • 5.  RE: WatchGuard external hotspot to ClearPass

    Posted Jul 16, 2020 05:17 PM

    Hello guys, some time has already passed since the initial post. Could anyone find any way to integrate WatchGuard wireless with the ClearPass Guest solution?



  • 6.  RE: WatchGuard external hotspot to ClearPass

    Posted Aug 19, 2020 08:37 AM

    Hello,

    Unfortunately not yet.

    It's still (as far as I know) not possible.

    Sorry.