
OS WLAN with MAC Auth Question

  • 1.  OS WLAN with MAC Auth Question

    Posted Apr 17, 2019 03:53 PM


        I am attempting to set up a new SSID with MAC auth against the controller's internal database, as there will only be a handful of devices allowed on this SSID.  I have the WLAN set up on the controller, as well as a MAC auth profile, and a new user profile to be given to these users upon authentication.   The issue I am running into is that the internal database can only be added to at the MM level, but the new role I created is at the managed network level, so I am not able to select that role as the one to be given to the users in the internal db. 


    Hopefully this makes sense, and I am just missing something really minor here that's preventing me from completing this.


    Thanks in advance



  • 2.  RE: OS WLAN with MAC Auth Question

    Posted Apr 17, 2019 04:22 PM

    If your users will only have one role upon successful mac auth, you can just change the default mac authentication role to that role in the AAA profile.

  • 3.  RE: OS WLAN with MAC Auth Question

    Posted Apr 18, 2019 09:27 AM

    Thanks for the reply.   I actually did do that.   The issue is that I am trying to give the users a MAC auth role of "guest-printing", which I created on the controller level.   The internal db, however, can only have users added to it at the MM level, where that new role I created doesn't exist, so the users in the db get handed the role of "guest".


    Hopefully I am explaining this well enough.

  • 4.  RE: OS WLAN with MAC Auth Question

    Posted Apr 18, 2019 03:13 PM

    I think I understand.


    Create a new server group and then put the internal database in it.  Make that new server group your mac authentication server group in the AAA profile.


    What is happening to you is that the default and internal server groups have this rule:


     role value-of String set role


    Which means, when users authenticate to that server group, return the role of the user in the internal database, which at the highest level will default to guest when you add users in the local database.  If you authenticate to your new server group, there will be no rule requiring that the role of the user be returned, which means the users who mac authenticate should then take the default mac authentication role.


    I hope that makes sense and works for you.

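The configuration the reply above describes, written out as an added ArubaOS CLI example (not posted by anyone in the thread): a server group containing only the internal database and carrying no "set role condition Role value-of" rule, and an AAA profile that points MAC authentication at it so clients fall through to the default MAC-auth role. The names "mac-internal-norole" and "guest-printing-aaa" are assumed; "guest-printing" is the role named in the thread, and the MAC address is the constructed one from the thread. Lines starting with "!" are annotations, not commands. Since MAC authentication only checks an address that any client can present, the "guest-printing" role itself should permit no more than the printing traffic those devices need.

```text
! Server group with only the internal database and no role-derivation rule
aaa server-group "mac-internal-norole"
  auth-server Internal
!
! AAA profile for the SSID: clients that pass MAC auth against this group
! receive the default MAC-auth role, here "guest-printing"
aaa profile "guest-printing-aaa"
  mac-default-role "guest-printing"
  mac-server-group "mac-internal-norole"
!
! Device entry added at the MM; the role stored here is no longer consulted
local-userdb add username 112233aabbcc password 112233aabbcc
!
! Verification: the default "internal" group still shows the
! "Role value-of" rule, the new group does not, and the entry exists
show aaa server-group "internal"
show aaa server-group "mac-internal-norole"
show local-userdb
```

After a client associates, "show user" on the managed device should list it with the "guest-printing" role; if it still shows "guest", the AAA profile bound to the virtual AP is not the one that references the new server group.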


  • 5.  RE: OS WLAN with MAC Auth Question

    Posted Apr 18, 2019 11:36 PM

    It seems like a GUI issue to me.

    You can add the MAC address via CLI on MM.


    (MM) [mm] #local-userdb add username 112233aabbcc password 112233aabbcc role guest-printing

  • 6.  RE: OS WLAN with MAC Auth Question

    Posted Apr 19, 2019 08:07 AM

    You can add it, but type "show local-userdb" to see what role it gets.  It will not add a role that is not available at that context.  It will revert to guest.