Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass Guest w/ Mac Auth with failover to Captive portal w/ mac caching

  • 1.  Clearpass Guest w/ Mac Auth with failover to Captive portal w/ mac caching

    Posted Feb 14, 2017 05:56 PM

    I have a deployment where I am using CPPM guest to connect users through a captive portal (username/password based stored in CPPM guest)

    Controllers are using 6.5.1.2 (I have AP-305s) configured in master-redundancy using HA fast failover w/ state sync

     

    SSIDs are WPA2-PSK

    Default mac auth profile on the AAA profile.

     

    The CPPM services are as follows and in order top-bottom

     

    I have a deployment where I am using CPPM guest to connect users through a captive portal (username/password based stored in CPPM guest)

    Controllers are using 6.5.1.2 (I have AP-305s) configured in master-redundancy using HA fast failover w/ state sync

     

    SSIDs are WPA2-PSK

    Default mac auth profile on the AAA profile.

     

    IT WORKS fine with every device but Apple devices. They don't like the MAC auth and it fails constantly...

     

    I know I am going to need to provide more information but let me know what you need if you guys want to help me out..

     

     



  • 2.  RE: Clearpass Guest w/ Mac Auth with failover to Captive portal w/ mac caching

    Posted Feb 16, 2017 05:01 AM
    Were you going to paste your services into the post? Looks like you copied and pasted some of your post rather than the services.


  • 3.  RE: Clearpass Guest w/ Mac Auth with failover to Captive portal w/ mac caching

    Posted Feb 17, 2017 07:52 AM

    When you say fails - how does this show in Access Tracker? Reject, Timeout, nothing?

    Could it be some 802.11k/r issue?



  • 4.  RE: Clearpass Guest w/ Mac Auth with failover to Captive portal w/ mac caching

    Posted Feb 19, 2017 08:11 AM
    It would show up as a MAC auth fail, but the auth tracebuf would show only key 1 of the 4-way handshake being sent. Have a case open, waiting on engineering at this point. No 802.11k/r.
    Ended up being basically all devices, not just Apple.

    Disabling the MAC auth profile on the controller would allow me to enter the PSK and get on. It just would not classify the service on CPPM anymore. So that's where I am now.

    Waiting on TAC.