Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

  • 1.  Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

    Posted Feb 10, 2015 11:27 PM

    Using IAP, is it possible to have a guest network that uses mac auth, without requiring users to interact with a portal when connecting? The goal here is to replicate the configuration of our old WiFi solution so that users won't have to enter new information into their devices or do anything differently.

     

    WLAN "Secure" clients are assigned to VLAN1. There is a single PSK for this WLAN. This is for company-owned devices.

     

    WLAN "Insecure" clients are assigned to VLAN2. There is a different PSK for this WLAN. This is for BYOD.

     

    In addition to the PSK, each WLAN has a set of MACs that are allowed to associate with it. (It would be okay for Secure clients to access the Insecure WLAN, but it would not be acceptable for Insecure clients to access the Secure WLAN. This needs to be enforced at the MAC level since all employees have access to the PSKs. Yes, I am aware that MAC-based filtering isn't the greatest, but it's what I need to have right now.)

     

    So far I've created MAC-based accounts in the internal AAA server for the Secure clients (defined as type "Employee" in the GUI, "radius" in the CLI) and for the Insecure clients ("Guest"/"radius"). Then I created a WLAN of type "Employee" with MAC auth. This is fine--it only allows the Secure clients to associate.

     

    But when I create a WLAN of type "Guest" for the Insecure clients, I have to choose one of the captive portal options before I can select MAC-auth.

     

    In the CLI it's possible to have the necessary combination of options, e.g.

     

    wlan ssid-profile "Insecure"
    index 1
    type guest
    essid "Insecure"
    wpa-passphrase REDACTED
    opmode wpa2-psk-aes
    max-authentication-failures 0
    vlan 10
    auth-server InternalServer
    rf-band all
    captive-portal disable
    mac-authentication

    [...]

     

    But I haven't tested whether this works. I'm also concerned that the config could be overwritten by the web admin interface.

     

    Any advice? Would it be possible to create a "dummy" external captive portal config?

     

    Failing that, how can I get the best performance in a simple "Acknowledged" captive portal? What I'm seeing right now is just as bad as what I often get in public free WiFi locations--it takes forever for an iOS device to display the splash page with an "Accept" button.

     



  • 2.  RE: Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

    Posted Feb 10, 2015 11:37 PM
    You can just use the employee preset instead of guest and it should let you do open with MAC-auth. 


    Thanks, 
    Tim


  • 3.  RE: Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

    Posted Feb 11, 2015 08:37 AM
    I don't think that will work for me. If I use the employee preset I do have that option but then accounts marked as guest cannot associate.

    If I go ahead and change those accounts to employee then they will be able to associate with the Secure WLAN, which is not acceptable.


  • 4.  RE: Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

    Posted Feb 15, 2015 07:56 AM

    you talk about PSK and MAC auth and then suddenly start about guest accounts and employ accounts.

     

    where do the accounts come from?

     

    the names IAP uses are just names. even for guests you can create a employee "type" network based on PSK and MAC auth. guest "type" probably always adds some form of captive portal.



  • 5.  RE: Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

    Posted Feb 17, 2015 06:31 PM

    You're right: the terms we use to classify the two groups of machines don't matter.

     

    What does matter is that both groups need to be authenticated via MAC and PSK AND GroupB can't be allowed to use the same WLAN/VLAN as GroupA even if they get hold of the GroupA PSK.

     

    The simple way to do this is to assign GroupA to an Employee WLAN and GroupB to a Guest WLAN, then set up the corresponding clients as Type Employee and Type Guest within the Internal Server. (In the CLI, the same types are referred to as "radius" and "portal".) Unfortunately, Guest WLAN with MAC/PSK auth always requires some kind of captive portal even if it's just "acknowledge". This conflicts with existing user expectations from our old system and we don't want to deal with potential issues and questions.

     

    If we make GroupB an Employee WLAN and turn the corresponding clients into Type Employee ("radius"), then we can't easily exclude the GroupB clients from WLANA based on MAC.

     

    After speaking to Aruba support I've been given a workaround, which is to use Roles based on MAC address. I'll have to create a role assignment rule for each client in GroupA. Support told me that I can create 512 role-based rules (per cluster? per WLAN? doesn't matter), which will probably be adequate for the time being.

     

    It's a clumsy workaround but barring any performance issues with having dozens of role assignment rules, it looks like it will work.



  • 6.  RE: Instant cluster (IAPs/VC) with guest network with PSK and mac auth, no captive portal

    Posted Feb 26, 2015 01:58 PM

    Well, it turns out that support steered me wrong as only 16 role-assignment rules are allowed per-WLAN.

     

    At this point I'm willing to accept having a captive portal of type "Internal - Acknowledged" but I've found that performance of the captive portal is horrible with Apple devices. This is apparently because Apple devices that encounter captive portals will try to reach any of a number of Apple-controlled websites as part of the process, and when they don't succeed, there's a delay of up to half a minute or more. This is an issue that's described in a few places such as: http://stackoverflow.com/questions/18891706/ios7-and-captive-portals-changes-to-apple-request-url and https://discussions.apple.com/thread/6103468

     

    There's even an Aruba article at https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-1680 but it's outdated and it seems to refer to commands that aren't available in Instant.