Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Aruba Central and Clearpass - Cisco Anyconnect Always on

  • 1.  Aruba Central and Clearpass - Cisco Anyconnect Always on

    Posted Jun 19, 2024 05:06 AM


    I have a new build with an Aruba Central deployment using Clearpass as the Web Portal page to accept Terms and Conditions before being granted internet access. After first login with acceptance of terms, MAC Address authentication applies with no problem. This works without issue.

    I have some Cisco Anyconnect users who have an issue though. It seems that when they attempt to connect to the network they cannot connect - Clearpass has the mac address whitelisted as part of the logon and as an approved device. I think the laptops of concern are attempting to connect straight out to terminate their VPN without allowing the connection to the wifi to complete - unless they set captive portal remediation, which apparently they don't have the capability to do.

    Is there anything that can be done that would allow these specific MAC addresses out without the clearpass level - a new hidden SSID locked to MACs on Aruba Central rather than Clearpass that has a completely open connection but provides DHCP?



    Is there any way I can allow devices 

  • 2.  RE: Aruba Central and Clearpass - Cisco Anyconnect Always on

    Posted Jun 20, 2024 12:33 PM

    So they are not able to open a browser and try accessing an external site? This should redirect if you are assigning a captive portal. Is DNS allowed for the client prior to the terms acceptance?

    Dustin Burns

    Lead Mobility Engineer @Worldcom Exchange, Inc.

    ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
    If my post was useful accept solution and/or give kudos

  • 3.  RE: Aruba Central and Clearpass - Cisco Anyconnect Always on

    Posted 27 days ago

    Not sure what is the exact question and what you tried or didn't. Just some ideas or guidance:

    With always-on VPNs, it may be that the client cannot be redirected to the captive portal as the client tries to tunnel all traffic over the VPN, which cannot come up as the user would need to authenticate first to the VPN. You mention captive portal remediation, which sounds like a VPN client feature that detects/allows a captive portal when the VPN is not up (or cannot be established).

    If these are known clients, you could either allow their MAC addresses (for example by attribute in the endpoint database) direct access, bypassing/exempted from the captive portal. This is done by MAC authentication before the captive portal. Note that more and more operating systems move to randomized MAC addresses, making this solution more or less useful. The other option is to allow the VPN traffic through your captive portal (walled garden, pre-auth role), which would remove the need for users that use this VPN to login to the captive portal, under the assumption that all traffic is tunneled through the VPN.

    It may be best to first better understand the problem, then see which of the options is the best in your case.

    Herman Robers
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
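The two options described in the reply above (a MAC-auth exemption ahead of the captive portal, and a pre-auth walled-garden role that lets the VPN and DNS through), modelled as a small Python policy check. This is an added example, not code from the thread or from ClearPass/Central; the endpoint database, the headend address and the rule list are constructed placeholders, and it also flags the randomized-MAC caveat by testing the locally-administered bit.

```python
from typing import Optional, Tuple

# Hypothetical endpoint database (constructed sample): MAC -> attributes
ENDPOINT_DB = {
    "3c:52:82:11:22:33": {"captive_portal_bypass": True},
    "b2:1f:00:aa:bb:cc": {"captive_portal_bypass": True},  # randomized-looking MAC
}

# Hypothetical pre-auth (walled garden) rules: (proto, dst, dport)
VPN_HEADEND = "203.0.113.10"  # placeholder headend address (TEST-NET-3)
PREAUTH_ALLOW = [
    ("udp", "any", 53),         # DNS: without it the portal redirect never happens
    ("udp", "any", 67),         # DHCP
    ("udp", VPN_HEADEND, 443),  # VPN client DTLS to the headend
    ("tcp", VPN_HEADEND, 443),  # VPN client TLS to the headend
]


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02) of the first octet is set, i.e. the address
    is locally administered, which is what OS MAC randomization produces."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def mac_auth_role(mac: str) -> Tuple[str, Optional[str]]:
    """Option 1: MAC authentication before the captive portal.
    Returns (role, warning); known exempt MACs skip the portal."""
    attrs = ENDPOINT_DB.get(mac.lower())
    if not attrs or not attrs.get("captive_portal_bypass"):
        return "captive-portal", None
    warning = None
    if is_locally_administered(mac):
        warning = "randomized MAC: exemption breaks when the OS rotates it"
    return "internet-access", warning


def preauth_allows(proto: str, dst: str, dport: int) -> bool:
    """Option 2: does the walled-garden role pass this flow before the
    user has accepted the terms?"""
    return any(p == proto and d in ("any", dst) and port == dport
               for p, d, port in PREAUTH_ALLOW)
```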