Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Aruba Clearpass Wireless GUEST with Ruckus Access Points - GUEST user endpoint registered with AP MAC Address

  • 1.  Aruba Clearpass Wireless GUEST with Ruckus Access Points - GUEST user endpoint registered with AP MAC Address

    Posted Jun 30, 2022 10:48 AM
    Hi guys.
    This is my first post. I am a network technician, ACSP certified, and I work for a system integrator in Italy.
    I have a very specific question for you all.
    Our customer has a Ruckus Wireless infrastructure based on several Access Points managed by a cluster of 2 Virtual Smart Zone controllers.
    We set up a GUEST WiFi Network with self-registration handled by Aruba Clearpass.
    The self-registration works well, but clients that roam or get disconnected from the WiFi network are forced to re-login by the captive portal.
    It seems that MAC caching is not working well, even if we de-activate the privacy setting on the smartphones, forcing them to use the physical MAC address of the device (the default for Android is to use a randomly generated MAC address).
    In fact, as you might know, ClearPass normally uses 2 services for a GUEST Access:
    - first: a Service that allows access to captive-portal logon users;
    - second: a MAC authentication Service that should authenticate the endpoint MAC Address directly, bypassing the captive-portal login.
    Taking a look at the registered user, I noticed that the Endpoint MAC address shown in the Guest User detail page IS NOT the device MAC Address, but the Ruckus Access Point MAC Address.
    The Endpoint MAC Address IS NOT the endpoint device one, but the Access Point one.

    When the user logs in with captive portal registration, the endpoint MAC address is the real MAC of the endpoint:
    When the Guest user logs on, the Endpoint MAC Address is the real device MAC Address.
    So, my opinion is that if I activate the Wireless MAC authentication service, it will fail to authenticate "MAC cached" endpoint devices, because the second time the device tries to connect to the GUEST WiFi Network, the endpoint will not be recognized, since its MAC Address is not the same as in the Guest user repository.
    Am I right or wrong?
    Any idea to solve the issue?
    Thank you very much.


  • 2.  RE: Aruba Clearpass Wireless GUEST with Ruckus Access Points - GUEST user endpoint registered with AP MAC Address

    Posted Jun 30, 2022 09:19 PM
    So you got two problems now, right:

    - roaming client gets disconnected if out of reach, and it doesn't hand over properly to the next AP; or, when reconnecting back, the end-device connects with a different random MAC

    - endpoint MAC registered is the Ruckus AP, not the real end-device MAC


  • 3.  RE: Aruba Clearpass Wireless GUEST with Ruckus Access Points - GUEST user endpoint registered with AP MAC Address

    Posted Jul 01, 2022 03:32 AM
    Hi matchbear.
    Not exactly.
    If we set up the device to use the physical MAC address, the MAC address used is always the real MAC address of the device and not a random one.
    If the client roams directly from one AP to another, there is no problem. If the client gets out of an AP coverage area, passes through an area not covered by any AP and then enters another AP coverage area, it is redirected to the captive portal page instead of getting access immediately.
    This is caused by the "GUEST WiFi MAC authentication service" that is unable to authenticate the client only by MAC address because it is not cached, I think, and it is not cached because the endpoint MAC registered in the GUEST user repository is the Access Point MAC address and not the device MAC address.


  • 4.  RE: Aruba Clearpass Wireless GUEST with Ruckus Access Points - GUEST user endpoint registered with AP MAC Address

    Posted Jul 01, 2022 10:10 PM

    When you say this:
    "If we set up the device to use the physical MAC address, the MAC address used is always the real MAC address of the device and not a random one."

    Do you crosscheck the Access Tracker INPUT and what you see at the Guest User Repo? Do they both have the same Endpoint Category, Endpoint OS Family, Endpoint Name?

    Coz, once the endpoint reconnects back after traveling through a so-called blank spot, what we see here is that in Guest it shows SmartDevice, Windows, Windows Mobile, but in Access Tracker it shows Generic, Generic, Unclassified Device.

    So first, I think you'll have to find out why ClearPass classifies the two MAC addresses as those.
    66:5b:17:35:82:a1 is supposed to be the Android, right? But the MAC OUI lookup says it is unknown.
    While 1c3a60 is definitely Ruckus, doesn't matter if it is the ETH / BSSID interface, but strangely it is being classified as Windows (which I suppose is the phone itself, right?)

    I suspect in Ruckus you have the option to encapsulate the auth packet so that the RADIUS server (ClearPass) only sees the Ruckus ETH/BSSID.
    Do a packet capture from ClearPass first, and try to see if the phone's MAC address is received at ClearPass itself, either in the RADIUS packet or in the raw Layer-2 packet itself.

    In the end, I would say that ClearPass is always the passive device: it sees what it receives and shows it to us.
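An offline way to do the crosscheck matchbear describes, added here as an example and not part of the thread or of any ClearPass tooling: a small parser for the RADIUS Access-Request attributes the NAS sends, which compares Calling-Station-Id (the client MAC as the AP reports it) with Called-Station-Id (the AP MAC plus SSID) and flags the symptom from this thread, the AP's own address showing up as the client. The two packets, the low bytes of the AP address and the SSID are constructed values; only the Ruckus OUI 1c:3a:60 and the address 66:5b:17:35:82:a1 come from the thread.

```python
import re
import struct

# RADIUS attribute types (RFC 2865) that carry the two MACs ClearPass sees
CALLED_STATION_ID = 30   # NAS/AP side, for wireless usually "AP-MAC:SSID"
CALLING_STATION_ID = 31  # the client MAC, exactly as the NAS chose to report it
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[-:]?){6}|^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")

def parse_radius_attributes(packet: bytes) -> dict:
    """Split a RADIUS packet (20-byte header + TLV attributes) into {type: [value, ...]}."""
    if len(packet) < 20:
        raise ValueError("packet too short for a RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet):
        raise ValueError("RADIUS length field exceeds captured bytes")
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], (packet[pos + 1] if pos + 1 < length else 0)
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def normalize_mac(value: bytes) -> str:
    """Reduce AA-BB-CC-DD-EE-FF, aa:bb:..., aabb.ccdd.eeff or AABBCCDDEEFF (optional :SSID suffix) to 12 hex chars."""
    m = MAC_RE.match(value.decode("ascii", "replace").lower())
    return re.sub(r"[-:.]", "", m.group(0)) if m else ""

def check_station_ids(packet: bytes) -> dict:
    """Extract both MACs and flag the thread's symptoms: AP address reported as the client, and a locally administered (x2/x6/xA/xE first octet, i.e. randomised) client MAC."""
    attrs = parse_radius_attributes(packet)
    client = normalize_mac(attrs.get(CALLING_STATION_ID, [b""])[0])
    ap = normalize_mac(attrs.get(CALLED_STATION_ID, [b""])[0])
    return {
        "client_mac": client,
        "ap_mac": ap,
        "ap_mac_as_client": bool(client) and client == ap,
        "locally_administered": bool(client) and bool(int(client[:2], 16) & 0x02),
    }

def build_access_request(avps) -> bytes:
    """Constructed Access-Request (code 1, zero authenticator) for offline testing, not a real capture."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in avps)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed samples: the AP uses the Ruckus OUI 1c:3a:60 from the thread plus made-up low bytes.
AP = b"1C-3A-60-AA-BB-CC:GuestWiFi"
PKT_AP_AS_CLIENT = build_access_request([(CALLING_STATION_ID, b"1C-3A-60-AA-BB-CC"), (CALLED_STATION_ID, AP)])
PKT_REAL_CLIENT = build_access_request([(CALLING_STATION_ID, b"66-5B-17-35-82-A1"), (CALLED_STATION_ID, AP)])
```

Running `check_station_ids` over attributes pulled from a real capture shows whether the NAS itself already substitutes its BSSID for the client, in which case no ClearPass-side MAC caching can ever match the device.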

  • 5.  RE: Aruba Clearpass Wireless GUEST with Ruckus Access Points - GUEST user endpoint registered with AP MAC Address

    Posted Jul 01, 2022 10:16 PM
    And, if you have the luxury to lab, maybe you can do a simple lab with a simpler Ruckus setup, and try other brands as well, such as Cisco or Aruba.