Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

ClearPass Attributes not getting added to endpoint after going through portal redirect

This thread has been viewed 28 times
  • 1.  ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 27 days ago

    Hello,

    Endpoints connecting to the Guest internet on our Cisco WLC are not getting attributes added to the endpoint whenever they authenticate through a Portal we have set up on CPPM. I can manually set the attributes and make it a known endpoint to access the internet from Guest WiFi, but it needs to be done automatically to support our userbase.

    The attributes I wanted added after a user authenticates through the portal are:

    Updating the Endpoint as Known

    Allow-Guest-Internet = true

    AccountEnabled = true

    AccountExpired = false

    Thanks. I imagine there is more information that I will need to provide, I am just not certain exactly what is needed. I am still pretty new to Clearpass.



  • 2.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 27 days ago

    Hi

    Can you provide screenshots of the configuration of the guest authentication services you have configured?

    The attributes should be assigned by enforcement profiles of the type ClearPass Endpoint Update Enforcement that are applied when the guest signs in to the captive portal.

    The two attributes AccountEnabled and AccountExpired are values from the Guest Device Repository.

    In the Service for guest logon you have to have the Guest Device Repository as one of the authentication sources if you would like the guests to be able to register for a guest account and log in. You also need to add [Time Source] as an Authorization source to the service. Otherwise time staps will not be written correctly.

    If you utilize the service template for Guest Authentication with MAC Caching and create the two services, you will also get the enforcement profiles that will write the needed information to the Endpoints Repository, and a role mapping policy utilizing the information in the Guest Device repository.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 27 days ago

    Looks like Guest User & Device Repository is already set as an Authentication Source.

    We have the service for Guest Authentication with MAC Caching as well, with Endpoints Repository and a role mapping policy. Uncertain if the role mapping policy is using Guest Device Repository, so I'll upload a screenshot of that Role Mapping Policy below.




  • 4.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect
    Best Answer

    EMPLOYEE
    Posted 27 days ago

    Your MAC auth service shouldn't be setting any attributes on the endpoint since the MAC auth service is trying to read those attributes.  You need to share the enforcement tab from the Test User Authentication with MAC Caching service.  There should be a condition similar to my screenshot, that includes a policy that tags the attributes.  Need to make sure that the source of the data ([Time Source] when talking about a timestamp) is included as an authorization source.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 23 days ago

    Here is the Enforcement tab of my User Auth with MAC Caching service

    EDIT: I updated the Enforcement Policy in that service to include the Make-Cisco-Guest-Valid profile, that should add the Allow-Guest-Internet = true attribute to endpoints 

    EDIT2: Guest Wireless is now working. It looks like we already had an Enforcement Profile in place with Test User Authentication with MAC Caching Enforcement Policy to update endpoint known and apply the created Attribute, I just overlooked it. It can be found in the Test Guest Profile enforcement profile that is applied to the above stated Service. The real issue I was having seemed to be a mismatch with the SSID I had in both running services to what was actually being broadcast. i.e., COMPANY-GUEST1 vs COMPANY-GUEST, when the latter was the correct SSID that was being broadcasted. I also adjusted the order of the services to where Test User Auth...is first, before Test MAC Authentication.




  • 6.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    EMPLOYEE
    Posted 23 days ago

    Good to hear.  User auth before MAC auth in the service list isn't going to make a difference as the service categorization criteria is different.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------