  • 1.  ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted Mar 28, 2024 11:09 AM

    Hello,

    Endpoints connecting to the Guest internet on our Cisco WLC are not getting attributes added to the endpoint whenever they authenticate through a Portal we have set up on CPPM. I can manually set the attributes and make it a known endpoint to access the internet from Guest WiFi, but it needs to be done automatically to support our userbase.

    The attributes I wanted added after a user authenticates through the portal are:

    Updating the Endpoint as Known

    Allow-Guest-Internet = true

    AccountEnabled = true

    AccountExpired = false

    Thanks. I imagine there is more information that I will need to provide; I am just not certain exactly what is needed. I am still pretty new to ClearPass.



  • 2.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted Mar 28, 2024 03:11 PM

    Hi

    Can you provide screenshots of the configuration of the guest authentication services you have configured?

    The attributes should be assigned by enforcement profiles of the type ClearPass Endpoint Update Enforcement that are applied when the guest signs in to the captive portal.

    The two attributes AccountEnabled and AccountExpired are values from the Guest Device Repository.

    In the Service for guest logon you have to have the Guest Device Repository as one of the authentication sources if you would like the guests to be able to register for a guest account and log in. You also need to add [Time Source] as an Authorization source to the service. Otherwise timestamps will not be written correctly.

    If you utilize the service template for Guest Authentication with MAC Caching and create the two services, you will also get the enforcement profiles that will write the needed information to the Endpoints Repository, and a role mapping policy utilizing the information in the Guest Device repository.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted Mar 28, 2024 03:56 PM

    Looks like Guest User & Device Repository is already set as an Authentication Source.

    We have the service for Guest Authentication with MAC Caching as well, with Endpoints Repository and a role mapping policy. Uncertain if the role mapping policy is using Guest Device Repository, so I'll upload a screenshot of that Role Mapping Policy below.




  • 4.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect
    Best Answer

    Posted Mar 28, 2024 08:10 PM

    Your MAC auth service shouldn't be setting any attributes on the endpoint since the MAC auth service is trying to read those attributes.  You need to share the enforcement tab from the Test User Authentication with MAC Caching service.  There should be a condition similar to my screenshot, that includes a policy that tags the attributes.  Need to make sure that the source of the data ([Time Source] when talking about a timestamp) is included as an authorization source.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted Apr 01, 2024 08:58 AM
    Edited by mccoyjac Apr 01, 2024 11:12 AM

    Here is the Enforcement tab of my User Auth with MAC Caching service

    EDIT: I updated the Enforcement Policy in that service to include the Make-Cisco-Guest-Valid profile; that should add the Allow-Guest-Internet = true attribute to endpoints.

    EDIT2: Guest Wireless is now working. It looks like we already had an Enforcement Profile in place with Test User Authentication with MAC Caching Enforcement Policy to update endpoint known and apply the created Attribute, I just overlooked it. It can be found in the Test Guest Profile enforcement profile that is applied to the above stated Service. The real issue I was having seemed to be a mismatch with the SSID I had in both running services to what was actually being broadcast. i.e., COMPANY-GUEST1 vs COMPANY-GUEST, when the latter was the correct SSID that was being broadcasted. I also adjusted the order of the services to where Test User Auth...is first, before Test MAC Authentication.




  • 6.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted Apr 01, 2024 02:59 PM

    Good to hear.  User auth before MAC auth in the service list isn't going to make a difference as the service categorization criteria is different.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
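
A simplified model of the two points made in posts 5 and 6, added here as an example (it is not ClearPass code and not from any poster): services are tried in order and the first one whose rules all match handles the request, so an SSID in the rules that differs from the broadcast SSID means the service is never selected, while reordering two services whose rules are mutually exclusive changes nothing. The Called-Station-Id format `<AP MAC>:<SSID>`, the rule fields and the sample requests are assumptions constructed for illustration.

```python
import re

# Assumption: the controller sends Called-Station-Id as "<AP MAC>:<SSID>".
CALLED_ID = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}:(.+)$")

def ssid_from_called_station_id(value):
    """Return the SSID suffix of Called-Station-Id, or None if there is none."""
    match = CALLED_ID.match(value)
    return match.group(1) if match else None

def norm_mac(value):
    """Lower-case 12-hex-digit form of a MAC address, or None if not a MAC."""
    digits = re.sub(r"[-:.]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def categorize(request, services):
    """Return the name of the first service whose rules all match, else None."""
    ssid = ssid_from_called_station_id(request["called_station_id"])
    user_mac = norm_mac(request["user_name"])
    # MAC auth: the client sends its own MAC address as the user name.
    is_mac_auth = user_mac is not None and user_mac == norm_mac(request["calling_station_id"])
    for svc in services:
        if svc["ssid"] == ssid and svc["mac_auth"] == is_mac_auth:
            return svc["name"]
    return None

def build_services(ssid, user_auth_first=True):
    """Hypothetical rule sets for the two services named in the thread."""
    user = {"name": "Test User Authentication with MAC Caching", "ssid": ssid, "mac_auth": False}
    mac = {"name": "Test MAC Authentication", "ssid": ssid, "mac_auth": True}
    return [user, mac] if user_auth_first else [mac, user]

# Constructed sample requests; the WLAN actually broadcasts COMPANY-GUEST.
PORTAL_LOGIN = {"called_station_id": "00-11-22-33-44-55:COMPANY-GUEST",
                "calling_station_id": "aa-bb-cc-dd-ee-ff", "user_name": "guest@example.com"}
MAC_AUTH = {"called_station_id": "00-11-22-33-44-55:COMPANY-GUEST",
            "calling_station_id": "aa-bb-cc-dd-ee-ff", "user_name": "aabbccddeeff"}

if __name__ == "__main__":
    for label, ssid in (("rules say COMPANY-GUEST1", "COMPANY-GUEST1"),
                        ("rules say COMPANY-GUEST", "COMPANY-GUEST")):
        for first in (True, False):
            svcs = build_services(ssid, user_auth_first=first)
            print(label, "| user auth first:", first, "|",
                  categorize(PORTAL_LOGIN, svcs), "|", categorize(MAC_AUTH, svcs))
```

In a real deployment the equivalent check is to compare the SSID shown in the request details against the SSID in each service's rules.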