Security

Hello guys,

I have a bit of a doozy here that I'm trying to solve. This is for a guest network. Pertinent details below:

- Guest wireless system using captive portal + MAC caching
- Server-initiated setup
- Interfaces with Cisco WLCs
- Clients initiate with L2 MAC authentication. This service looks to see if Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}). If this is is true, it sends back an allow access. If not, it sends back a captive portal enforcement policy that returns url-redirect and url-redirect-acl
- Portal accept button triggers a WEBAUTH that processes the request and updates two Endpoint values. Allow-Guest-Internet (boolean) and MAC-Address-Expiration (epoch)
- Allow-Guest-Internet set to TRUE
- MAC-Address-Expiration set to %{Authorization:[Time Source]:Now Plus 1day} (not a custom Time Source filter)
- Client is set a CoA (below)


- The client reauthenticates via L2 with the export anchor still active on the WLC anchor side
- At this point, the client should satisfy Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}) so it will be given an allow access profile.
- Login delay on page is set to 8 seconds
- CoA delay on clearpass servers is set to 8 seconds

The problem:

Intermittently, clearpass is FAILING to write the output values of the WEBAUTH request into the endpoint database so the subsequent MAC auth triggers the portal again instead of an allow access. Clients on iPhones will get the hotspot login page error. Other devices will loop around the portal again. It depends on the device.

Visual evidence:

Here is a client exhibiting the problem.

MAC Auth #1 Client has a previous value that is now expired of 1684682572. Time Source Now = 1684758610


WEBAUTH Request Output. New expiration value = 1684848708


MAC Auth #2. Shows MAC-Auth-Expiration value of 1684682572 which was the ORIGINAL value, not the updated one. 


Client then went through the portal again, and on the second go around, it updated.

I'm at a loss here and can't understand why the DB is failing to write these values intermittently. System stats are not not showing anything taxed, however I do see events in the event viewer showing long running queries so that's evidence to suggest the disk is not keeping up with these random I/O reads and writes. Another thing I'm looking at is our maximum number of DB connections is set to the default of 400. Would increasing this to 700  (or more) per Airheads Community be helpful?

Any thoughts? I would be extremely grateful for any help with this. I do have a TAC case open but I wanted to get y'alls opnion on this as well.

Thanks,
Max Turpin

Hello guys,

I have a bit of a doozy here that I'm trying to solve. This is for a guest network. Pertinent details below:

- Guest wireless system using captive portal + MAC caching
- Server-initiated setup
- Interfaces with Cisco WLCs
- Clients initiate with L2 MAC authentication. This service looks to see if Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}). If this is is true, it sends back an allow access. If not, it sends back a captive portal enforcement policy that returns url-redirect and url-redirect-acl
- Portal accept button triggers a WEBAUTH that processes the request and updates two Endpoint values. Allow-Guest-Internet (boolean) and MAC-Address-Expiration (epoch)
- Allow-Guest-Internet set to TRUE
- MAC-Address-Expiration set to %{Authorization:[Time Source]:Now Plus 1day} (not a custom Time Source filter)
- Client is set a CoA (below)


- The client reauthenticates via L2 with the export anchor still active on the WLC anchor side
- At this point, the client should satisfy Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}) so it will be given an allow access profile.
- Login delay on page is set to 8 seconds
- CoA delay on clearpass servers is set to 8 seconds

The problem:

Intermittently, clearpass is FAILING to write the output values of the WEBAUTH request into the endpoint database so the subsequent MAC auth triggers the portal again instead of an allow access. Clients on iPhones will get the hotspot login page error. Other devices will loop around the portal again. It depends on the device.

Visual evidence:

Here is a client exhibiting the problem.

MAC Auth #1 Client has a previous value that is now expired of 1684682572. Time Source Now = 1684758610


WEBAUTH Request Output. New expiration value = 1684848708


MAC Auth #2. Shows MAC-Auth-Expiration value of 1684682572 which was the ORIGINAL value, not the updated one. 


Client then went through the portal again, and on the second go around, it updated.

I'm at a loss here and can't understand why the DB is failing to write these values intermittently. System stats are not not showing anything taxed, however I do see events in the event viewer showing long running queries so that's evidence to suggest the disk is not keeping up with these random I/O reads and writes. Another thing I'm looking at is our maximum number of DB connections is set to the default of 400. Would increasing this to 700  (or more) per Airheads Community be helpful?

Any thoughts? I would be extremely grateful for any help with this. I do have a TAC case open but I wanted to get y'alls opnion on this as well.

Thanks,
Max Turpin

I would love to know what you found out on this. We are having the exact same issue. Intermittent. Seems the attribute just isn't getting written in time for the re-login after the COA delay. Not every time, but enough times that its causing issues.

Thanks,

David

Hello guys,

I have a bit of a doozy here that I'm trying to solve. This is for a guest network. Pertinent details below:

- Guest wireless system using captive portal + MAC caching
- Server-initiated setup
- Interfaces with Cisco WLCs
- Clients initiate with L2 MAC authentication. This service looks to see if Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}). If this is is true, it sends back an allow access. If not, it sends back a captive portal enforcement policy that returns url-redirect and url-redirect-acl
- Portal accept button triggers a WEBAUTH that processes the request and updates two Endpoint values. Allow-Guest-Internet (boolean) and MAC-Address-Expiration (epoch)
- Allow-Guest-Internet set to TRUE
- MAC-Address-Expiration set to %{Authorization:[Time Source]:Now Plus 1day} (not a custom Time Source filter)
- Client is set a CoA (below)


- The client reauthenticates via L2 with the export anchor still active on the WLC anchor side
- At this point, the client should satisfy Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}) so it will be given an allow access profile.
- Login delay on page is set to 8 seconds
- CoA delay on clearpass servers is set to 8 seconds

The problem:

Intermittently, clearpass is FAILING to write the output values of the WEBAUTH request into the endpoint database so the subsequent MAC auth triggers the portal again instead of an allow access. Clients on iPhones will get the hotspot login page error. Other devices will loop around the portal again. It depends on the device.

Visual evidence:

Here is a client exhibiting the problem.

MAC Auth #1 Client has a previous value that is now expired of 1684682572. Time Source Now = 1684758610


WEBAUTH Request Output. New expiration value = 1684848708


MAC Auth #2. Shows MAC-Auth-Expiration value of 1684682572 which was the ORIGINAL value, not the updated one. 


Client then went through the portal again, and on the second go around, it updated.

I'm at a loss here and can't understand why the DB is failing to write these values intermittently. System stats are not not showing anything taxed, however I do see events in the event viewer showing long running queries so that's evidence to suggest the disk is not keeping up with these random I/O reads and writes. Another thing I'm looking at is our maximum number of DB connections is set to the default of 400. Would increasing this to 700  (or more) per Airheads Community be helpful?

Any thoughts? I would be extremely grateful for any help with this. I do have a TAC case open but I wanted to get y'alls opnion on this as well.

Thanks,
Max Turpin

We ditched CWA and went to controller initiated. Set virtual IP to 192.0.2.1, generated self signed certs on foreign and publicly signed wifi-remote.xyz.com cert for the anchors. NAS FQDN Hostname is wifi-remote.xyz. Change the ACL back to the right direction and make that return of your MAC auth. I wrote about it on my blog

https://wiflymax.wordpress.com/2023/07/25/cisco-wlc-guest-wifi-with-mac-caching-and-anchor-wlc-clearpass-controller-initiated/

I would love to know what you found out on this. We are having the exact same issue. Intermittent. Seems the attribute just isn't getting written in time for the re-login after the COA delay. Not every time, but enough times that its causing issues.

Thanks,

David

Hello guys,

I have a bit of a doozy here that I'm trying to solve. This is for a guest network. Pertinent details below:

- Guest wireless system using captive portal + MAC caching
- Server-initiated setup
- Interfaces with Cisco WLCs
- Clients initiate with L2 MAC authentication. This service looks to see if Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}). If this is is true, it sends back an allow access. If not, it sends back a captive portal enforcement policy that returns url-redirect and url-redirect-acl
- Portal accept button triggers a WEBAUTH that processes the request and updates two Endpoint values. Allow-Guest-Internet (boolean) and MAC-Address-Expiration (epoch)
- Allow-Guest-Internet set to TRUE
- MAC-Address-Expiration set to %{Authorization:[Time Source]:Now Plus 1day} (not a custom Time Source filter)
- Client is set a CoA (below)


- The client reauthenticates via L2 with the export anchor still active on the WLC anchor side
- At this point, the client should satisfy Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}) so it will be given an allow access profile.
- Login delay on page is set to 8 seconds
- CoA delay on clearpass servers is set to 8 seconds

The problem:

Intermittently, clearpass is FAILING to write the output values of the WEBAUTH request into the endpoint database so the subsequent MAC auth triggers the portal again instead of an allow access. Clients on iPhones will get the hotspot login page error. Other devices will loop around the portal again. It depends on the device.

Visual evidence:

Here is a client exhibiting the problem.

MAC Auth #1 Client has a previous value that is now expired of 1684682572. Time Source Now = 1684758610


WEBAUTH Request Output. New expiration value = 1684848708


MAC Auth #2. Shows MAC-Auth-Expiration value of 1684682572 which was the ORIGINAL value, not the updated one. 


Client then went through the portal again, and on the second go around, it updated.

I'm at a loss here and can't understand why the DB is failing to write these values intermittently. System stats are not not showing anything taxed, however I do see events in the event viewer showing long running queries so that's evidence to suggest the disk is not keeping up with these random I/O reads and writes. Another thing I'm looking at is our maximum number of DB connections is set to the default of 400. Would increasing this to 700  (or more) per Airheads Community be helpful?

Any thoughts? I would be extremely grateful for any help with this. I do have a TAC case open but I wanted to get y'alls opnion on this as well.

Thanks,
Max Turpin

Thanks for the reply!

We actually are having the attributes being slow to write issue without it being involved with anchoring or publisher/subscriber. Its just......slow to write the attribute. :)

Thank you for your write up though. I think a lot of people are going to find that useful.

David

We ditched CWA and went to controller initiated. Set virtual IP to 192.0.2.1, generated self signed certs on foreign and publicly signed wifi-remote.xyz.com cert for the anchors. NAS FQDN Hostname is wifi-remote.xyz. Change the ACL back to the right direction and make that return of your MAC auth. I wrote about it on my blog

https://wiflymax.wordpress.com/2023/07/25/cisco-wlc-guest-wifi-with-mac-caching-and-anchor-wlc-clearpass-controller-initiated/

I would love to know what you found out on this. We are having the exact same issue. Intermittent. Seems the attribute just isn't getting written in time for the re-login after the COA delay. Not every time, but enough times that its causing issues.

Thanks,

David

Hello guys,

I have a bit of a doozy here that I'm trying to solve. This is for a guest network. Pertinent details below:

- Guest wireless system using captive portal + MAC caching
- Server-initiated setup
- Interfaces with Cisco WLCs
- Clients initiate with L2 MAC authentication. This service looks to see if Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}). If this is is true, it sends back an allow access. If not, it sends back a captive portal enforcement policy that returns url-redirect and url-redirect-acl
- Portal accept button triggers a WEBAUTH that processes the request and updates two Endpoint values. Allow-Guest-Internet (boolean) and MAC-Address-Expiration (epoch)
- Allow-Guest-Internet set to TRUE
- MAC-Address-Expiration set to %{Authorization:[Time Source]:Now Plus 1day} (not a custom Time Source filter)
- Client is set a CoA (below)


- The client reauthenticates via L2 with the export anchor still active on the WLC anchor side
- At this point, the client should satisfy Authorization:[Time Source]:Now  LESS_THAN  %{Endpoint:MAC-Address-Expiration}) so it will be given an allow access profile.
- Login delay on page is set to 8 seconds
- CoA delay on clearpass servers is set to 8 seconds

The problem:

Intermittently, clearpass is FAILING to write the output values of the WEBAUTH request into the endpoint database so the subsequent MAC auth triggers the portal again instead of an allow access. Clients on iPhones will get the hotspot login page error. Other devices will loop around the portal again. It depends on the device.

Visual evidence:

Here is a client exhibiting the problem.

MAC Auth #1 Client has a previous value that is now expired of 1684682572. Time Source Now = 1684758610


WEBAUTH Request Output. New expiration value = 1684848708


MAC Auth #2. Shows MAC-Auth-Expiration value of 1684682572 which was the ORIGINAL value, not the updated one. 


Client then went through the portal again, and on the second go around, it updated.

I'm at a loss here and can't understand why the DB is failing to write these values intermittently. System stats are not not showing anything taxed, however I do see events in the event viewer showing long running queries so that's evidence to suggest the disk is not keeping up with these random I/O reads and writes. Another thing I'm looking at is our maximum number of DB connections is set to the default of 400. Would increasing this to 700  (or more) per Airheads Community be helpful?

Any thoughts? I would be extremely grateful for any help with this. I do have a TAC case open but I wanted to get y'alls opnion on this as well.

Thanks,
Max Turpin