Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass free hour access to Wireless

  • 1.  ClearPass free hour access to Wireless

    Posted Aug 03, 2022 07:06 AM
    Hi,

    Recently we installed a new Wireless Controller, an Aruba 7210.

    In the previous setup we had an option on the old WLC MSM760 to enable free access for 1 hour. The authentication is done by the MAC address of the connecting device, and once the time expires on the controller the device is disconnected.

    If we get ClearPass to enable this option again, will it also work in the same way, that is, a MAC address based countdown per MAC address?

    I'm asking this question because I wanted to know if there is any solution for the "randomize MAC address" option on the smartphone side, to stop users from getting extra connection time....

    Thanks


  • 2.  RE: ClearPass free hour access to Wireless

    Posted Aug 03, 2022 07:38 AM
    Nothing to stop MAC randomizations unfortunately unless you have an MDM.  You could create a splash page portal flow where if the client MAC address matches the random MAC OUIs, you can display a splash page for those clients telling them to disable.  All other client MAC addresses would be granted accept with a session-timeout of one hour and then some other endpoint database attribute to identify that they had already connected for an hour.

    Why even limit it at all to 1 hour though?  What is the use-case?  Why have this negative user experience at all?


  • 3.  RE: ClearPass free hour access to Wireless

    Posted Aug 03, 2022 07:47 AM
    We use the 1 hour because it is a hospital network and we have patients coming for outpatient, so we have the free hour. The problem is that employees are not allowed to connect, but they use the free hour and keep changing MAC addresses during working hours, and the DHCP pool, which is 1022 usable IPs, gets exhausted all the time.


  • 4.  RE: ClearPass free hour access to Wireless

    Posted Aug 03, 2022 08:06 AM
    That makes sense.  I see a couple of options here:
    • Block all random MAC OUIs from joining the SSID, or redirect those MAC OUIs to a captive portal informing them they must disable MAC randomization
    • Integrate ClearPass with an MDM and force all employees to register with the MDM.  ClearPass can deny any MDM registered device from joining the guest network and also force MAC randomization off.
    • Make your guest network subnet larger to encompass employee devices.



  • 5.  RE: ClearPass free hour access to Wireless

    Posted Aug 04, 2022 04:49 PM
    I'm curious about your response on blocking all random MAC OUIs.
    Is there a paper/process from Aruba on how to implement this?



  • 6.  RE: ClearPass free hour access to Wireless

    Posted Aug 04, 2022 05:44 PM
    Essentially there are a couple of digits within a MAC address that identify it as being randomized.  If any MAC address meets this condition, you can take whatever enforcement profile you wish: deny access, captive portal, etc.

    https://www.arubanetworks.com/assets/tg/TD_Mac-Address-Randomization.pdf


  • 7.  RE: ClearPass free hour access to Wireless

    Posted Aug 04, 2022 07:12 PM
    The technical details:

    The second character in a MAC address, if it is a 2, 6, A, or E is what identifies it as a randomized MAC address.

    • x2:xx:xx:xx:xx:xx
    • x6:xx:xx:xx:xx:xx
    • xA:xx:xx:xx:xx:xx
    • xE:xx:xx:xx:xx:xx

    You indicate there is a possibility of using a rule in ClearPass to identify these addresses and send them to another splash page.

    I'd like to see an example of the ClearPass service that performs this check.

    This issue is starting to occur more frequently, and I'm seeing the clients increase the DHCP scope...


  • 8.  RE: ClearPass free hour access to Wireless

    Posted Aug 04, 2022 09:09 PM
    Here is a fantastic Cisco community page discussing this topic from one of the former ISE TMEs: 
    That same regex can easily be used in a ClearPass Role Mapping or enforcement policy as Connection:Client MAC Address Matches_Regex: ^.[26AEae].*
     
    Then just take whatever action you want. You could deny that MAC address or redirect them to a captive portal hosted in ClearPass using the Aruba-Captive-Portal-URL VSA.
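
The check described in posts 7 and 8, as an added example that is not part of the original thread and is not ClearPass configuration: a Python sketch that tests the locally administered bit behind the 2/6/A/E rule, accepts the common MAC notations, and confirms the result agrees with the regex quoted above. The function names and the sample addresses are constructed for illustration.

```python
import re

# Regex quoted in the thread for the ClearPass Matches_Regex condition.
THREAD_REGEX = re.compile(r"^.[26AEae].*")

def parse_mac(text):
    """Normalize colon, hyphen, dotted or bare hex notation to 6 octets."""
    digits = re.sub(r"[.:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_randomized(text):
    """True for a locally administered unicast address.

    In the first octet, bit 0x02 set means locally administered and
    bit 0x01 clear means unicast, which yields second digit 2, 6, A or E.
    """
    first = parse_mac(text)[0]
    return (first & 0x02) != 0 and (first & 0x01) == 0

def classify(macs):
    """Split a list of client MACs into (randomized, universally_assigned)."""
    randomized, universal = [], []
    for mac in macs:
        (randomized if is_randomized(mac) else universal).append(mac)
    return randomized, universal

# Constructed sample addresses, not taken from any real network.
SAMPLE = [
    "da:a1:19:00:00:01",   # second digit A -> randomized
    "3C-22-FB-00-00-02",   # second digit C -> universally assigned
    "f6a1.1900.0003",      # dotted notation, second digit 6
    "02005E000004",        # bare hex, second digit 2
    "AE:00:00:00:00:05",   # second digit E
    "00:1A:2B:00:00:06",   # second digit 0 -> universally assigned
]

if __name__ == "__main__":
    rand, fixed = classify(SAMPLE)
    print("randomized:          ", rand)
    print("universally assigned:", fixed)
    # The thread's regex and the bit test agree on every sample.
    for mac in SAMPLE:
        assert bool(THREAD_REGEX.match(mac)) == is_randomized(mac)
```

The bit test and the regex give the same answer because the regex only inspects the second hex digit; parsing first also rejects malformed input that the regex would pass through.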





  • 9.  RE: ClearPass free hour access to Wireless

    EMPLOYEE
    Posted Aug 04, 2022 09:25 PM
    Thanks for sharing, very useful, just tested it.




    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------