Security

 View Only
last person joined: 19 hours ago 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Devices that can't register via captive portal

Jump to Best Answer
This thread has been viewed 39 times
  • 1.  Devices that can't register via captive portal

    Posted May 20, 2022 10:25 AM

    I have a new Clearpass captive portal self-registration with self-sponsorship Guest-WiFi service configured. It's not been a pain free process, but it now works.
    When a client first connects they given a guest-logon role, they complete the form, submit, get a new guest-access role with internet access and have 5 mins to click the link in their email to sponsor themselves to upgrade from 5 mins web access to 24 hours web access. So far so good.

    Where I'm stuck is with devices that I need to register to this WiFi service (because they're not 802.1X compliant for our main WLAN). I just can't get my head round how to upload these devices so that they just connect and don't expire. In the device upload csv file I've set the guest-access role, but that doesn't work. I've created a sponsorship user and allocated the guest-access role, but still no good. Each attempt sees me hit with the WEBAUTH REJECT message, even though the device I'm testing with is known.

    Anyone got any ideas on what I'm missing? 

    Thanks

    Nathan



    ------------------------------
    nathan millward
    ------------------------------


  • 2.  RE: Devices that can't register via captive portal

    EMPLOYEE
    Posted May 20, 2022 10:46 AM
    There should be a service that does mac authentication.   That is the service that first checks to see if the device is in the endpoints database, so that they can skip authentication.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 3.  RE: Devices that can't register via captive portal

    Posted May 20, 2022 11:02 AM

    I've got the MACAUTH service configured as that's part of the captive portal config, but I don't seem to be hitting that service:





    ------------------------------
    nathan millward
    ------------------------------



  • 4.  RE: Devices that can't register via captive portal

    EMPLOYEE
    Posted May 20, 2022 11:08 AM
    You will only hit that service on initial association of a device.  To get the device to do mac authentication again, for say testing, you would have to delete them from the controller's user table.

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 5.  RE: Devices that can't register via captive portal

    Posted May 20, 2022 11:16 AM

    And is deleting from the user table more involved then selecting 'Delete wireless client' here?

    Because when I delete like this, and reconnect the test device, I still get WEBAUTH REJECT.

    By-the-way, thanks for looking at this.


    edit:

    Prior to connecting the cluster member shows no client. Client connects, and gets dropped in the wrong role despite the correct role specified in the service


    ------------------------------
    nathan millward
    ------------------------------



  • 6.  RE: Devices that can't register via captive portal

    EMPLOYEE
    Posted May 20, 2022 12:22 PM

    Deleting it from the user table is what you are doing in the GUI.  yes, that is what I was talking about.

    Look at the access tracker to see what attributes are being passed back to the controller and why.  If it is getting the wrong role, then ClearPass is not configured properly to have that client bypass authentication.



    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
    ------------------------------



  • 7.  RE: Devices that can't register via captive portal

    Posted May 22, 2022 11:04 PM
    Which service template did you use? The "Guest Authentication with MAC Caching" service template doesn't allow for what you want. You need to either edit it (which I have done, including adding a new device role for this sort of device) or just add a new service based on the "Device MAC Authentication" template. I'm not sure on how the two would interact though.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 8.  RE: Devices that can't register via captive portal

    Posted May 23, 2022 11:15 AM

    Thanks James.
    To answer something from cjoseph earlier first, the WEBAUTH REJECT was a red herring because I was searching the access tracker on username, when I should have been using host MAC. I thought the host MAC was being used as username, but for the MAC Auth service that's not the case.
    So I can now see that I do hit the Device MAC Auth policy element of the overall Guest-Wifi captive portal process:


    But the role being given is not the role I assigned to the device in the csv upload.

    So to your comments James, I used the MAC Caching template. I think I should be OK simply using the existing role (Guest-WiFi).
    Even though the endpoint is known, the MAC Auth services defaults to the logon role, unless the conditions are met for [MAC Caching]


    So does it stack up that I should be able to add a third condition here, ahead of current condition 2, to make the csv upload work?

    I'll see if I can figure this condition out.



    ------------------------------
    nathan millward
    ------------------------------



  • 9.  RE: Devices that can't register via captive portal
    Best Answer

    Posted May 23, 2022 11:57 PM
    So you've uploaded the CSV to the Guest device database, /guest/mac_import.php rather than the ClearPass (TIPS) device database /tips/tipsContent.action#tipsEndpoints.action ? If so, you need to have a condition in the Roles tab like:

    (Authorization:[Guest Device Repository]:Device Role ID  EQUALS  4) guest-access

    Although you need to confirm the Device Role ID for guest-access. Then in Enforcement, you'd have (Tips:Role EQUALS guest-access) as an OR of the first condition (or its own condition with the same (or different) enforcement profiles).

    The core issue here is that ClearPass has two device repositories, one in the captive portal side [Guest Device Repository], one in the ClearPass (TIPS RADIUS server) side [Endpoints Repository]. Once you understand that it doing what you want becomes a bit clearer.

    ------------------------------
    James Andrewartha
    ------------------------------



  • 10.  RE: Devices that can't register via captive portal

    Posted May 24, 2022 11:54 AM

    Thanks James. I thought with what you commented there I was about to figure it out. Overall it sounded straight-forward. I failed to figure it out.

    "you need to have a condition in the Roles tab like:

    (Authorization:[Guest Device Repository]:Device Role ID  EQUALS  4) guest-access

    "

    So to the MAC Auth service I added condition 2 to the Roles tab:

    And to the enforcement tab I couldn't figure out where to find 'OR' and ended up only with 'AND'


    So deleted that, and went for what you said next, it's own condition

    So I've re-uploaded the client with a new role specified in the csv of Guest-WiFi-Portal Workaround (having made that role available to Guest, and created the new role on the controller with an allow-all ipv4 rule) but that didn't work. 
    So I made the Workaround rule first in the list, that didn't work either. I put MAC Caching back as first in the list.
    Led by your comment about the two repositories I noticed that the MAC Auth service was only using Endpoints Repo, so I added Guest Device Repo
    And I got a successful and fast authentication!

    Weird thing for me now is that the role shown on the controller is not the new '...Portal-Workaround' role, but the original Guest-WiFi role that I wanted to use. Now I need to get to the bottom of why that's the case.

    I really hate Clearpass, I just can't figure it out, and I've been trying for way longer than I'm willing to admit!
    Thanks for your input yesterday, I'd still be nowhere without it.
    Nathan.



    ------------------------------
    nathan millward
    ------------------------------