I have a new Clearpass captive portal self-registration with self-sponsorship Guest-WiFi service configured. It's not been a pain-free process, but it now works.
When a client first connects they are given a guest-logon role, they complete the form, submit, get a new guest-access role with internet access and have 5 mins to click the link in their email to sponsor themselves to upgrade from 5 mins web access to 24 hours web access. So far so good.
Where I'm stuck is with devices that I need to register to this WiFi service (because they're not 802.1X compliant for our main WLAN). I just can't get my head round how to upload these devices so that they just connect and don't expire. In the device upload csv file I've set the guest-access role, but that doesn't work. I've created a sponsorship user and allocated the guest-access role, but still no good. Each attempt sees me hit with the WEBAUTH REJECT message, even though the device I'm testing with is known.
Anyone got any ideas on what I'm missing?
I've got the MACAUTH service configured as that's part of the captive portal config, but I don't seem to be hitting that service:
And is deleting from the user table more involved than selecting 'Delete wireless client' here?
Because when I delete like this, and reconnect the test device, I still get WEBAUTH REJECT.
By-the-way, thanks for looking at this.
Prior to connecting the cluster member shows no client. Client connects, and gets dropped in the wrong role despite the correct role specified in the service
Deleting it from the user table is what you are doing in the GUI. Yes, that is what I was talking about.
Look at the access tracker to see what attributes are being passed back to the controller and why. If it is getting the wrong role, then ClearPass is not configured properly to have that client bypass authentication.
------------------------------
nathan millward
Original Message:
Sent: May 20, 2022 11:08 AM
From: Colin Joseph
Subject: Devices that can't register via captive portal
You will only hit that service on initial association of a device. To get the device to do mac authentication again, for say testing, you would have to delete them from the controller's user table.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: May 20, 2022 11:01 AM
From: nathan millward
Subject: Devices that can't register via captive portal
Thanks James.
To answer something from cjoseph earlier first, the WEBAUTH REJECT was a red herring because I was searching the access tracker on username, when I should have been using host MAC. I thought the host MAC was being used as username, but for the MAC Auth service that's not the case.
So I can now see that I do hit the Device MAC Auth policy element of the overall Guest-Wifi captive portal process:
But the role being given is not the role I assigned to the device in the csv upload.
So to your comments James, I used the MAC Caching template. I think I should be OK simply using the existing role (Guest-WiFi).
Even though the endpoint is known, the MAC Auth service defaults to the logon role, unless the conditions are met for [MAC Caching]
So does it stack up that I should be able to add a third condition here, ahead of current condition 2, to make the csv upload work?
I'll see if I can figure this condition out.
------------------------------
nathan millward
Original Message:
Sent: May 22, 2022 11:03 PM
From: James Andrewartha
Subject: Devices that can't register via captive portal
Which service template did you use? The "Guest Authentication with MAC Caching" service template doesn't allow for what you want. You need to either edit it (which I have done, including adding a new device role for this sort of device) or just add a new service based on the "Device MAC Authentication" template. I'm not sure on how the two would interact though.
------------------------------
James Andrewartha
Original Message:
Sent: May 20, 2022 10:24 AM
From: nathan millward
Subject: Devices that can't register via captive portal
Thanks James. I thought with what you commented there I was about to figure it out. Overall it sounded straight-forward. I failed to figure it out.
"you need to have a condition in the Roles tab like:"
So to the MAC Auth service I added condition 2 to the Roles tab:
And to the enforcement tab I couldn't figure out where to find 'OR' and ended up only with 'AND'
So deleted that, and went for what you said next, its own condition.
So I've re-uploaded the client with a new role specified in the csv of Guest-WiFi-Portal Workaround (having made that role available to Guest, and created the new role on the controller with an allow-all ipv4 rule) but that didn't work. So I made the Workaround rule first in the list, that didn't work either. I put MAC Caching back as first in the list.
Led by your comment about the two repositories I noticed that the MAC Auth service was only using Endpoints Repo, so I added Guest Device Repo.
And I got a successful and fast authentication!
Weird thing for me now is that the role shown on the controller is not the new '...Portal-Workaround' role, but the original Guest-WiFi role that I wanted to use. Now I need to get to the bottom of why that's the case.
I really hate Clearpass, I just can't figure it out, and I've been trying for way longer than I'm willing to admit!
Thanks for your input yesterday, I'd still be nowhere without it.
Nathan.