Turns out it was a certificate problem. I had a wildcard certificate installed on the controller (captive portal) but I didn't have the root and intermediate installed. Once I did that MAC caching worked.
Original Message:
Sent: May 31, 2023 03:57 PM
From: OESTech
Subject: Guest wi-fi with MAC caching matching guest-logon role
Original Message:
Sent: May 31, 2023 03:27 PM
From: OESTech
Subject: Guest wi-fi with MAC caching matching guest-logon role
I just deleted all the services and profiles created when I did the Aruba controller WLAN and Clearpass service template wizard, and recreated them. I was very careful to make sure all the role names match. But it's pretty much doing the same thing, except this time the endpoint has no attributes. It should be getting Guest role ID, username, and MAC caching expiration.
I get the captive portal, I log in, but i never leave the guest-guest-logon role. Any ideas?
Original Message:
Sent: May 31, 2023 10:32 AM
From: OESTech
Subject: Guest wi-fi with MAC caching matching guest-logon role
Thanks for the reply. Yes, yes and yes. The web login is set to 'Controller-initiated,' I used the service template wizard, and the device was added to the endpoint database with two attributes: username and Guest-role ID=1 which is what I would expect as I created the guest user with the role of Contractor (Guest is ID 2.)
Original Message:
Sent: May 31, 2023 08:42 AM
From: ProbeRequest
Subject: Guest wi-fi with MAC caching matching guest-logon role
The key differences I see in your logs vs mine is that in the policies used I see "Authentication Source: Local:localhost". I also see "Endpoint:MAC-Auth Expiry =" in the Input Computed Attributes. It looks like no details are being pulled from the Endpoint Repository for your radius request. This might mean that the Endpoint Updates have not taken place (which occur in a different service). Are there any attributes present in the endpoint entry for that client?
Did you use the Guest with MAC auth service template?
Original Message:
Sent: May 30, 2023 07:01 PM
From: OESTech
Subject: Guest wi-fi with MAC caching matching guest-logon role
Hi All,
I setup a service for in the Aruba controller and Clearpass for Guest wi-fi with captive portal and MAC caching. I've got it up to the point where I can connect the the SSID, get the captive portal page and authenticate.
Clearpass Access tracker shows I'm authenticated both in the user and MAC service. But in the controller I can see my client is still in the guest-logon role, that the wizard setup in the beginning.
If I look at my enforcement policy, it looks like it's trying to MATCH ALL [Contractor], [User Authenticated], and [MAC caching]. I don't think it's doing that so it's failing to Condition 3 where it sends me back to the Guest-logon role.
Here is a look at the RADIUS request info:
Request Details Summary -
Session Identifier: R000ef244-01-64767cf3
Date and Time: May 30, 2023 15:47:15 PDT
Username: 181dea34e9c8
End-Host Identifier: 181DEA34E9C8
Access Device IP/Port: 10.3.0.3:0
Access Device Name: oes-mm
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT
Policies Used -
Service: Guest_ MAC Authentication
Authentication Method: MAC-AUTH
Authentication Source: None
Authorization Source: [Guest User Repository], [Endpoints Repository], [Time Source]
Roles: [Contractor], [User Authenticated]
Enforcement Profiles: [Allow Access Profile], Guest_ Captive Portal Profile
Service Monitor Mode: Disabled
Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = Drinkward
Radius:Aruba:Aruba-Essid-Name = z_guest
Radius:Aruba:Aruba-Location-Id = US DC Tech office new
Radius:IETF:Called-Station-Id = 000B86B7F5E7
Radius:IETF:Calling-Station-Id = 181DEA34E9C8
Radius:IETF:NAS-IP-Address = 10.3.0.3
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 10
Radius:IETF:User-Name = 181dea34e9c8
Input Computed Attributes -
Authentication:ErrorCode = 0
Authentication:Full-Username = 181dea34e9c8
Authentication:Full-Username-Normalized = 181dea34e9c8
Authentication:MacAuth = UnknownClient
Authentication:OuterMethod = MAC-AUTH
Authentication:Posture = Unknown
Authentication:Status = MAB
Authentication:Username = 181dea34e9c8
Authorization:Sources = [Guest User Repository], [Endpoints Repository], [Time Source]
Connection:AP-Name = US DC Tech office new
Connection:Client-Mac-Address = 181DEA34E9C8
Connection:Client-Mac-Address-Colon = 18:1d:ea:34:e9:c8
Connection:Client-Mac-Address-Dot = 181d.ea34.e9c8
Connection:Client-Mac-Address-Hyphen = 18-1d-ea-34-e9-c8
Connection:Client-Mac-Address-NoDelim = 181dea34e9c8
Connection:Client-Mac-Address-Upper-Hyphen = 18-1D-EA-34-E9-C8
Connection:Client-Mac-Vendor = Intel Corporate
Connection:Dest-IP-Address = 10.1.10.9
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 10.3.0.3
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 10.3.0.6
Connection:Src-Port = 57297
Connection:SSID = z_guest
Date:Date-Time = 2023-05-30 15:47:15
Endpoint:Guest Role ID = 1
Endpoint:Username = rtester@oes.edu
Input Authorization Attributes -
Authorization:[Endpoints Repository]:Unique-Device-Count = 1
Authorization:[Guest User Repository]:AccountEnabled = true
Authorization:[Guest User Repository]:AccountExpired = false
Authorization:[Time Source]:Now DT = 2023-05-30 15:00:00
Authorization:[Time Source]:One Day DT = 2023-05-31 15:00:00
Authorization:[Time Source]:One Month DT = 2023-06-30 15:00:00
Authorization:[Time Source]:One Week DT = 2023-06-06 15:00:00
Authorization:[Time Source]:Six Months DT = 2023-11-30 15:00:00
Output RADIUS Attributes -
Radius:Aruba:Aruba-User-Role = Guest Wi-Fi-guest-logon