View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Guest wi-fi with MAC caching matching guest-logon role

This thread has been viewed 36 times
  • 1.  Guest wi-fi with MAC caching matching guest-logon role

    Posted May 30, 2023 07:01 PM

    Hi All,

    I setup a service for in the Aruba controller and Clearpass for Guest wi-fi with captive portal and MAC caching.  I've got it up to the point where I can connect the the SSID, get the captive portal page and authenticate.

    Clearpass Access tracker shows I'm authenticated both in the user and MAC service.  But in the controller I can see my client is still in the guest-logon role, that the wizard setup in the beginning.

    If I look at my enforcement policy, it looks like it's trying to MATCH ALL [Contractor], [User Authenticated], and [MAC caching].  I don't think it's doing that so it's failing to Condition 3 where it sends me back to the Guest-logon role.

    Here is a look at the RADIUS request info:

    Request Details Summary -
     Session Identifier: R000ef244-01-64767cf3
     Date and Time: May 30, 2023 15:47:15 PDT
     Username: 181dea34e9c8
     End-Host Identifier: 181DEA34E9C8
     Access Device IP/Port:
     Access Device Name: oes-mm
     Audit Posture Status: UNKNOWN (100)
     System Posture Status: UNKNOWN (100)
     Login Status: ACCEPT

    Policies Used -
     Service: Guest_ MAC Authentication
     Authentication Method: MAC-AUTH
     Authentication Source: None
     Authorization Source: [Guest User Repository], [Endpoints Repository], [Time Source]
     Roles: [Contractor], [User Authenticated]
     Enforcement Profiles: [Allow Access Profile], Guest_ Captive Portal Profile
     Service Monitor Mode: Disabled

    Input RADIUS Attributes -
     Radius:Aruba:Aruba-AP-Group = Drinkward
     Radius:Aruba:Aruba-Essid-Name = z_guest
     Radius:Aruba:Aruba-Location-Id = US DC Tech office new
     Radius:IETF:Called-Station-Id = 000B86B7F5E7
     Radius:IETF:Calling-Station-Id = 181DEA34E9C8
     Radius:IETF:NAS-IP-Address =
     Radius:IETF:NAS-Port = 0
     Radius:IETF:NAS-Port-Type = 19
     Radius:IETF:Service-Type = 10
     Radius:IETF:User-Name = 181dea34e9c8

    Input Computed Attributes -
     Authentication:ErrorCode = 0
     Authentication:Full-Username = 181dea34e9c8
     Authentication:Full-Username-Normalized = 181dea34e9c8
     Authentication:MacAuth = UnknownClient
     Authentication:OuterMethod = MAC-AUTH
     Authentication:Posture = Unknown
     Authentication:Status = MAB
     Authentication:Username = 181dea34e9c8
     Authorization:Sources = [Guest User Repository], [Endpoints Repository], [Time Source]
     Connection:AP-Name = US DC Tech office new
     Connection:Client-Mac-Address = 181DEA34E9C8
     Connection:Client-Mac-Address-Colon = 18:1d:ea:34:e9:c8
     Connection:Client-Mac-Address-Dot = 181d.ea34.e9c8
     Connection:Client-Mac-Address-Hyphen = 18-1d-ea-34-e9-c8
     Connection:Client-Mac-Address-NoDelim = 181dea34e9c8
     Connection:Client-Mac-Address-Upper-Hyphen = 18-1D-EA-34-E9-C8
     Connection:Client-Mac-Vendor = Intel Corporate
     Connection:Dest-IP-Address =
     Connection:Dest-Port = 1812
     Connection:NAD-IP-Address =
     Connection:Protocol = RADIUS
     Connection:Src-IP-Address =
     Connection:Src-Port = 57297
     Connection:SSID = z_guest
     Date:Date-Time = 2023-05-30 15:47:15
     Endpoint:Guest Role ID = 1
     Endpoint:Username =

    Input Authorization Attributes -
     Authorization:[Endpoints Repository]:Unique-Device-Count = 1
     Authorization:[Guest User Repository]:AccountEnabled = true
     Authorization:[Guest User Repository]:AccountExpired = false
     Authorization:[Time Source]:Now DT = 2023-05-30 15:00:00
     Authorization:[Time Source]:One Day DT = 2023-05-31 15:00:00
     Authorization:[Time Source]:One Month DT = 2023-06-30 15:00:00
     Authorization:[Time Source]:One Week DT = 2023-06-06 15:00:00
     Authorization:[Time Source]:Six Months DT = 2023-11-30 15:00:00

    Output RADIUS Attributes -
     Radius:Aruba:Aruba-User-Role = Guest Wi-Fi-guest-logon

  • 2.  RE: Guest wi-fi with MAC caching matching guest-logon role

    Posted May 31, 2023 01:14 AM

    Check. your settings in the guest login page settings for Login Method and address (see below):

    After logging into the page provided by ClearPass the client should be redirected back to the controller which triggers a subsequent RADIUS authentication request using the login credentials entered on the page. This is typically how deployments work, anyway (but there are alternative methods also).

    If you have loaded a public CA signed server certificate into the controller then use the FQDN from that certificate as the address in this field. If it's a wildcard then use captiveportal-login.<yourdomain> as the address (replacing <yourdomain> with the domain used for your certificate.

  • 3.  RE: Guest wi-fi with MAC caching matching guest-logon role

    Posted May 31, 2023 08:42 AM

    The key differences I see in your logs vs mine is that in the policies used I see "Authentication Source: Local:localhost". I also see  "Endpoint:MAC-Auth Expiry =" in the Input Computed Attributes. It looks like no details are being pulled from the Endpoint Repository for your radius request. This might mean that the Endpoint Updates have not taken place (which occur in a different service). Are there any attributes present in the endpoint entry for that client?

    Did you use the Guest with MAC auth service template?

  • 4.  RE: Guest wi-fi with MAC caching matching guest-logon role

    Posted May 31, 2023 10:32 AM

    Thanks for the reply.  Yes, yes and yes.  The web login is set to 'Controller-initiated,' I used the service template wizard, and the device was added to the endpoint database with two attributes:  username and Guest-role ID=1 which is what I would expect as I created the guest user with the role of Contractor (Guest is ID 2.)

  • 5.  RE: Guest wi-fi with MAC caching matching guest-logon role

    Posted May 31, 2023 03:28 PM

    I just deleted all the services and profiles created when I did the Aruba controller WLAN and Clearpass service template wizard, and recreated them.  I was very careful to make sure all the role names match.  But it's pretty much doing the same thing, except this time the endpoint has no attributes.  It should be getting Guest role ID, username, and MAC caching expiration.

    I get the captive portal, I log in, but i never leave the guest-guest-logon role.  Any ideas?

  • 6.  RE: Guest wi-fi with MAC caching matching guest-logon role

    Posted May 31, 2023 03:58 PM

  • 7.  RE: Guest wi-fi with MAC caching matching guest-logon role
    Best Answer

    Posted Jun 05, 2023 01:01 PM

    Turns out it was a certificate problem.  I had a wildcard certificate installed on the controller (captive portal) but I didn't have the root and intermediate installed.  Once I did that MAC caching worked.