Hi All,

I set up a service in the Aruba controller and ClearPass for Guest wi-fi with captive portal and MAC caching. I've got it up to the point where I can connect to the SSID, get the captive portal page and authenticate.

ClearPass Access Tracker shows I'm authenticated both in the user and MAC service. But in the controller I can see my client is still in the guest-logon role that the wizard set up in the beginning.

If I look at my enforcement policy, it looks like it's trying to MATCH ALL [Contractor], [User Authenticated], and [MAC caching]. I don't think it's doing that so it's failing to Condition 3 where it sends me back to the Guest-logon role.

Here is a look at the RADIUS request info:
Request Details Summary -
Session Identifier: R000ef244-01-64767cf3
Date and Time: May 30, 2023 15:47:15 PDT
Username: 181dea34e9c8
End-Host Identifier: 181DEA34E9C8
Access Device IP/Port: 10.3.0.3:0
Access Device Name: oes-mm
Audit Posture Status: UNKNOWN (100)
System Posture Status: UNKNOWN (100)
Login Status: ACCEPT

Policies Used -
Service: Guest_ MAC Authentication
Authentication Method: MAC-AUTH
Authentication Source: None
Authorization Source: [Guest User Repository], [Endpoints Repository], [Time Source]
Roles: [Contractor], [User Authenticated]
Enforcement Profiles: [Allow Access Profile], Guest_ Captive Portal Profile
Service Monitor Mode: Disabled

Input RADIUS Attributes -
Radius:Aruba:Aruba-AP-Group = Drinkward
Radius:Aruba:Aruba-Essid-Name = z_guest
Radius:Aruba:Aruba-Location-Id = US DC Tech office new
Radius:IETF:Called-Station-Id = 000B86B7F5E7
Radius:IETF:Calling-Station-Id = 181DEA34E9C8
Radius:IETF:NAS-IP-Address = 10.3.0.3
Radius:IETF:NAS-Port = 0
Radius:IETF:NAS-Port-Type = 19
Radius:IETF:Service-Type = 10
Radius:IETF:User-Name = 181dea34e9c8

Input Computed Attributes -
Authentication:ErrorCode = 0
Authentication:Full-Username = 181dea34e9c8
Authentication:Full-Username-Normalized = 181dea34e9c8
Authentication:MacAuth = UnknownClient
Authentication:OuterMethod = MAC-AUTH
Authentication:Posture = Unknown
Authentication:Status = MAB
Authentication:Username = 181dea34e9c8
Authorization:Sources = [Guest User Repository], [Endpoints Repository], [Time Source]
Connection:AP-Name = US DC Tech office new
Connection:Client-Mac-Address = 181DEA34E9C8
Connection:Client-Mac-Address-Colon = 18:1d:ea:34:e9:c8
Connection:Client-Mac-Address-Dot = 181d.ea34.e9c8
Connection:Client-Mac-Address-Hyphen = 18-1d-ea-34-e9-c8
Connection:Client-Mac-Address-NoDelim = 181dea34e9c8
Connection:Client-Mac-Address-Upper-Hyphen = 18-1D-EA-34-E9-C8
Connection:Client-Mac-Vendor = Intel Corporate
Connection:Dest-IP-Address = 10.1.10.9
Connection:Dest-Port = 1812
Connection:NAD-IP-Address = 10.3.0.3
Connection:Protocol = RADIUS
Connection:Src-IP-Address = 10.3.0.6
Connection:Src-Port = 57297
Connection:SSID = z_guest
Date:Date-Time = 2023-05-30 15:47:15
Endpoint:Guest Role ID = 1
Endpoint:Username = firstname.lastname@example.org

Input Authorization Attributes -
Authorization:[Endpoints Repository]:Unique-Device-Count = 1
Authorization:[Guest User Repository]:AccountEnabled = true
Authorization:[Guest User Repository]:AccountExpired = false
Authorization:[Time Source]:Now DT = 2023-05-30 15:00:00
Authorization:[Time Source]:One Day DT = 2023-05-31 15:00:00
Authorization:[Time Source]:One Month DT = 2023-06-30 15:00:00
Authorization:[Time Source]:One Week DT = 2023-06-06 15:00:00
Authorization:[Time Source]:Six Months DT = 2023-11-30 15:00:00

Output RADIUS Attributes -
Radius:Aruba:Aruba-User-Role = Guest Wi-Fi-guest-logon
Check your settings in the guest login page settings for Login Method and address (see below):

After logging into the page provided by ClearPass the client should be redirected back to the controller which triggers a subsequent RADIUS authentication request using the login credentials entered on the page. This is typically how deployments work, anyway (but there are alternative methods also).

If you have loaded a public CA signed server certificate into the controller then use the FQDN from that certificate as the address in this field. If it's a wildcard then use captiveportal-login.<yourdomain> as the address (replacing <yourdomain> with the domain used for your certificate).
The key differences I see in your logs vs mine is that in the policies used I see "Authentication Source: Local:localhost". I also see "Endpoint:MAC-Auth Expiry =" in the Input Computed Attributes. It looks like no details are being pulled from the Endpoint Repository for your RADIUS request. This might mean that the Endpoint Updates have not taken place (which occur in a different service). Are there any attributes present in the endpoint entry for that client?

Did you use the Guest with MAC auth service template?
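Added example (not part of the thread and not ClearPass code): a small parser for Access Tracker text as pasted into a post, with attributes either run together or one per line, that makes the comparison from the reply above, listing which roles a match-ALL rule would still need and whether the endpoint attribute the reply mentions is present. The namespace prefixes in `KEY` and the inputs passed to `diagnose` are assumptions taken from the text of this thread.

```python
import re

# Abbreviated excerpt of the Access Tracker output posted in this thread.
SAMPLE = (
    "Policies Used - Service: Guest_ MAC Authentication "
    "Authentication Method: MAC-AUTH Authentication Source: None "
    "Roles: [Contractor], [User Authenticated] "
    "Enforcement Profiles: [Allow Access Profile], Guest_ Captive Portal Profile "
    "Input Computed Attributes - Authentication:MacAuth = UnknownClient "
    "Connection:AP-Name = US DC Tech office new Connection:SSID = z_guest "
    "Date:Date-Time = 2023-05-30 15:47:15 Endpoint:Guest Role ID = 1 "
    "Endpoint:Username = firstname.lastname@example.org "
    "Output RADIUS Attributes - Radius:Aruba:Aruba-User-Role = Guest Wi-Fi-guest-logon"
)

# "Namespace:Name = " starts an attribute; keys and values may both contain spaces.
KEY = re.compile(
    r"\b((?:Radius|Authentication|Authorization|Connection|Date|Endpoint):[^=\n]+?) = ")
SECTION = re.compile(r"\s*(?:Input|Output) (?:RADIUS|Computed|Authorization) Attributes -\s*")

def parse_attributes(text):
    """Return {key: value} for every 'Namespace:Name = value' attribute."""
    text = SECTION.sub("\n", text)          # a section title ends the previous value
    hits = list(KEY.finditer(text))
    attrs = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        attrs[m.group(1)] = text[m.end():end].split("\n")[0].strip()
    return attrs

def parse_roles(text):
    """Return the role names from the 'Roles:' field of Policies Used."""
    m = re.search(r"Roles: ((?:\[[^\]]+\](?:, )?)+)", text)
    return re.findall(r"\[([^\]]+)\]", m.group(1)) if m else []

def diagnose(text, required_roles, expected_endpoint_attrs):
    """List the roles and endpoint attributes that are expected but absent."""
    roles = {r.lower() for r in parse_roles(text)}
    attrs = parse_attributes(text)
    endpoint = {k.split(":", 1)[1] for k in attrs if k.startswith("Endpoint:")}
    return {
        "missing_roles": [r for r in required_roles if r.lower() not in roles],
        "missing_endpoint_attrs": [a for a in expected_endpoint_attrs if a not in endpoint],
        "returned_role": attrs.get("Radius:Aruba:Aruba-User-Role"),
    }

if __name__ == "__main__":
    # Role and attribute names are the ones quoted in the thread (assumed inputs).
    print(diagnose(SAMPLE, ["Contractor", "User Authenticated", "MAC caching"],
                   ["MAC-Auth Expiry"]))
```
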
Thanks for the reply. Yes, yes and yes. The web login is set to 'Controller-initiated,' I used the service template wizard, and the device was added to the endpoint database with two attributes: username and Guest-role ID=1 which is what I would expect as I created the guest user with the role of Contractor (Guest is ID 2.)
I just deleted all the services and profiles created when I did the Aruba controller WLAN and ClearPass service template wizard, and recreated them. I was very careful to make sure all the role names match. But it's pretty much doing the same thing, except this time the endpoint has no attributes. It should be getting Guest role ID, username, and MAC caching expiration.

I get the captive portal, I log in, but I never leave the guest-guest-logon role. Any ideas?
Original Message: Sent: May 31, 2023 08:42 AM | From: ProbeRequest | Subject: Guest wi-fi with MAC caching matching guest-logon role
Original Message: Sent: May 30, 2023 07:01 PM | From: OESTech | Subject: Guest wi-fi with MAC caching matching guest-logon role
Original Message: Sent: May 31, 2023 10:32 AM | From: OESTech | Subject: Guest wi-fi with MAC caching matching guest-logon role
Turns out it was a certificate problem. I had a wildcard certificate installed on the controller (captive portal) but I didn't have the root and intermediate installed. Once I did that MAC caching worked.