Hi @athan,
I think it's cool that you want to learn more about ClearPass. Maybe one day you will configure only ClearPass and Aruba devices ;))
I try to explain the basic things for better understanding.
You have run the wizard for "Guest Authentication with MAC Caching", after which 2 services were created.
The service "GUEST_COR MAC Authentication" does mac-address authentication for devices, the service "GUEST_COR User Authentication with MAC Caching" does user authentication.
If authentication is successful, the service "GUEST_COR User Authentication with MAC Caching" allows wifi access and stores "Guest-User-Name" and "MAC-Auth Expiry" in the endpoint. This data can be checked during the next mac-address authentication. If the "Guest-User-Name" is enabled and not expired and "MAC-Auth Expiry" is not reached yet, the access will be enabled immediately and the user will not be redirected to the captive portal.
ClearPass creates endpoints automatically with each authentication attempt. If a device has never logged in via the ClearPass server, there is no endpoint with its MAC address.
The "GUEST_COR MAC Authentication" wants to check if the guest user is enabled and not expired and if "MAC-Auth Expiry" is already reached. But the endpoint with the mac-address does not exist yet. ClearPass cannot execute the SQL statement and cannot read the attributes AccountExpired and AccountEnabled. The Policy Server reports this with the error message (marked red).
The RADIUS server reports that it has not found the user in the endpoints repository, because the endpoint with the MAC address does not exist yet (marked purple). Because of these 2 messages the alarm tab is displayed in the access tracker. But these errors are not the reason for the reject. In the "Error Message" you see "Access denied by policy" (marked green). The enforcement policy forbids the access in this constellation.

You have not posted a role mapping policy, but the wizard creates the following mapping.
AccountExpired and AccountEnabled do not exist, so the tips role [MAC Caching] is not set (marked red).
The "Guest Role ID" does not exist, therefore the tips roles [Contractor], [Guest] and [Employee] cannot be set either (marked purple). None of the 4 conditions match, therefore the role mapping policy sets the default role [Other].
In the enforcement policy there are 2 conditions. The first condition checks if the tips roles [MAC Caching] and [Guest] and [User Authenticated] are set. But they are not (marked red).
The second condition checks if the tips roles [Guest] or [Contractor] or [Employee] are set. But they are not (marked purple).
It does not match any condition, so the enforcement policy uses the default profile [Deny Access Profile] (marked green).

The mac-address authentication has also not failed, although the endpoint with the mac-address does not exist yet.
Your service uses [Allow All MAC AUTH] (marked green) as Authentication Method and authenticates against the [Endpoints Repository] (marked green). Basically, anonymous mac-address authentication is performed; regardless of whether the mac-address exists or not, the authentication is always successful.

This is the true reason for the reject.
The question now is how to set everything up so that it works.
The wizard must have created the profile "GUEST_COR Captive Portal Profile". Depending on what you have selected in the wizard, Aruba user role or filter ID or untagged VLAN is configured there. Remove all attributes there and put in the following:

More details are in this Cisco article:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html
In the redirect URL you still have to replace the page name of the landing page, e.g. /guest/xxxxxxx.php.
Now you have to edit the "GUEST_COR MAC Authentication Enforcement Policy", namely set the enforcement profile "GUEST_COR Captive Portal Profile" as default profile.

If no condition matched, this profile is now used. No reject but an accept with redirection to the captive portal is used. At the same time, an ACL is enabled on the WLC so that not yet authenticated guests can only reach the ClearPass server.
You write that some devices do not need to see the portal. In this case you can create a guest device for these devices. If you set "Account Role" to [Guest], you don't have to adjust anything in role mapping and enforcement. You just have to add the [Guest Device Repository] as an authorization source in the "GUEST_COR MAC Authentication" service.


------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------
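As an added illustration (my own toy model, not ClearPass code and not anything the wizard produces), the decision flow described above, run for an unknown MAC, a MAC-cached endpoint and a registered guest device, once with [Deny Access Profile] and once with "GUEST_COR Captive Portal Profile" as default profile. The Guest Role ID numbers, the [Allow Access Profile] name and treating [User Authenticated] as set together with [MAC Caching] are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
# Constructed clock for the example (not a value taken from the thread).
NOW = datetime(2023, 1, 23, 12, 0, tzinfo=timezone.utc)
# Assumed mapping of the "Guest Role ID" attribute to the TIPS roles named in the post.
ROLE_BY_ID = {1: "[Contractor]", 2: "[Guest]", 3: "[Employee]"}

def collect_attributes(endpoints, guest_devices, mac):
    """Attributes visible to the service: the endpoint (if one exists at all)
    plus the [Guest Device Repository] entry used as authorization source."""
    attrs = dict(endpoints.get(mac, {}))   # unknown MAC -> no endpoint attributes
    attrs.update(guest_devices.get(mac, {}))
    return attrs

def role_mapping(attrs):
    """Simplified GUEST_COR role mapping; the default role is [Other]."""
    roles = set()
    # [MAC Caching]: AccountEnabled, not AccountExpired, MAC-Auth Expiry not reached.
    # With no endpoint these attributes are missing, so the condition cannot match.
    if (attrs.get("AccountEnabled") and not attrs.get("AccountExpired")
            and attrs.get("MAC-Auth Expiry", NOW) > NOW):
        roles.update({"[MAC Caching]", "[User Authenticated]"})  # simplification
    role = ROLE_BY_ID.get(attrs.get("Guest Role ID"))            # absent -> None
    if role:
        roles.add(role)
    return roles or {"[Other]"}

def enforcement(roles, default_profile):
    """Simplified GUEST_COR MAC Authentication Enforcement Policy."""
    if {"[MAC Caching]", "[Guest]", "[User Authenticated]"} <= roles:
        return "[Allow Access Profile]"
    if roles & {"[Guest]", "[Contractor]", "[Employee]"}:
        return "[Allow Access Profile]"
    return default_profile  # no condition matched: the default profile decides

def mac_auth(endpoints, guest_devices, mac, default_profile):
    # [Allow All MAC AUTH] against [Endpoints Repository]: the authentication
    # itself never fails; only role mapping and enforcement decide the result.
    attrs = collect_attributes(endpoints, guest_devices, mac)
    return enforcement(role_mapping(attrs), default_profile)
# Constructed sample data: one MAC-cached endpoint and one registered guest device.
ENDPOINTS = {"aa-bb-cc-00-00-01": {"Guest-User-Name": "visitor1", "Guest Role ID": 2,
                                   "AccountEnabled": True, "AccountExpired": False,
                                   "MAC-Auth Expiry": NOW + timedelta(hours=8)}}
GUEST_DEVICES = {"aa-bb-cc-00-00-02": {"Guest Role ID": 2}}  # Account Role = [Guest]

if __name__ == "__main__":
    for mac in ("aa-bb-cc-00-00-01", "aa-bb-cc-00-00-02", "aa-bb-cc-00-00-99"):
        print(mac, mac_auth(ENDPOINTS, GUEST_DEVICES, mac, "[Deny Access Profile]"),
              mac_auth(ENDPOINTS, GUEST_DEVICES, mac, "GUEST_COR Captive Portal Profile"))
```

The unknown MAC is the only case whose outcome depends on the default profile, which is exactly why changing that default turns the reject into a redirect.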
Original Message:
Sent: Jan 23, 2023 05:30 PM
From: athan
Subject: Mobile Guest SSID not conexion
Hi @lord
I want to thoroughly comprehend all you say regarding Enforcement Proficiency and Wizard because Clear Pass is a system that I am incredibly unfamiliar with.
This guy's setup is comparable to that of my client:
https://www.youtube.com/watch?v=cgL40TtIK4Y
I don't know why some computers and mobile devices can access but most of them don't need to see the portal.
It was effective in the past.
I believe the setting is OK, but there is one area where I keep getting errors, possibly related to the clear pass new mobile policy.
Tell me what you need to know to be able to identify the potential problem. Some specific test?
Original Message:
Sent: Jan 23, 2023 12:32 PM
From: lord
Subject: Mobile Guest SSID not conexion
Hi @athan,
I just see that you are using a Cisco WLC, is it correct?
If so, you can't use the enforcement profile. I see that you used the wizard. The wizard builds everything for an Aruba controller and uses the Aruba VSA "Aruba-User-Role". Your Cisco WLC doesn't understand this stuff - except for the reject :) You have to build the enforcement profile manually.
See here, there was already a discussion about guest WLAN with ClearPass and Cisco WLC.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=44230#
The Youtube video also looks good, https://www.youtube.com/watch?v=cItKxgIjbRY
Do you have access to Arubapedia for Partners?
Here you can download a ClearPass backup and restore it in the lab. In the config are many examples, among others also for Cisco guest WLAN with ClearPass.
https://afp.arubanetworks.com/afp/index.php/Archive:ClearPass_Canned_POC_Kit
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 23, 2023 11:55 AM
From: athan
Subject: Mobile Guest SSID not conexion
Hi @lord
I appreciate your explanation.
I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentication role.
There is a WLC that is the destination of a redirect. The issue is that people cannot access the portal.

Original Message:
Sent: Jan 23, 2023 07:45 AM
From: lord
Subject: Mobile Guest SSID not conexion
Hi athan,
the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.
The SQL statement uses an attribute from the endpoint as WHERE condition. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnabled and AccountExpired. The policy server logs it as an alarm.
The Radius server does not find the user in the endpoint repository and also reports it as an alarm.
The MAC-Auth failed and the ClearPass server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.
The question is whether the user gets the ClearPass landing page displayed.
------------------------------
Regards,
Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion
Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.