This seems to be an example of MACtrac. See more info here
The device registration role sends a captive portal redirect for the user to the registration page, which has the Galleria Skin to make it look different, then device is registered (indeed looks like a modified page that does not allow changes in any of the fields, the MAC address is populated from the redirect). I don't have info how Jason did this.
After registration, a CoA is sent to trigger a re-authentication and the MAC Authentication service, based on the Guest Device database, returns the BYOD role. In the MAC Auth service, check if the device exists (and is enabled/has right attributes) in the Guest Device Database and return BYOD policy or Registration Role otherwise.
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/
for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
Sent: May 24, 2022 02:44 AM
From: Jack Garnell
Subject: Youtube Content Creator Using ClearPass Guest or Onboard or Both?
Deeply appreciate if you guys could reverse engineer what is being done in this video:
Aruba ClearPass Onboarding using Device Registration - YouTube
This is exactly what we require in our environment but unfortunately the content creator (Jason Atkins) had disabled comments & I have no info on how I can further reach out to him for this implementation.
From what I comprehend:
1) RADIUS Service created (School_Secure) = Doesn't seem that it's created using the Guest Authentication with MAC Caching Service Template, as demonstrated by Herman (Aruba ClearPass Workshop (2021) - Guest Access #1 Aruba Instant Wireless Guest (getting started) - YouTube)
a) Jason probably created the School_Secure RADIUS service manually with the following set:
i) Authentication Method = EAP PEAP (because there is not device / user cert used for EAP-TLS)
ii) Authentication Source = AD
iii) Authorization? = Additional authorization sources from which to fetch role-mapping attribute = ?
iv) Roles = Authorization:AD:memberOf Contains Students (my guess) with [Device Registration] role assigned
v) Enforcement = Tips:Role EQUALS [Device Registration] with School_Secure - DeviceRego Enforcement Profile assigned (Probably VLAN assignment only?)
2) User attempts to browse to Internet & is instead thrown into Captive Portal = where do I set this? & how can I configure it to accept AD credentials instead of the default "Your Name" & "E-mail Address" fields in the Guest Self-Registration page? Is this somehow using Onboard instead?
3) The School WiFi Register BYOD Device page seems to be using a modified version of the Guest Operator Logins:
i) Service = Application Name EQUALS Guest....not sure if there's anything else required
ii) Authentication Sources = AD only?
iii) Roles = Authorization:AD:memberOf Contains Students (my guess) with another [Device Registration] role assigned?
iv) Enforcement = Tips:Role EQUALS [Device Registration] with Student_device_Rego Enforcement Profile assigned (Probably VLAN assignment again?)
4) Once successfully registered, Webauth bounce port service is triggered (I'm wondering what are the conditions set for this?)
5) Once bounced, the client seems to hit the same RADIUS service (School_Secure) but this time using a different Enforcement Profile (School_Secure - StudentBYOD instead of School_Secure - DeviceRego)? Is this even possible? & how should I configure it?
Thanks everyone! :)