Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

2 x Guest SSIDs, 1 with MAC caching, 1 without

  • 1.  2 x Guest SSIDs, 1 with MAC caching, 1 without

    Posted Sep 08, 2014 11:35 AM

    Hi All,

    2 x guest services on ClearPass, 1 with MAC caching enabled and 1 without.

    Let's say the SSIDs are called:

    guest-cache

    guest-nocache

    We'll be assuming that the guest services are created using the default settings here.

    If a visitor user associates and successfully logs into the guest-nocache SSID, then disconnects and associates to the guest-cache SSID, will they MAC auth successfully?

    Looks like the "Guest Expire Post Login" and "Guest Do Expire" enforcement policies take care of this, but I'm just looking for clarification.

    Cheers

    J



  • 2.  RE: 2 x Guest SSIDs, 1 with MAC caching, 1 without

    Posted Sep 08, 2014 12:34 PM
    I think it will be redirected, since it is not doing MAC auth in the no-cache service.


  • 3.  RE: 2 x Guest SSIDs, 1 with MAC caching, 1 without

    EMPLOYEE
    Posted Sep 08, 2014 01:12 PM

    Easiest thing to do would be to disable MAC-auth on your no-cache SSID on the controller.



  • 4.  RE: 2 x Guest SSIDs, 1 with MAC caching, 1 without

    Posted Sep 09, 2014 04:13 AM

    Hmm.

    Let me explain again.

    Client "Tom" associates to the no-cache SSID, redirects to the captive portal and successfully authenticates. Tom's device MAC address is registered in the Endpoints repository.

    Tom, being a bit nosey or perhaps by mistake, connects to another SSID which happens to be the MAC caching one. The controller sends his device MAC address, the ClearPass MAC caching service matches the request, checks the Endpoint repository and finds his device MAC address. The enforcement policy sends the RADIUS accept back to the controller and Tom has gained access to the network.

    What mechanism stops this from occurring?



  • 5.  RE: 2 x Guest SSIDs, 1 with MAC caching, 1 without

    EMPLOYEE
    Posted Sep 09, 2014 04:31 AM
    I would add a role tag to users connecting and look for that attribute when they connect.

    SSID 1 guest logs in and gets guest role ID of guest-a

    SSID 2 role ID of guest-b

    and that way when they try to connect to the other SSID they have to have that guest role.


  • 6.  RE: 2 x Guest SSIDs, 1 with MAC caching, 1 without

    Posted Sep 09, 2014 04:55 AM

    If you don't change anything from the wizard-created services then yes, it will authenticate. The reason being the UPDATE ENDPOINT KNOWN and GUEST MAC CACHING policies.

    That said, you can have the SSIDs on two different systems and it will still accept the MAC caching. Basically the service checks your role, that the MAC address is in the Endpoint database, that it's known, that it has a username attribute, and that this user is still valid.

    To work around this I guess using the Role could be a way to go. Different guest roles depending on the SSID.

    Another way might be adding the CONNECTION:SSID as an attribute to the UPDATE ENDPOINT KNOWN policy and test on this during MAC caching.
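The following is an added example, not code from the thread or from ClearPass: a small Python model of the decision chain that post 6 lists for the wizard-created MAC-caching service (endpoint Known, Username attribute present, guest account still valid, role matches), replayed for the "Tom" scenario from post 4. The endpoint attribute names (`Username`, `MAC-Auth Expiry`, `SSID`), the role names and the guest account are assumptions constructed for the simulation. It shows why the default policies accept Tom on guest-cache after a login on guest-nocache, and how either of the two suggested fixes (a per-SSID guest role from post 5, or stamping the SSID on the endpoint and testing it during MAC caching from post 6) turns that into a reject.

```python
"""Constructed model of the MAC-caching decision described in the thread.

Not ClearPass code: repository, attribute names and enforcement steps are
assumptions that mirror the checks listed in post 6, plus the two fixes
proposed in posts 5 and 6.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Endpoint:
    mac: str
    status: str = "Unknown"             # becomes "Known" after portal login
    attributes: dict = field(default_factory=dict)


@dataclass
class GuestUser:
    username: str
    role: str                           # guest role assigned at registration
    expire_time: datetime               # account validity ("user still valid")


class EndpointRepository:
    def __init__(self):
        self._by_mac = {}

    def get(self, mac):
        mac = mac.lower()
        return self._by_mac.setdefault(mac, Endpoint(mac))


def update_endpoint_known(repo, mac, user, ssid, now, bind_ssid):
    """Models UPDATE ENDPOINT KNOWN after a successful captive-portal login.

    Marks the endpoint Known, stamps the Username and a MAC-auth expiry.
    With bind_ssid=True it also records the SSID the login happened on
    (the CONNECTION:SSID idea from post 6).  Attribute names are assumed.
    """
    ep = repo.get(mac)
    ep.status = "Known"
    ep.attributes["Username"] = user.username
    ep.attributes["MAC-Auth Expiry"] = now + timedelta(hours=24)
    if bind_ssid:
        ep.attributes["SSID"] = ssid
    return ep


def mac_caching_decision(repo, users, mac, ssid, required_role, now, bind_ssid):
    """Models the GUEST MAC CACHING service: returns "ACCEPT" or "REJECT"."""
    ep = repo.get(mac)
    if ep.status != "Known":
        return "REJECT"                 # device never completed a portal login
    username = ep.attributes.get("Username")
    if not username:
        return "REJECT"                 # no Username attribute on the endpoint
    user = users.get(username)
    if user is None or user.expire_time <= now:
        return "REJECT"                 # guest account removed or expired
    if user.role != required_role:
        return "REJECT"                 # per-SSID guest role (post 5)
    if ep.attributes.get("MAC-Auth Expiry", now) <= now:
        return "REJECT"                 # cached MAC auth has lapsed
    if bind_ssid and ep.attributes.get("SSID") != ssid:
        return "REJECT"                 # endpoint was registered on another SSID
    return "ACCEPT"


def replay_tom(fix="none", elapsed=timedelta(minutes=10)):
    """Tom logs in on guest-nocache, then MAC-auths on guest-cache.

    fix: "none" (wizard defaults), "role" (different guest role per SSID),
         "ssid" (bind endpoint to the SSID it authenticated on).
    """
    now = datetime(2014, 9, 9, 4, 13)           # constructed timestamp
    repo = EndpointRepository()
    tom_mac = "AA:BB:CC:DD:EE:01"               # constructed MAC address
    # With the role fix each SSID's portal hands out its own guest role.
    tom_role = "guest-nocache" if fix == "role" else "[Guest]"
    users = {"tom": GuestUser("tom", tom_role, now + timedelta(days=1))}

    # Step 1: captive-portal success on guest-nocache registers the endpoint.
    update_endpoint_known(repo, tom_mac, users["tom"], "guest-nocache",
                          now, bind_ssid=(fix == "ssid"))

    # Step 2: the same device tries MAC auth on guest-cache a little later.
    required_role = "guest-cache" if fix == "role" else "[Guest]"
    return mac_caching_decision(repo, users, tom_mac, "guest-cache",
                                required_role, now + elapsed,
                                bind_ssid=(fix == "ssid"))


if __name__ == "__main__":
    for fix in ("none", "role", "ssid"):
        print(f"fix={fix:5s} -> {replay_tom(fix)}")
    print("expired account ->", replay_tom("none", timedelta(days=2)))
```

With the defaults modelled here the endpoint is Known, carries a Username and the account is valid, so nothing in the chain distinguishes the two SSIDs and Tom is accepted; the role and SSID checks are the only steps that consult where the login originally happened.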