Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

AD authentication on captive portal

  • 1.  AD authentication on captive portal

    Posted Oct 16, 2014 04:11 AM

    Hello,

    We are using ClearPass Guest and Aruba Instant.

    We want to be able to provide the same captive portal for different types of people:

    - Some who have an account in the Active Directory
    - Some who don't have an account in the Active Directory and who must be authenticated using the sponsoring method

    Here's what we did:

    - We first joined CPPM to the AD and created it as an authentication source.
    - We then created services using the template 'Guest MAC Authentication' because we would like to implement MAC auth for these two types of people.
    - We added the AD as an authentication source on the 'Guest Access With MAC Caching' service.

    When we test the login using a valid AD account on the portal, it works. But when we disconnect from the network and then reconnect to it, we successfully access the Internet without getting redirected to the portal.

    When we take a look at the Access Tracker, the user doesn't seem to go through any service at all. There is only a REJECT on the MAC Auth profile.

    Is that normal?

    How is it supposed to work? Are the user credentials cached for a specific time? If yes, where is it configured?

    I don't think we will have any problem getting the sponsoring method to work because we have already set this up multiple times, but this is the first time we are working with Active Directory authentication and we don't really know the normal behaviour.

    Thanks in advance.

    - nice2k.



  • 2.  RE: AD authentication on captive portal

    EMPLOYEE
    Posted Oct 16, 2014 04:14 AM
    You must remove the user from the user table in the access point to force a reauth.


  • 3.  RE: AD authentication on captive portal

    Posted Oct 16, 2014 04:19 AM

    Oh okay. Do you know approximately how long the user stays in the user table when disconnected?

    And how can I make my MAC Authentication profile work with AD? Do I only have to add the AD as a source in the service?

    Thanks a lot.



  • 4.  RE: AD authentication on captive portal

    EMPLOYEE
    Posted Oct 16, 2014 04:23 AM
    One of the wireless guys will have to answer the user table question.

    I believe you can go into the CLI and type "aaa user delete all" and it will force all users to reauth, or "aaa user delete mac <device MAC address>" for a single device.

    And to answer your last question: no. It uses the endpoint database, so you don't add any other auth source.


  • 5.  RE: AD authentication on captive portal

    Posted Oct 16, 2014 04:28 AM

    Ok, that's clearer for me now. Thanks again.



  • 6.  RE: AD authentication on captive portal

    Posted Oct 16, 2014 06:28 AM

    Well, I have re-tested all this and one thing doesn't work:

    I logged in on the captive portal using my AD account, and then disconnected from the network.

    I waited for my device to no longer be displayed as a client in the Instant interface (I figured out this was the "inactivity timeout" parameter in the SSID configuration).

    And when I try to reconnect, I am redirected again to the captive portal even though I didn't delete my endpoint from the database.

    From the Access Tracker, I am rejected by the MAC AUTH service with this error: "Failed to get value for attributes=[UserName]"

    Any help?



  • 7.  RE: AD authentication on captive portal
    Best Answer

    Posted Nov 05, 2014 03:43 PM

    I think I understand your question.  Hopefully my answer below will help.

    There are 2 timers: one is on the controller (as you found out) and one in the CPPM. You can speed up the timeout on the controller with "Blacklist client".  Turn off wireless on your device, blacklist on controller, delete the blacklist then turn wireless back on.  This will cause your device to be 'new' to the AP.

    You can adjust the MAC cache time period in your service on CPPM.  Look for Authorization: [Insight Repository]: Days-Since-Auth under conditions.  It might have minutes or hours instead of days for the default.  It checks to see how long since the last time your device has authenticated (through CP).  If valid, it matches and allows access.  If it has been too long, it will fail and you will go to the next service which is the CP.

    Hopefully this helps.



  • 8.  RE: AD authentication on captive portal
    Best Answer

    Posted Nov 06, 2014 03:34 AM

    Pdavis,

    Thank you for your answer to my "timer" problem. It's OK now.

    As for my problem with caching the MAC address of the AD users, I used dg27's solution from this topic:

    http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/ClearPass-MAC-Caching-using-ActiveDirectory-as-the/m-p/164590/highlight/true#M12407

    I created a new filter on my AD source to get the groups the user is a member of, added the source to the Authorization list on my service, and created a rule on the enforcement profile to only allow members of a certain group in AD to connect.
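The MAC-caching decision that posts 7 and 8 describe, as an added illustration that is not part of the thread or of ClearPass itself: a MAC-auth request carries no UserName, so the model authorises against the username cached in the endpoint record at portal login, falls through to the captive-portal service when the Days-Since-Auth window has expired, and applies an AD group rule. The endpoint records, AD groups, the group name "WiFi-Allowed", the one-day cache window and the clock value are all constructed assumptions.

```python
"""Simplified model of ClearPass MAC caching with AD group authorization.

Added illustration only; not ClearPass code. All data below is constructed.
"""
from datetime import datetime, timedelta

# Constructed endpoint repository: MAC -> (username cached at portal login, last auth time).
ENDPOINTS = {
    "00:11:22:33:44:55": ("alice", datetime(2014, 11, 5, 9, 0)),
    "66:77:88:99:aa:bb": ("bob", datetime(2014, 10, 20, 9, 0)),   # stale entry
    "cc:dd:ee:ff:00:11": ("carol", datetime(2014, 11, 5, 9, 0)),
}

# Constructed AD group membership, standing in for the memberOf filter on the AD source.
AD_GROUPS = {
    "alice": {"Domain Users", "WiFi-Allowed"},
    "bob": {"Domain Users", "WiFi-Allowed"},
    "carol": {"Domain Users"},
}

ALLOWED_GROUP = "WiFi-Allowed"        # assumption: group the enforcement rule requires
MAC_CACHE = timedelta(days=1)         # assumption: Days-Since-Auth threshold on the service
NOW = datetime(2014, 11, 5, 18, 0)    # constructed "current time" for the evaluation


def mac_auth_decision(mac: str, now: datetime = NOW) -> str:
    """Return 'ACCEPT', 'FALLTHROUGH_TO_PORTAL' or 'REJECT' for a MAC-auth request.

    Unknown or expired endpoints fall to the next service (the captive portal),
    as post 7 describes; known endpoints are checked against AD group membership
    using the cached username, as post 8 describes.
    """
    record = ENDPOINTS.get(mac.lower())
    if record is None:
        return "FALLTHROUGH_TO_PORTAL"      # never seen: must log in on the portal
    username, last_auth = record
    if now - last_auth > MAC_CACHE:
        return "FALLTHROUGH_TO_PORTAL"      # Days-Since-Auth exceeded: re-authenticate
    groups = AD_GROUPS.get(username)
    if groups is None:
        return "REJECT"                     # assumption: account gone from AD since login
    return "ACCEPT" if ALLOWED_GROUP in groups else "REJECT"


if __name__ == "__main__":
    for mac in list(ENDPOINTS) + ["de:ad:be:ef:00:00"]:
        print(f"{mac} -> {mac_auth_decision(mac)}")
```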