Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Bounce switch port after wired captive portal login

  • 1.  Bounce switch port after wired captive portal login

    Posted Oct 07, 2019 01:10 PM

    We have configured a Captive Portal to be used for Wired Guest access with MAC Caching. When a new device (a device with no entry in the Endpoint Repository) connects to the network they are presented with the captive portal and clicking on the Connect button proceeds to the login page with a countdown of 30 seconds. During this time the switch port is bounced and after the countdown the guest is directed to the original page they requested. From this point on the guest is using MAC authentication which is valid until midnight. This is working well.

     

    If the same guest returns the next day and plugs into the network they once again get the captive portal. This time when they click on the Connect button and get the login page, the switch port is not bounced and MAC authentication does not happen. At this point the guest receives the captive portal again (and again, and again). A manual bounce of the switch port or a disconnect and reconnect of the guest device does get the correct role and can use the network services.

     

    Does anyone have any ideas or recommendations for solving the switch bounce problem? We are using CPPM v6.8.2 and Aruba 2930M switches using WC.16.08 software.



  • 2.  RE: Bounce switch port after wired captive portal login

    Posted Oct 07, 2019 04:52 PM

    You should be able to find some insight into the event by looking at the CPPM Access Tracker page for the login event and seeing what roles and enforcement policies are applying.

    It can be confusing to work through what CPPM is 'thinking' but that's where the answer will be.



  • 3.  RE: Bounce switch port after wired captive portal login

    Posted Oct 07, 2019 06:36 PM

    Hi Matthew,

     

    Thank you for the reply. In both cases (bounced and no bounce) Access Tracker states the [ArubaOS Switching - Bounce Switch Port] is included in the Enforcement Profiles and 'Radius:Hewlett-Packard-Enterprise:HPE-Port-Bounce-Host 12' is listed in the Output.

     

    However you may have pointed me in the right direction. On the successful logins when the bounce does not work there is an alert related to an SQL statement with the attributes for MAC caching.

     

    Thank you.



  • 4.  RE: Bounce switch port after wired captive portal login

    Posted Oct 07, 2019 06:17 PM
    Did you enable CoA?

    radius-server host key
    radius-server host dyn-authorization
    radius-server host time-window plus-or-minus-time-window
    radius-server host time-window 30 or 0



  • 5.  RE: Bounce switch port after wired captive portal login

    Posted Oct 07, 2019 07:21 PM

    Hi Victor,

     

    I went back to verify those switch options and they are configured as you noted (time window = 30).

     



  • 6.  RE: Bounce switch port after wired captive portal login

    EMPLOYEE
    Posted Oct 10, 2019 03:56 AM

    Check the service it hits and see if this results in ClearPass sending the desired Enforcement Profile. If not, check the attributes to understand why.

    If you are sending the Disconnect and it is not triggered, there is a list of possibilities and it would be best to figure it out with TAC.

    Any reason you are using server initiated login for guest?