Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Guest with Cisco WLC CoA Issues

  • 1.  CPPM Guest with Cisco WLC CoA Issues

    Posted Jul 26, 2017 11:40 AM

    I've been having a tough time getting all the bugs worked out of a CPPM/Cisco WLC CoA setup. I had 'controller-initiated' redirect working, but wanted to change to 'server-initiated' to get the redirect from CPPM for more flexibility. I finally have it pretty much working, except for one hiccup I'm having with the auth sequence. 

     

    I have the MAC caching service working; when a client is unknown it sends the redirect URL to CPPM guest, where I have a simple click-through page that authenticates the user as an anonymous guest. The weirdness comes after this: after the webauth sends a CoA to reauthenticate or bounce the user, the MAC cache service is failing to map the role as MAC Cache, and performs another CoA URL redirect. The client gets redirected a second time to the guest portal. Now, if I click through the portal a second time, nothing else changes, THEN the MAC cache service applies the correct role and allows the connection. Or, if I have profiling enabled on the service, it performs the first auth, does a CoA bounce, and performs the second auth correctly again with the user still sitting at the redirect portal. I just can't figure out why the first service hit after the webauth isn't matching the rules and allowing the connection. I have put a 10sec delay in the login page hoping that would help in case it didn't have enough time to update the endpoint records, but no change. Any ideas? 

     

    On a somewhat related note, after the webauth, why isn't the client redirected back to their original URL? Now I have it set up to redirect to the canned 'you are now connected' page, but I'd like them to redirect to their original destination. I've found the technote for this but it only applies to Aruba WLCs, not Cisco apparently. 

     

    Thanks. 

     




  • 2.  RE: CPPM Guest with Cisco WLC CoA Issues

    EMPLOYEE
    Posted Jul 26, 2017 11:48 AM

    Did you check the endpoint and ensure that it was stamped with a MAC Auth Expiry and Guest Role ID?



  • 3.  RE: CPPM Guest with Cisco WLC CoA Issues

    Posted Jul 26, 2017 11:59 AM

    So that is the issue, however I can't figure out why. The Webauth service stamps the endpoint details, as seen in the output, then bounces the user. Immediately after that the user re-auths, but the details are not visible. After performing a second, identical webauth (or just bouncing the port again), the endpoint details DO show. 

     




  • 4.  RE: CPPM Guest with Cisco WLC CoA Issues

    EMPLOYEE
    Posted Jul 26, 2017 12:01 PM

    Did you add [Time Source] as an additional authorization source?



  • 5.  RE: CPPM Guest with Cisco WLC CoA Issues

    Posted Jul 26, 2017 12:04 PM

    Yes, Time Source is in the MAC Auth service, but not in the Webauth service (no authorizations there)



  • 6.  RE: CPPM Guest with Cisco WLC CoA Issues

    EMPLOYEE
    Posted Jul 26, 2017 12:05 PM

    You need it in both since you're using the variable to stamp the endpoint.



  • 7.  RE: CPPM Guest with Cisco WLC CoA Issues

    Posted Jul 26, 2017 12:15 PM

    Ok I see that helped a little, but same issue. The 'MAC auth expiry' now shows a correct date/time (rather than the variable name), but it had no impact on the auth issue. First re-auth still missing the endpoint details, second re-auth has them and completes as expected. I also ensured that the Webauth service has Endpoints and Guest User authorization sources as well just in case. 



  • 8.  RE: CPPM Guest with Cisco WLC CoA Issues

    EMPLOYEE
    Posted Jul 26, 2017 12:59 PM

    Did you configure the CoA delay in ClearPass?

     

    Also, what was the reason for switching to server-initiated?



  • 9.  RE: CPPM Guest with Cisco WLC CoA Issues

    Posted Jul 26, 2017 01:30 PM

    CoA delay under 'server properties' is at default, 2sec. I saw reference somewhere to changing that to 0, but no explanation why? 

     

    I changed to server-initiated to mirror the setup necessary for Wired Guest (CoA redirect from Cisco wired switches), as well as being able to control the redirect-url dynamically rather than statically set on the WLC SSID. Unfortunately there isn't a complete set of documentation for doing server-initiated CoA with a Cisco WLC; I've only found bits and pieces of information on the community. 

     

    Another issue I'm just noticing is that in my auth sequence, the guest user is never falling through to the 'Guest User Auth' service. It's just hitting the MAC Auth service twice, and authenticating as a MAC auth. Looks like the issue is that the WLC is sending RADIUS:IETF:User-Name as the MAC address every time, so it always matches the MAC Auth rule. The User Auth rule is looking for MACAddress NOT EQUALS RADIUS:User-Name. I just tried adding an attribute to the web-auth rule to send username back to the WLC, but it's not helping. On the services, instead of watching for RADIUS:User-Name, should I change it to Endpoint:Username or something? 

     

    This might relate to something else I've seen, discussion on sending a username back to an Aruba WLC from CPPM, but again, doesn't seem that Cisco supports that? 




  • 10.  RE: CPPM Guest with Cisco WLC CoA Issues

    EMPLOYEE
    Posted Jul 26, 2017 01:36 PM

    It's very difficult to troubleshoot this via a forum. Have you reached out to your Aruba ClearPass partner? 



  • 11.  RE: CPPM Guest with Cisco WLC CoA Issues

    Posted Jul 26, 2017 02:33 PM

    Understood, was just hoping it was something that's been seen before. This is a POC/Demo setup that I initially configured along with an Aruba SE. In the next month we will be getting our 'Production' system setup with a partner, I just wanted to get a few more things tested on the demo system before we start the final configs. I'll keep messing with it, but ultimately this might need a TAC call it looks like to figure out the Cisco>CPPM expected behavior with this piece.

     

    In regards to that CoA delay, did you have a recommended setting? Should it be set to zero for a particular reason? 



  • 12.  RE: CPPM Guest with Cisco WLC CoA Issues
    Best Answer

    Posted Jul 26, 2017 06:35 PM

    Update, worked with TAC on this. Upping the CoA delay from 2 to 5 seems to have fixed the base issue. The re-auth now comes through with the correct attributes and completes the login.

     

    The second part of my question is why doesn't it fall through to the 'Guest User' auth after the MAC Cache fail/webauth, and the answer to that seems to be that when using 'server-initiated' and CoA, everything is handled under the MAC Auth service. So I would need to move all my enforcements from the 'User Auth' service up to the 'MAC Auth' service, and it should be good. I'll test that out next.
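    The two findings of this thread (the WLC always sending the client MAC as User-Name, so the 'NOT EQUALS' rule never selects the User Auth service, and the first re-auth after the CoA arriving before the endpoint stamp is visible) can be reproduced with a small model. This is an added illustration, not ClearPass code or its API: the attribute names mirror the thread, the request and endpoint records are constructed, and the `visible_after` lag is an assumed parameter standing in for however long the stamped endpoint takes to become visible to the MAC Auth service.

```python
"""Model of the two ClearPass service behaviours discussed in the thread.
Constructed data only; function names and the visibility lag are assumptions."""
import re
from datetime import datetime, timedelta

# Colon, dash, Cisco dotted and bare forms of a MAC that a WLC may send.
_MAC_FORMS = (r"([0-9a-f]{2}[:-]){5}[0-9a-f]{2}",
              r"([0-9a-f]{4}\.){2}[0-9a-f]{4}",
              r"[0-9a-f]{12}")

def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC."""
    v = (value or "").strip().lower()
    if any(re.fullmatch(p, v) for p in _MAC_FORMS):
        return re.sub(r"[^0-9a-f]", "", v)
    return None

def classify_service(request):
    """Service selection as described in the thread: 'MAC Auth' when
    RADIUS:IETF:User-Name equals the client MAC, otherwise 'User Auth'."""
    mac = normalize_mac(request.get("Calling-Station-Id"))
    if mac is not None and normalize_mac(request.get("User-Name")) == mac:
        return "MAC Auth"
    return "User Auth"

def mac_cache_role(endpoint, now):
    """Return the cached guest role only when the endpoint carries both a
    Guest Role ID and a MAC Auth Expiry that is still in the future."""
    role = endpoint.get("Guest Role ID")
    expiry = endpoint.get("MAC Auth Expiry")
    if role is None or expiry is None or now >= expiry:
        return None  # unstamped or expired: falls to the portal redirect
    return role

def reauth_after_coa(stamp_time, visible_after, coa_delay, role="[Guest]"):
    """Assumed model of the race: the webauth stamps the endpoint at stamp_time,
    the stamp is visible to the MAC Auth service visible_after seconds later,
    and the CoA-triggered re-auth arrives coa_delay seconds later."""
    reauth_at = stamp_time + timedelta(seconds=coa_delay)
    endpoint = {}
    if reauth_at >= stamp_time + timedelta(seconds=visible_after):
        endpoint = {"Guest Role ID": role,
                    "MAC Auth Expiry": stamp_time + timedelta(hours=24)}
    return mac_cache_role(endpoint, reauth_at)

if __name__ == "__main__":
    # Constructed WLC request: User-Name is the MAC, so User Auth is never reached.
    req = {"User-Name": "AABB.CCDD.EEFF", "Calling-Station-Id": "aa-bb-cc-dd-ee-ff"}
    print(classify_service(req))                                   # MAC Auth
    t0 = datetime(2017, 7, 26, 11, 40)
    print(reauth_after_coa(t0, visible_after=3, coa_delay=2))      # None
    print(reauth_after_coa(t0, visible_after=3, coa_delay=5))      # [Guest]
```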