Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal After MAC Auth

  • 1.  Captive Portal After MAC Auth

    MVP
    Posted Nov 07, 2014 02:30 PM

    So I have a school that wants to enforce personal device registration on the same SSID they will MAC auth to after the device is known.

    I configured a service in ClearPass for BYOD MAC Authentication that assigns a BYOD role if the device is known; if not, the default enforcement is "Device Registration".

    On the controller, the Device-Registration role has a captive portal assigned that directs the user to the ClearPass Guest operator login to add their device, and once they reconnect, it should MAC auth them again and put them in the BYOD role.

    Is this possible? I'm having trouble getting the captive portal redirect to work. It's also not working on my guest SSID, so I think it's something else, but just wanted to verify this would work.

    Thanks!



  • 2.  RE: Captive Portal After MAC Auth

    EMPLOYEE
    Posted Nov 07, 2014 02:34 PM
    Yes, this is a common solution. I would recommend against using "Known" as that attribute can be updated by multiple sources. Are you looking at using the MACTrac feature? Also, for the captive portal functionality, do you have an IP address in each VLAN on the controller?


  • 3.  RE: Captive Portal After MAC Auth

    MVP
    Posted Nov 07, 2014 02:39 PM

    Yes, we are attempting to use the Device Registration operator role for students/staff to log in with their AD credentials and register their own devices before the devices have access to the internet.

    The VLAN that the user is on has an IP address on the controller. The MAC auth succeeds because I am using the default profile if the device does not exist, and the user connects to wireless, but when they launch a browser the captive portal page just keeps spinning and never loads.



  • 4.  RE: Captive Portal After MAC Auth

    MVP
    Posted Nov 07, 2014 02:39 PM

    Correction, that VLAN does NOT have an IP address on the controller, but the Guest VLAN does. Both are not loading the captive portal. Guest is just captive portal with open SSID.



  • 5.  RE: Captive Portal After MAC Auth

    EMPLOYEE
    Posted Nov 07, 2014 02:46 PM

    You need an IP on every VLAN that you want a captive portal to run.

    You'll want to create an enforcement rule that checks for "Authentication:Source EQUALS [Guest Device Repository]" and "GuestUser:Sponsor EXISTS".



  • 6.  RE: Captive Portal After MAC Auth

    MVP
    Posted Nov 07, 2014 03:24 PM

    I made the changes for the role mapping, but I'm still not sure why my captive portal won't load. We have an IP address on the VLAN on the controller. We can manually browse to ClearPass and ClearPass Guest, but it's not redirecting us automatically. We do not have a DNS entry for ClearPass, but we're pointing to https://10.1.2.184/guest/guest_registration.php, and we also don't have a valid certificate installed yet, but that should still show us the cert error page. Any ideas?

    I also verified that no proxy configuration was present in the browser.



  • 7.  RE: Captive Portal After MAC Auth

    EMPLOYEE
    Posted Nov 07, 2014 03:28 PM

    Can you run "show rights <captive-portal-role?>"



  • 8.  RE: Captive Portal After MAC Auth

    MVP
    Posted Nov 07, 2014 03:43 PM

    [2014-11-07]-Image-001.png



  • 9.  RE: Captive Portal After MAC Auth

    MVP
    Posted Nov 07, 2014 03:54 PM

    They have a firewall between the VLAN3/4 and the controller, but http and https access is permitted between VLAN1 (controller and clearpass are on) and VLAN3/4.



  • 10.  RE: Captive Portal After MAC Auth
    Best Answer

    Posted Nov 08, 2014 07:42 AM

    Can you include the full output of show rights IC-Guest-Logon? It does not appear that you have a Captive Portal profile set for that role. Also, do you allow http/https to your ClearPass box (10.1.2.184) before your captive-portal redirects?



  • 11.  RE: Captive Portal After MAC Auth

    MVP
    Posted Nov 11, 2014 08:59 AM

    We resolved the issue. I did apply the captive portal profile to the role, but I may have never saved it because it was not set when I went back in. I also needed to re-order my firewall rules to allow for the captive portal and http/https to ClearPass.

    Finally on VLAN4 we needed to add an IP address to the interface. 

    Thanks for the help!
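For readers landing on this thread later, the three fixes in the resolution (captive-portal profile actually saved on the role, HTTP/HTTPS to ClearPass permitted ahead of the redirect rules, and an IP on the controller in every client VLAN) can be read together as one ArubaOS controller configuration. The fragment below is an added illustration, not configuration posted by anyone in the thread. It assumes ClearPass returns the Aruba-User-Role VSA with the value Device-Registration for an unknown MAC and BYOD for a registered one, that the ClearPass server is 10.1.2.184 as stated above, and that the VLAN 4 subnet (10.4.0.0/24), the profile name cp-device-registration, the netdestination name and the server-group name ClearPass are placeholders to be adjusted for your deployment.

```text
! Controller must own an IP in every VLAN that runs a captive portal,
! because the redirect lands on the controller's address in the client's VLAN.
! (10.4.0.1/24 is an assumed subnet.)
interface vlan 4
   ip address 10.4.0.1 255.255.255.0
!
! ClearPass Guest server from the thread
netdestination clearpass-guest
   host 10.1.2.184
!
! Explicit permit for the client to reach ClearPass Guest directly.
! Session ACLs are first-match, so this ACL must be listed in the role
! BEFORE the built-in captiveportal ACL that dst-nats all other HTTP/HTTPS.
ip access-list session allow-clearpass-guest
   user alias clearpass-guest svc-http permit
   user alias clearpass-guest svc-https permit
!
! Captive-portal profile that sends unregistered devices to the
! ClearPass Guest device-registration page (assumed profile name).
aaa authentication captive-portal cp-device-registration
   server-group ClearPass
   login-page "https://10.1.2.184/guest/guest_registration.php"
!
! Role returned by ClearPass (Aruba-User-Role) for an unknown MAC.
! ACL order: logon-control (DHCP/DNS housekeeping), the ClearPass permit,
! then the built-in captiveportal ACL that redirects everything else.
user-role Device-Registration
   captive-portal cp-device-registration
   access-list session logon-control
   access-list session allow-clearpass-guest
   access-list session captiveportal
!
! Role returned once the device is registered and MAC auth succeeds again.
user-role BYOD
   access-list session allowall
!
! Verification after "write memory": confirm the profile and ACL order stuck,
! and that the controller has an address in the client VLAN.
!   show rights Device-Registration
!   show ip interface brief
```

Two points from the thread that this fragment depends on: first, `show rights <role>` is the check that would have caught the unsaved captive-portal profile in post 10, so run it after every edit to the role rather than trusting the GUI. Second, where an external firewall sits between the client VLANs and the controller (post 9), it must also permit HTTP/HTTPS from the client VLANs to the controller's IP in each of those VLANs and to the ClearPass server, otherwise the dst-nat redirect is correct on the controller but the browser still spins.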