Security

Reply
Highlighted
Contributor II

Captive Portal Bypass - ClearPass

Afternoon chaps

Is there a simple way to bypass Web Auth on Captive Portal on ClearPass.

I have an issue with certain iPhone users and a VPN application on a phone, they can't get onto the network becasue they cant access the portal.

 

Can we push them into a different role using their MAC for authentication?

 

Thanks


Accepted Solutions
Highlighted
MVP Expert

Re: Captive Portal Bypass - ClearPass

Hi,

 

If you have two services web and mac auth serivce and dont want client to redirect to captive portal page and want just mac authentiation.

Try disable web auth serivce and check if it is hitting mac auth service.

 

Note: We need to map end point respository in authentication source or if device mac not listed in endpoint need to manually upload the MAC details and map to source.

 

If still have queries, please open TAC ticket.

 

Regards,

Pavan


Pavan Arshewar | ACCP

If my post address your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

View solution in original post


All Replies
Highlighted
MVP Expert

Re: Captive Portal Bypass - ClearPass

Can we push them into a different role using their MAC for authentication?
Yes you can
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
MVP Expert

Re: Captive Portal Bypass - ClearPass

Hi,

 

Instead of web auth service use mac auth service to acheive MAC authentication.

 

Regards,

Pavan


Pavan Arshewar | ACCP

If my post address your queries, give kudos and accept as solution!
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Highlighted
Moderator

Re: Captive Portal Bypass - ClearPass

Please explain your desired workflow. How would we get their MAC address if they're not going through a registration process?



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Highlighted
Contributor II

Re: Captive Portal Bypass - ClearPass

Hi Tim

 

Workflow is as follows:

1. Device connects to existing SSID gets IP address.

2. Device gets put into new role based on User Defined Rule already configured based on MAC address.

3. New role has firewall policy 'allow all' assigned

4. Device access internet.

 

I have configured the UDR but the device is staying in the pre-auth role which forwards it to the captive portal. I guess I'm slightly confused with how the flow should be.Thanks

Highlighted
Moderator

Re: Captive Portal Bypass - ClearPass

You shouldn’t use UDRs if you’re using ClearPass. Use the Device Registration portal in ClearPass for any MAC address overrides (Guest Device Registration).


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Highlighted
Contributor II

Re: Captive Portal Bypass - ClearPass

Oh OK, I was going by some previuos posts.

I'll try the ClearPass config and let you know.

Highlighted
Contributor II

Re: Captive Portal Bypass - ClearPass

I take it the Guest Device Portal you mean in the Guest Module - 'Create Device', which I've done and assigned it a Role.

However the device is still trying to do Web Auth according to the Access Tracker and only the once. I've also added the mac to the existing mac auth service, but still cant get it to bypass.

Highlighted
Moderator

Re: Captive Portal Bypass - ClearPass

Ignore the WebAuth. It's only generated on initial device registration. Do you have MAC authentication enabled and the ClearPass server group defined in your AAA profile?


If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Highlighted
Contributor II

Re: Captive Portal Bypass - ClearPass

Yes thats all in there, but the initial problem is that the iPhone is attempting to put that traffic into its VPN and tunnel it.

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: