Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Captive Portal Bypass - ClearPass

  • 1.  Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 08:03 AM

    Afternoon chaps

    Is there a simple way to bypass Web Auth on Captive Portal on ClearPass?

    I have an issue with certain iPhone users and a VPN application on a phone; they can't get onto the network because they can't access the portal.

     

    Can we push them into a different role using their MAC for authentication?

     

    Thanks



  • 2.  RE: Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 09:31 AM
    Can we push them into a different role using their MAC for authentication?
    Yes you can


  • 3.  RE: Captive Portal Bypass - ClearPass

    EMPLOYEE
    Posted Jun 06, 2017 09:45 AM

    Hi,

     

    Instead of the web auth service, use the MAC auth service to achieve MAC authentication.

     

    Regards,

    Pavan



  • 4.  RE: Captive Portal Bypass - ClearPass

    EMPLOYEE
    Posted Jun 06, 2017 10:37 AM

    Please explain your desired workflow. How would we get their MAC address if they're not going through a registration process?



  • 5.  RE: Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 10:43 AM

    Hi Tim

     

    Workflow is as follows:

    1. Device connects to existing SSID gets IP address.

    2. Device gets put into new role based on User Defined Rule already configured based on MAC address.

    3. New role has firewall policy 'allow all' assigned

    4. Device access internet.

     

    I have configured the UDR but the device is staying in the pre-auth role which forwards it to the captive portal. I guess I'm slightly confused with how the flow should be. Thanks



  • 6.  RE: Captive Portal Bypass - ClearPass

    EMPLOYEE
    Posted Jun 06, 2017 10:44 AM
    You shouldn’t use UDRs if you’re using ClearPass. Use the Device Registration portal in ClearPass for any MAC address overrides (Guest Device Registration).


  • 7.  RE: Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 10:48 AM

    Oh OK, I was going by some previous posts.

    I'll try the ClearPass config and let you know.



  • 8.  RE: Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 11:13 AM

    I take it the Guest Device Portal you mean in the Guest Module - 'Create Device', which I've done and assigned it a Role.

    However the device is still trying to do Web Auth according to the Access Tracker and only the once. I've also added the MAC to the existing MAC auth service, but still can't get it to bypass.



  • 9.  RE: Captive Portal Bypass - ClearPass

    EMPLOYEE
    Posted Jun 06, 2017 11:16 AM
    Ignore the WebAuth. It's only generated on initial device registration. Do you have MAC authentication enabled and the ClearPass server group defined in your AAA profile?


  • 10.  RE: Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 11:26 AM

    Yes, that's all in there, but the initial problem is that the iPhone is attempting to put that traffic into its VPN and tunnel it.

     



  • 11.  RE: Captive Portal Bypass - ClearPass

    EMPLOYEE
    Posted Jun 06, 2017 11:28 AM
    Sorry, I'm not following. MAC authentication is between the controller/AP and the RADIUS server. There is no client involvement.


  • 12.  RE: Captive Portal Bypass - ClearPass

    Posted Jun 06, 2017 11:40 AM

    I'm not following either :-)

    So are you saying the client's/device's MAC address isn't involved in MAC Authentication? What about all the MAC addresses in the End Point Repository on ClearPass?

     

    You think it's best if I raise a case with TAC?



  • 13.  RE: Captive Portal Bypass - ClearPass
    Best Answer

    EMPLOYEE
    Posted Jun 06, 2017 12:36 PM

    Hi,

     

    If you have two services, a web auth service and a MAC auth service, and don't want the client to be redirected to the captive portal page and want just MAC authentication,

    try disabling the web auth service and check if it is hitting the MAC auth service.

     

    Note: We need to map the endpoint repository in the authentication source, or if the device MAC is not listed in endpoint, we need to manually upload the MAC details and map to source.

     

    If you still have queries, please open a TAC ticket.

     

    Regards,

    Pavan