Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco Wired Guest Webauth Service Question

  • 1.  Cisco Wired Guest Webauth Service Question

    Posted Apr 12, 2017 02:11 PM

    Hi:

    I'm trying to get wired captive portal guest access working with a Cisco switch.

    I realize this needs two services. The initial mac-auth service is working fine... returning the redirect-url and redirect-url-acl to the switch.

     

    But I'm having problems with the captive portal.

    We are browsing to http://<clearpassIP>/guest/ciscowiredguest.php?mac=11:22:33:44:55:66, and that brings up the login form.

    But when I enter a known guest account and click submit, Access Tracker shows a REJECT. The message is: "Failed to classify request to service". The authentication attempt comes in with just the user name - no other info.

     

    I have an active service of type "Web-based Authentication" and the rule is:

    Host - Checktype - MATCHES_ANY - Authentication.

     

    Is there some other rule I need to make this work?

    Is there a special configuration needed for the captive portal login page?

    Am I correct in understanding that the switch is not involved in this part of the transaction (until it succeeds, of course, at which point it gets a CoA Terminate session)?

     

    Thanks.

     

     



  • 2.  RE: Cisco Wired Guest Webauth Service Question

    Posted Apr 12, 2017 02:24 PM
    How do you have your Captive Portal Page login method configured?


  • 3.  RE: Cisco Wired Guest Webauth Service Question

    Posted Apr 12, 2017 02:37 PM

    I've tried several different options...

    right now it's set to:

    Vendor Settings: Cisco Systems

    Login method: Server Initiated - Change of Authorization (RFC 3576) sent to controller.

     

    What should it be set to?



  • 4.  RE: Cisco Wired Guest Webauth Service Question

    EMPLOYEE
    Posted Apr 12, 2017 02:42 PM
    That is correct. Do you have a WEBAUTH service?


  • 5.  RE: Cisco Wired Guest Webauth Service Question

    Posted Apr 12, 2017 02:51 PM

    Yes.

    Here's a screenshot of how it's configured.



  • 6.  RE: Cisco Wired Guest Webauth Service Question
    Best Answer

    EMPLOYEE
    Posted Apr 12, 2017 02:54 PM
    Hm, definitely should be matching that.

    Please post a few screenshots of the access tracker request tabs.


  • 7.  RE: Cisco Wired Guest Webauth Service Question

    Posted Apr 14, 2017 01:38 PM

    Thanks for all your help.

     

    I found the Webauth service problems: I had inadvertently selected a Pre-Auth-Check parameter in the guest login page.

    Once I set that to "None-no extra checks will be made," the webauth service is being hit successfully.

     

    Thank you.



  • 8.  RE: Cisco Wired Guest Webauth Service Question

    Posted May 17, 2017 03:23 PM

    Do you have any writeup that you can share? Looking at doing the same and don't want to reinvent the wheel.

     

    TIA.



  • 9.  RE: Cisco Wired Guest Webauth Service Question

    EMPLOYEE
    Posted May 17, 2017 03:25 PM
    There will be a full wired solution guide available in the next two weeks.


  • 10.  RE: Cisco Wired Guest Webauth Service Question

    Posted May 30, 2017 04:23 PM

    @cappalli wrote:
    There will be a full wired solution guide available in the next two weeks.

    Any updates on this :) ?



  • 11.  RE: Cisco Wired Guest Webauth Service Question

    EMPLOYEE
    Posted May 30, 2017 05:55 PM
    Friday.

