Security

Reply
Occasional Contributor II

ClearPass Guest with Meraki Wireless

Does anyone have an end to end guide on how to set up ClearPass guest captive portal with Meraki Wireless?  I have set up a guest SSID within Meraki wireless and configured as a splash page with custom splash page. When the client connects to the SSID the captive portal page from clearpass loads up.  The user tries to self register, and the guest account gets created in ClearPass.  When the user tries to login, the browser is just getting directed to a Meraki 'page not found' page.  

 

Within Meraki the RADIUS transaction for the guest captive portal comes from the Meraki Cloud not the AP IPs.  

 

I dont seem to have the correct NAS vendor setting for the Meraki Cloud in order to POST the user credentials to the controller.   The RADIUS request never gets to ClearPass from the controller.  

 

Has anyone had a successful implementation with Meraki?

 

Thanks

 

 

Guru Elite

Re: ClearPass Guest with Meraki Wireless

You need to use the "Cisco Identity Services Engine (ISE) Authentication" option with a ClearPass MAC auth and WEBAUTH service. The MAC auth service should return back a captive portal URL using a Cisco AV-Pair and the WEBAUTH service should issue a Disconnect after succesful authentication.


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: ClearPass Guest with Meraki Wireless

Thanks Tim!  We finally got it going!

Highlighted
Occasional Contributor II

Re: ClearPass Guest with Meraki Wireless

OK we thought we had it going, if I set the pre-auth check on the registration page to RADIUS, I get a RADIUS request come into ClearPass.  Even if we send an Accept Message and CoA, the client never gets connected to the network.  

 

Is there a setting I need to implement in order to get the request to come in as a WebAuth instead of RADIUS?

 

Thanks Again

Guru Elite

Re: ClearPass Guest with Meraki Wireless

In the vendor settings, select Cisco and Server-Initiated.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: ClearPass Guest with Meraki Wireless

Hi Tim, 

 

Thanks again for all the great info, we have this set up and essentially working at this point.  However the end user experience is not very clean.  Since we are issueing a COA after the webauth, the browser is essentially still finishing the login process (please wait while you are logged into the network).  The browser throws an error since we are sending the COA while its loading.  The re-auth (MAC auth) then takes place and the user is connected.  From the end user perspective, it looks like they are not connected since the browser errors and just hangs there.  

 

Do you have any thoughts on how to clean up that process to the end user?

 

Thanks

 

Guru Elite

Re: ClearPass Guest with Meraki Wireless

You should be using a Disconnect, not a CoA. In the web login configuration, you can increase the login delay to accommodate for the network change.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: ClearPass Guest with Meraki Wireless

The only two types of Enforcement profiles that you can select with the Webauth Service is Post Authentication or CoA.  

 

Here is what we are currently sending 

 

Screen Shot 2019-02-11 at 1.45.19 PM.png

Is there a different type of disconnect we should be sending?

 

Thanks

 

Guru Elite

Re: ClearPass Guest with Meraki Wireless

Use this Disconnect template > https://github.com/aruba/clearpass-radius-dynamic-authorization-templates


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: ClearPass Guest with Meraki Wireless

When I try to import that template, i get an error that Vendor ID 29671 is not a valid vendor ID.  Is that supposed to be the Vendor ID for Meraki?

 

Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: