ClearPass Guest with Meraki Wireless

  • 1.  ClearPass Guest with Meraki Wireless

    Posted Feb 06, 2019 11:55 AM

    Does anyone have an end-to-end guide on how to set up ClearPass guest captive portal with Meraki Wireless?  I have set up a guest SSID within Meraki wireless and configured it as a splash page with a custom splash page. When the client connects to the SSID the captive portal page from ClearPass loads up.  The user tries to self-register, and the guest account gets created in ClearPass.  When the user tries to log in, the browser is just getting directed to a Meraki 'page not found' page.  

     

    Within Meraki the RADIUS transaction for the guest captive portal comes from the Meraki Cloud not the AP IPs.  

     

    I don't seem to have the correct NAS vendor setting for the Meraki Cloud in order to POST the user credentials to the controller.   The RADIUS request never gets to ClearPass from the controller.  

     

    Has anyone had a successful implementation with Meraki?

     

    Thanks

     

     



  • 2.  RE: ClearPass Guest with Meraki Wireless

    EMPLOYEE
    Posted Feb 06, 2019 12:01 PM

    You need to use the "Cisco Identity Services Engine (ISE) Authentication" option with a ClearPass MAC auth and WEBAUTH service. The MAC auth service should return back a captive portal URL using a Cisco AV-Pair and the WEBAUTH service should issue a Disconnect after successful authentication.



  • 3.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 06, 2019 01:06 PM

    Thanks Tim!  We finally got it going!



  • 4.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 06, 2019 02:08 PM

    OK, we thought we had it going. If I set the pre-auth check on the registration page to RADIUS, I get a RADIUS request come into ClearPass.  Even if we send an Accept Message and CoA, the client never gets connected to the network.  

     

    Is there a setting I need to implement in order to get the request to come in as a WebAuth instead of RADIUS?

     

    Thanks Again



  • 5.  RE: ClearPass Guest with Meraki Wireless

    EMPLOYEE
    Posted Feb 06, 2019 02:13 PM
    In the vendor settings, select Cisco and Server-Initiated.


  • 6.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 11, 2019 03:50 PM

    Hi Tim, 

     

    Thanks again for all the great info, we have this set up and essentially working at this point.  However the end user experience is not very clean.  Since we are issuing a COA after the webauth, the browser is essentially still finishing the login process (please wait while you are logged into the network).  The browser throws an error since we are sending the COA while it's loading.  The re-auth (MAC auth) then takes place and the user is connected.  From the end user perspective, it looks like they are not connected since the browser errors and just hangs there.  

     

    Do you have any thoughts on how to clean up that process to the end user?

     

    Thanks

     



  • 7.  RE: ClearPass Guest with Meraki Wireless

    EMPLOYEE
    Posted Feb 11, 2019 04:03 PM
    You should be using a Disconnect, not a CoA. In the web login configuration, you can increase the login delay to accommodate for the network change.


  • 8.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 11, 2019 04:48 PM

    The only two types of Enforcement profiles that you can select with the Webauth Service are Post Authentication or CoA.  

     

    Here is what we are currently sending 

     

    Screen Shot 2019-02-11 at 1.45.19 PM.png

    Is there a different type of disconnect we should be sending?

     

    Thanks

     



  • 9.  RE: ClearPass Guest with Meraki Wireless

    EMPLOYEE
    Posted Feb 11, 2019 04:51 PM


  • 10.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 11, 2019 05:08 PM

    When I try to import that template, I get an error that Vendor ID 29671 is not a valid vendor ID.  Is that supposed to be the Vendor ID for Meraki?

     



  • 11.  RE: ClearPass Guest with Meraki Wireless

    EMPLOYEE
    Posted Feb 11, 2019 07:35 PM
    Are you running ClearPass 6.7 or higher?


  • 12.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 12, 2019 02:41 PM

    Yes we are running 6.7.9 and I think we finally got it working with the re-authenticate session, audit session ID and increasing the login delay time on the captive portal page.

     

    Thanks for all your great assistance!



  • 13.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 27, 2019 10:44 AM

    Did you get it working with Windows 10 laptops as well?

     

    I got it working on smartphones using the reauthentication command and audit-session-id as well. But a laptop just remains connected. 

     

    I tried the disconnect as well. Using the Acct-Session-Id and timestamp but nothing seems to work. The laptop just won't disconnect.
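
Added example, not part of any post in this thread and not ClearPass or Meraki code: a decoder for the two RFC 5176 request types discussed above (Disconnect-Request with Acct-Session-Id and Event-Timestamp, and CoA-Request carrying a reauthenticate command with an audit-session-id), which also checks the Request Authenticator against the shared secret so a capture can be compared with what the enforcement profile was meant to send. The secret, session ids and timestamp are constructed, and the two Cisco-AVPair strings are assumed to follow the usual Cisco encoding; they are not quoted from the thread.

```python
import hashlib, hmac, struct

DISCONNECT_REQUEST, COA_REQUEST = 40, 43            # RFC 5176 packet codes
ACCT_SESSION_ID, EVENT_TIMESTAMP, VSA = 44, 55, 26  # standard attribute types
CISCO, AVPAIR = 9, 1                                # vendor id 9, sub-attribute 1

def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(text):
    return attr(VSA, struct.pack("!I", CISCO) + attr(AVPAIR, text.encode()))

def _authenticator(header, body, secret):
    # RFC 5176: MD5(code + id + length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + body + secret).digest()

def build_request(code, ident, attrs, secret):
    body = b"".join(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + _authenticator(header, body, secret) + body

def parse_request(packet, secret):
    """Decode a captured request and check its authenticator against secret."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    body, attrs, i = packet[20:], [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        atype, value = body[i], body[i + 2:i + body[i + 1]]
        if atype == VSA and value[:5] == struct.pack("!IB", CISCO, AVPAIR):
            attrs.append(("Cisco-AVPair", value[6:].decode()))
        else:
            attrs.append((atype, value))
        i += body[i + 1]
    ok = hmac.compare_digest(packet[4:20], _authenticator(packet[:4], body, secret))
    return {"code": code, "id": ident, "authenticator_ok": ok, "attrs": attrs}

# Constructed sample values (not from the thread): secret, session ids, timestamp.
SECRET = b"constructed-shared-secret"
DISCONNECT = build_request(DISCONNECT_REQUEST, 1, [
    attr(ACCT_SESSION_ID, b"constructed-acct-0001"),
    attr(EVENT_TIMESTAMP, struct.pack("!I", 1550000000))], SECRET)
REAUTH = build_request(COA_REQUEST, 2, [
    cisco_avpair("subscriber:command=reauthenticate"),
    cisco_avpair("audit-session-id=constructed-audit-0001")], SECRET)
```

An `authenticator_ok` of `False` on a real capture means the shared secret configured on the two sides differs, in which case the receiver silently drops the request.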



  • 14.  RE: ClearPass Guest with Meraki Wireless

    Posted Feb 13, 2020 06:16 PM

    Did you find anything to help you start to set up the services?  I need to only allow employees on an SSID for Meraki but don't know how to start.  Do you guys use 802.1X Wireless?  Or something else?  We are not doing a captive portal, just using their domain credentials at this time.  Is there anything I can look at about setting up wireless with Meraki or something other than Aruba access points?