Security

You need to use the "Cisco Identity Services Engine (ISE) Authentication" option with a ClearPass MAC auth and WEBAUTH service. The MAC auth service should return back a captive portal URL using a Cisco AV-Pair and the WEBAUTH service should issue a Disconnect after succesful authentication.

Thanks Tim!  We finally got it going!

OK we thought we had it going, if I set the pre-auth check on the registration page to RADIUS, I get a RADIUS request come into ClearPass.  Even if we send an Accept Message and CoA, the client never gets connected to the network.  

Is there a setting I need to implement in order to get the request to come in as a WebAuth instead of RADIUS?

Thanks Again

Hi Tim, 

Thanks again for all the great info, we have this set up and essentially working at this point.  However the end user experience is not very clean.  Since we are issueing a COA after the webauth, the browser is essentially still finishing the login process (please wait while you are logged into the network).  The browser throws an error since we are sending the COA while its loading.  The re-auth (MAC auth) then takes place and the user is connected.  From the end user perspective, it looks like they are not connected since the browser errors and just hangs there.  

Do you have any thoughts on how to clean up that process to the end user?

Thanks

The only two types of Enforcement profiles that you can select with the Webauth Service is Post Authentication or CoA.  

Here is what we are currently sending 

Is there a different type of disconnect we should be sending?

Thanks

Use this Disconnect template > https://github.com/aruba/clearpass-radius-dynamic-authorization-templates

When I try to import that template, i get an error that Vendor ID 29671 is not a valid vendor ID.  Is that supposed to be the Vendor ID for Meraki?