Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass MAC Caching using ActiveDirectory as the Authentication Source

  • 1.  ClearPass MAC Caching using ActiveDirectory as the Authentication Source

    Posted May 22, 2014 08:36 AM

    I need some help setting up MAC Caching in Clearpass for our Captive Portal authenticated SSID that is used to provide BYOD access for our Students.


    I am using our Active Directory as the Authentication Source rather than the TIPS Guest user database.

     

    I have managed to get everything to work but the authentication for the cached MAC address.
    It looks to me like an Authorization problem rather than an Authentication problem, as the MAC address is found and authenticated but there is no value found for the endpoint username.

     

    It looks like the WEB_Login MAC-GUEST-Check is either not being properly updated or referenced. The Request Detail shows an alert #206: “Failed to get value for attributes=[UserName]”.

     

    When I examine the MAC-GUEST-CHECK Authorization source there is a filter to set the UserName. The query for the filter is

     

    SELECT user_id as guest_device_user
    FROM tips_guest_users
    WHERE ((guest_type = 'USER')
       AND (user_id = '%{Endpoint:Username}')
       AND (app_name != 'Onboard')
       AND (enabled = 't')
       AND ((expire_time is null) OR (expire_time > CURRENT_TIMESTAMP)))

     

    I think I need to edit this filter query so that it looks in the Active Directory as opposed to tips_guest_users, but I am not sure how to structure the filter.



  • 2.  RE: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

    EMPLOYEE
    Posted May 22, 2014 08:40 AM

    Are you writing the AD username to the endpoint database after successful AD authentication in your web login service?

     

    Your best bet is to use the built in service templates to create the services and then just modify the authentication sources.



  • 3.  RE: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

    Posted May 22, 2014 09:03 AM

    Hi Tim,

     

    I did use the built in service templates to create the services. I then added my AD authentication sources but for the time being left the default local source in place as well for testing. Using a Guest account from the local Guest database everything works perfectly. The initial Web login for the AD accounts works but the authentication against the cached MAC address fails.

     

    It looks like the AD username is being written to the endpoint database after successful AD authentication. I see the correct username both as an attribute and in the policy cache when I look at the endpoint.

     

    My feeling is that the filter query in my original post needs to be edited somehow.

     

    Cheers,



  • 4.  RE: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

    Posted May 22, 2014 09:09 AM

    I created the following filter on my AD authentication source:

     

    ad_filter.JPG

     

    This looks up the Username stored in the Endpoint database against the sAMAccountName field in AD and records the memberof attribute (the groups it belongs to) into a new attribute called endpoint-memberof. You can then use this to write group matching rules on the MAC authentication service.

    However, as Tim said, you need to make sure the Username is added to the Endpoint database.



  • 5.  RE: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

    Posted May 23, 2014 01:26 PM

    Thanks,

     

    This has pointed me in the right direction.

    I did the following and so far it seems to be working.

     

    SELECT Username as guest_device_user FROM auth WHERE ((Status = 'USER') AND (Username = '%{Endpoint:Username}'))
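As an added example, not part of this thread or of ClearPass itself, the following Python script models the MAC-caching authorization step the thread is about: the endpoint is looked up by MAC, the `%{Endpoint:Username}` macro in the authorization-source filter is expanded from the stored endpoint attribute, and the filter is run. It exercises both the original `tips_guest_users` query from post 1 and the AD-source query from post 5 against constructed sample rows in sqlite3, and shows the two distinct failure modes the thread touches on: a missing endpoint username (the condition behind the "Failed to get value for attributes=[UserName]" alert) versus a filter that simply finds no row because the user lives in AD rather than the Guest database. The `endpoints` and `auth` tables, their column names and the macro-expansion behaviour are assumptions made for the model, not ClearPass internals.

```python
import re
import sqlite3

# Constructed sample rows (assumed schema, not a real deployment).
SAMPLE_ENDPOINTS = [
    # (mac, username the web-login service wrote to the endpoint, or None)
    ("00-11-22-33-44-55", "jsmith"),    # AD account that passed the captive portal
    ("00-11-22-33-44-66", "guest123"),  # local Guest database account
    ("00-11-22-33-44-77", "expired1"),  # guest account whose expiry has passed
    ("00-11-22-33-44-88", None),        # MAC seen, but no username ever stored
]
SAMPLE_GUEST_USERS = [
    # (user_id, guest_type, app_name, enabled, expire_time or None)
    ("guest123", "USER", "Guest", "t", None),
    ("expired1", "USER", "Guest", "t", "2014-01-01 00:00:00"),
]
SAMPLE_AD_USERS = [
    # (Username i.e. sAMAccountName, Status): stand-in for the AD source
    ("jsmith", "USER"),
    ("svc-old", "DISABLED"),
]

# Filter quoted in post 1 (local Guest database).
GUEST_FILTER = (
    "SELECT user_id AS guest_device_user FROM tips_guest_users "
    "WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') "
    "AND (app_name != 'Onboard') AND (enabled = 't') "
    "AND ((expire_time IS NULL) OR (expire_time > CURRENT_TIMESTAMP)))"
)
# Filter from post 5; the 'auth' table name is an assumption of this model.
AD_FILTER = (
    "SELECT Username AS guest_device_user FROM auth "
    "WHERE ((Status = 'USER') AND (Username = '%{Endpoint:Username}'))"
)

MACRO = re.compile(r"%\{Endpoint:(\w+)\}")


def build_db():
    """Create an in-memory stand-in for the endpoint, guest and AD sources."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE endpoints (mac TEXT PRIMARY KEY, username TEXT);"
        "CREATE TABLE tips_guest_users (user_id TEXT, guest_type TEXT,"
        " app_name TEXT, enabled TEXT, expire_time TEXT);"
        "CREATE TABLE auth (Username TEXT, Status TEXT);"
    )
    db.executemany("INSERT INTO endpoints VALUES (?, ?)", SAMPLE_ENDPOINTS)
    db.executemany("INSERT INTO tips_guest_users VALUES (?, ?, ?, ?, ?)",
                   SAMPLE_GUEST_USERS)
    db.executemany("INSERT INTO auth VALUES (?, ?)", SAMPLE_AD_USERS)
    return db


def expand_macros(query, endpoint):
    """Replace %{Endpoint:Attr} with the endpoint's value; return (sql, missing).

    Values are quote-escaped because the macro sits inside a SQL string literal.
    """
    missing = []

    def substitute(match):
        name = match.group(1)
        value = endpoint.get(name)
        if value is None:
            missing.append(name)
            return ""
        return value.replace("'", "''")

    return MACRO.sub(substitute, query), missing


def authorize(db, mac, filter_sql):
    """Model MAC-caching authorization for one endpoint and explain rejections."""
    row = db.execute("SELECT username FROM endpoints WHERE mac = ?",
                     (mac,)).fetchone()
    if row is None:
        return {"ok": False, "reason": "endpoint not in database"}
    sql, missing = expand_macros(filter_sql, {"Username": row[0]})
    if missing:
        # Same condition the thread's alert #206 reports.
        return {"ok": False, "reason": "Failed to get value for attributes=[%s]"
                % ", ".join(missing)}
    result = db.execute(sql).fetchone()
    if result is None:
        return {"ok": False, "reason": "authorization filter returned no row"}
    return {"ok": True, "guest_device_user": result[0]}


if __name__ == "__main__":
    db = build_db()
    for mac, _ in SAMPLE_ENDPOINTS:
        print(mac, "guest-db:", authorize(db, mac, GUEST_FILTER))
        print(mac, "ad-source:", authorize(db, mac, AD_FILTER))
```

Running it shows that the AD account `jsmith` is rejected by the Guest-database filter (no row) but accepted by the AD-source filter, that the expired guest is rejected by the expiry clause, and that an endpoint with no stored username fails before any filter runs, which is why the earlier replies insist on the web-login service writing the username to the endpoint first.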

     

     



  • 6.  RE: ClearPass MAC Caching using ActiveDirectory as the Authentication Source

    Posted Oct 21, 2014 09:04 AM

    Sorry to bump, but I am trying to do the exact same thing but don't understand how to do ... What is your "auth" table in your filter ?

     

    EDIT : Used dg27's solution and it worked. Thanks.