Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass and Cisco WLC Captive Portal Displaying Device Information

    Posted Sep 19, 2018 12:29 PM

We are in the process of migrating our wireless network devices from Cisco ACS to ClearPass. Part of that includes introducing security for devices tied to PSK for the wireless access. The SSID on the Cisco WLCs uses MAC Filtering and we have configured Static Host Lists to successfully implement a solution.

I am trying, however, to assist the migration team with devices that cannot be added to one of the Static Host Lists prior to visiting the device to update its WiFi settings.

To do that I have created a custom "Web Page" in ClearPass that dumps the "Extra Fields" showing the device's MAC address, which is then displayed as a captive portal by entering the URL in the WLC Layer 3 security settings "On MAC Filtering Failure" option.

This works perfectly for the SSID that terminates internally on our primary WLC.

However, we have reproduced this for the SSID that terminates on an Anchor controller in our DMZ (used primarily for devices that need internet access), but the MAC address does not appear in the extra fields!

Is there a way to display the device's MAC address in a captive portal presented from ClearPass to devices that have been anchored to a foreign Cisco Wireless LAN Controller?

I assume that the MAC address is available to ClearPass because we have two other SSIDs that are anchored in the same way which have devices remembered by MAC address: the obvious one is Guest Access, but I also have a custom Web Login for first-time BYOD users so they have to access the T&Cs, where again the information is stored against the MAC address.

Anchoring:

AP--tunnel-->Primary WLC--tunnel-->Anchor WLC--->FW--->Internet

The Wireless LAN settings on both the primary and anchor WLCs are identical, down to the WLAN ID, with the exception of the "Mobility Anchor" and other settings which force all traffic over to the Anchor.

SSID Settings:

Name: PSKPerimeter
L2 Security = WPA/WPA2 PSK with MAC Filtering
L3 Security = Web Policy with "On MAC Filter failure"
Preauth ACL = Yes (same on both controllers)
Override Global Web Auth Config = true
Web Auth Type = External
URL = https://ClearPassFQDN/guest/MacDisplay.php?mac=%{Connection:Client-Mac-Address-Colon}&
(FYI: I have tried a few different ClearPass variables without any luck, for example %{Radius:IETF:Calling-Station-Id}.)
AAA Servers = ClearPass for both Authentication and Accounting
Allow AAA Override = true

Outside of the SSID, DHCP is set to use the Anchor Controller's DHCP server.

Web Page Captive Portal:

Blank "Web Page" created under Guest/Configuration/Pages/Web Pages
HTML = as default with the following line added:
"{dump var=$extra_fields export=html}"
(FYI, this works perfectly on the SSID that is not anchored.)

Service:

Type = MAC Authentication
Authentication = [Allow All MAC AUTH]
Roles = blank
Enforcement = Authentication:Source EQUALS (name of Authentication Source for Static Host List)
Default Profile = [Deny Access Profile]

When a device connects to the WiFi with the correct SSID/PSK but is not in the Static Host List, [Deny Access Profile] is correctly applied.

On the device itself the Captive Portal pops up as expected.

On the Anchor Controller the extra fields show correctly for:
switch_url
wlan
redirect
essid
mac shows as literally "%{Connection:Client-Mac-Address-Colon}&"

On the SSID that is not anchored you get:
mac = with the client MAC
switch_url
ap_mac
client_mac = again correct
redirect
essid

Reason:

The project is reducing SSIDs. The environment has devices that will need to use PSK, unfortunately; 802.1X is used where it can be, but it is not appropriate for all. The Captive Portal is designed to help the migration team quickly get the MAC address so it can be added to the static host list. There are not too many, but enough to try and find a way to help out.

Does anyone know of a different way to display the MAC address? Is there an alternative to dumping the extra_fields? Or a way to grab it through a "web login" or "self-registration" instead?

Thanks
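Added example, not the poster's or ClearPass's own code: a small Python helper for a MAC-display page that pulls the client MAC out of the WLC redirect query string, preferring the WLC-supplied client_mac field over mac and rejecting the unexpanded %{...} template that the anchored SSID produced. The two sample URLs are constructed from the field lists in the post; host names, switch_url and redirect targets, and MAC values are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample redirect URLs modelled on the two cases in the post. Host names,
# switch_url/redirect targets and MAC values are assumptions, not captured data.
NON_ANCHORED_URL = (
    "https://clearpass.example.net/guest/MacDisplay.php"
    "?mac=00:11:22:aa:bb:cc&switch_url=https://192.0.2.1/login.html"
    "&ap_mac=aa:bb:cc:00:11:22&client_mac=00:11:22:aa:bb:cc"
    "&redirect=http://example.com/&essid=PSKPerimeter"
)
# Anchored case: WLC-supplied fields present, but the ClearPass variable left unexpanded.
ANCHORED_URL = (
    "https://clearpass.example.net/guest/MacDisplay.php"
    "?mac=%{Connection:Client-Mac-Address-Colon}&switch_url=https://198.51.100.1/login.html"
    "&wlan=PSKPerimeter&redirect=http://example.com/&essid=PSKPerimeter"
)

def normalize_mac(value):
    """Return the MAC as lower-case colon-separated hex, or None if it is not one.
    Accepts colon, dash, dot or no separators; rejects anything that is not exactly
    12 hex digits, which also catches an unexpanded %{...} template string."""
    digits = re.sub(r"[:\-.]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def client_mac_from_redirect(url):
    """Extract the client MAC from a WLC captive-portal redirect URL.
    Prefers the WLC-supplied client_mac field and falls back to mac. The query
    string arrives via the client's browser, so it is untrusted input: show the
    value to the operator for confirmation; never write it to a Static Host List
    automatically. Returns (mac, source_parameter) or (None, reason)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in ("client_mac", "mac"):
        for raw in params.get(name, []):
            if raw.startswith("%{"):
                continue  # unexpanded ClearPass template, as seen on the anchored SSID
            mac = normalize_mac(raw)
            if mac is not None:
                return mac, name
    return None, "no usable MAC parameter in redirect"

if __name__ == "__main__":
    for label, url in (("non-anchored", NON_ANCHORED_URL), ("anchored", ANCHORED_URL)):
        print(label, client_mac_from_redirect(url))
```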