I can tell you it works, I've had it set up for a while, but I can't easily explain how to set it all up. I couldn't find any comprehensive guide either, so I had to piece it all together. I believe I used the wizard to create a service for 'Guest access with MAC caching' then customized it from there.
Here's the basic workflow:
- MAC Auth service
- Authentication set to 'Allow All MAC Auth'
- Role mappings based on Guest Role ID (from ClearPass Guest) for traditional guest/contractor/employee, but then I also set up different roles for different captive portals, and map those roles based on AP Name, SSID, etc.
- Enforcement. If the MAC auth maps to the MAC Caching role (built by the wizard), then send back an Accept along with a guest profile; this will send back to the Cisco WLC the username of the guest, for example. If the guest was MAC cached previously, authentication is done.
- Now, if it is NOT a MAC cached client, here's where we have to redirect. So my next enforcement profiles are matching my different roles to different CoA Redirects. I have different ones for different captive portals. This is where you use RADIUS Cisco-AVPair with url-redirect and url-redirect-acl. The ACL must already exist on the WLCs and provide access to the CP server via HTTPS and DNS servers at a minimum. DHCP is assumed, I believe.
- Client gets redirected to CP Guest; your guest page needs to be set up for Cisco, and I have the Guest page set up for server-initiated CoA. I'm pretty sure I had this set up for controller-initiated in the beginning, but changed it to CoA to better match up with the Aruba suggested configs.
- WebAuth Service.
- Now that the client is at the Guest page, when they log in (or just click 'accept') ClearPass Guest hits the WebAuth service.
- The enforcement here sends back the MAC Caching profile/expiration date, then a CoA for Radius:Cisco:Cisco-AVPair subscriber:command=reauthenticate. This is what forces the user to re-authenticate; they now hit the MAC Auth service again, but this time are MAC cached, and authenticated with access-allow.
That was a long answer to your question, I think. TL;DR: in the second phase, I send a CoA to force the user to re-auth. They then hit the MAC Auth service again, this time already cached, and are then given the access-accept. So really it makes it 3 steps: 1. MAC Auth (URL redirect), 2. WebAuth (CoA Reauth), 3. MAC Auth, cached (accept).
This solution actually works really well, just complicated to set up. It's nice because there is a ton of flexibility doing all the url-redirects from CPPM; we have multiple captive portals that can be chosen dynamically based on attributes. It's actually a little easier to do this with Cisco even than it is with Aruba in my experience (we are migrating from Cisco to Aruba WLCs and IAPs).
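As an added illustration (not the poster's configuration or any ClearPass code), here is a small Python model of the three-step sequence described above: MAC Auth returning a redirect for an uncached endpoint, WebAuth writing the MAC cache and issuing the reauthenticate CoA, then MAC Auth accepting the now-cached endpoint. The portal URL, ACL name, cache lifetime and the in-memory cache dictionary are constructed placeholders; the model also handles an expired cache entry, which sends the client back through the portal.

```python
# Constructed sample values; replace with your own portal URL and WLC ACL name.
PORTAL_URL = "https://cppm.example.com/guest/portal.php"  # hypothetical CP Guest page
REDIRECT_ACL = "CPPM-REDIRECT"   # must already exist on the WLC (HTTPS to CPPM, DNS)
CACHE_LIFETIME = 24 * 3600       # MAC cache expiry in seconds (placeholder value)

# Stand-in for the ClearPass endpoint repository: mac -> (username, expiry_epoch).
mac_cache = {}


def mac_auth_service(mac, now, role="guest"):
    """Steps 1 and 3: 'Allow All MAC Auth', then enforce on the cache state."""
    entry = mac_cache.get(mac)
    if entry and entry[1] > now:
        username, _ = entry
        # Cached and unexpired: Accept with the guest profile (username to the WLC).
        return {"code": "Access-Accept", "User-Name": username}
    # Uncached or expired: drop any stale entry and hand the WLC the redirect.
    mac_cache.pop(mac, None)
    return {
        "code": "Access-Accept",
        "Cisco-AVPair": [
            f"url-redirect={PORTAL_URL}?role={role}",  # portal chosen by role
            f"url-redirect-acl={REDIRECT_ACL}",
        ],
    }


def webauth_service(mac, username, now):
    """Step 2: portal login -> write the MAC cache, then CoA reauthenticate."""
    mac_cache[mac] = (username, now + CACHE_LIFETIME)
    return {"code": "CoA-Request", "Cisco-AVPair": ["subscriber:command=reauthenticate"]}


def guest_flow(mac, username, now):
    """Walk the sequence once and return the list of decisions in order."""
    steps = [mac_auth_service(mac, now)]
    if "Cisco-AVPair" in steps[0]:          # redirected, so the client hits the portal
        steps.append(webauth_service(mac, username, now))
        steps.append(mac_auth_service(mac, now))   # forced re-auth, now cached
    return steps


if __name__ == "__main__":
    for step in guest_flow("aa:bb:cc:dd:ee:01", "guest01", now=1_700_000_000):
        print(step)
```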