Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest Self register with Cisco switch

  • 1.  Clearpass Guest Self register with Cisco switch

    Posted Apr 13, 2016 03:16 PM

    Has anyone got ClearPass Guest self-registration to work with a Cisco switch? I have a Cisco 3850 switch doing MAC auth, 802.1X auth and even device registration with CoA just fine. I cannot figure out how to get it to do guest account creation with automatic login.

    I got it set up so the user gets a downloadable ACL that redirects them to the ClearPass self-registration page. They can create the account just fine, but I get stuck on the next step. In Aruba land ClearPass causes the client to log in to the controller with the new credentials. This does not seem to be an option in Cisco land. The other option seems to be to just have ClearPass send a CoA, which doesn't really help me because they just get the same downloadable ACL that lets them create an account. I could create a link on that page that also allows them to log in. But I am wondering if there is a way to either

    A> Have the Cisco switch automatically log them in

    or

    B> Upon account creation have ClearPass update the endpoint in some way, so that the next MAC auth can check the update and see that it needs to be presented with the login menu.



  • 2.  RE: Clearpass Guest Self register with Cisco switch

    EMPLOYEE
    Posted Apr 13, 2016 03:22 PM

    Is your guest self-registration page configured for Cisco in the NAD settings?



  • 3.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 13, 2016 04:01 PM
    Make sure you are using a server-initiated login and give the page 25-30 seconds.

    The NAD needs to be set to Cisco as the vendor.

    You need a web auth service and a MAC auth service.


  • 4.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 13, 2016 04:56 PM

    OK, I forgot about webauth on the switch. I still don't see how it will work.

    To do the captive portal with a downloadable ACL you need to send back an Access-Accept. If you do that, webauth will not kick in because MAC auth worked. I have MAC auth and 802.1X working. So MAC auth gets an accept with the downloadable ACL and 802.1X works in the background and either succeeds or times out. I don't see how you are going to get webauth out of the way long enough to do the captive portal and create the guest account and then get it back in for the auth. That is what the user-initiated re-auth does. But if all you have is controller-initiated CoA as an option, you would have to start webauth first, wait for it to time out, then do MAC auth with redirect, create the account and then start webauth again with a CoA. Unless Cisco can support client-initiated and I am just missing it?



  • 5.  RE: Clearpass Guest Self register with Cisco switch

    EMPLOYEE
    Posted Apr 13, 2016 05:04 PM

    Here's how it works:

    Client connects > switch sends MAC-auth > ClearPass sends back a captive portal URL and ACL name

    Client is redirected, authenticates to CP Guest portal > CPG triggers a CoA to the switch > client is disconnected > authentication starts again > client passes MAC-auth



  • 6.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 14, 2016 08:28 AM

    Tim,

    I got it and thanks. That is exactly how I got it working for self-registration. Works great.

    But I am trying to add self "guest account creation" and guest login into the mix. For those two you need the switch to be able to support "client-initiated webauth". So I guess that is my real question...

    Does anyone know if the 3850 or any Cisco switch will support "client-initiated" webauth?



  • 7.  RE: Clearpass Guest Self register with Cisco switch

    EMPLOYEE
    Posted Apr 14, 2016 08:31 AM
    I'm not really sure what you're asking. All of these things are part of guest self-registration workflow and work with server-initiated.


  • 8.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 14, 2016 09:13 AM
    The switch doesn't need to support it.

    The important thing is that the switch is able to allow the redirect, CoA and MAC auth to happen.

    When using server-initiated, the request goes through ClearPass, not the switch.


  • 9.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 14, 2016 09:34 AM

    Tim,

    I don't see how account creation and login works with server-initiated. Let's take your flow from earlier and modify it for self account creation and login.

    ---------------------------------------------------------------------------------------------------------------------------------------------------

    Client connects > switch sends MAC-auth > ClearPass sends back a captive portal URL and ACL name

    Client is redirected, creates guest account via CP Guest portal > CPG triggers a CoA to the switch > client is disconnected > MAC auth happens again and they end up at the same portal

    ------------------------------------------------------------------------------------------------------------------------------------------------

    You see, since we did not register them there is nothing to trigger a different MAC auth option. So let's add a "login" link on the same portal.

    Now they can log in with the created account, and the login gets authenticated in ClearPass, but there are two issues. Since no endpoint did the webauth, ClearPass cannot distinguish the request. Since no endpoint did the webauth, ClearPass cannot pass back a different VLAN or ACL. You need some endpoint to do the webauth. How it works on the wireless side is this.

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    Client connects > switch sends MAC-auth > ClearPass sends back a captive portal URL and ACL name

    Client is redirected, creates account on CP Guest portal > CPG triggers client to webauth with controller > controller does webauth and is handed a new role from ClearPass.

    You can have a redirect URL point them at the login page and they can log in. But the request does not come from a



  • 10.  RE: Clearpass Guest Self register with Cisco switch

    EMPLOYEE
    Posted Apr 14, 2016 09:43 AM

    The self-registration workflow has two components: the registration itself, and the weblogin. I'm failing to understand how these scenarios differ in your environment.

    If you're a NEW device without an active account, you get redirected to the captive portal. Here you can either register for a new account or log in with an existing account.

    - If you register for a new account, you go through the registration process, then click login, which does a local authentication check and then proceeds to issue a CoA to the switch.

    - If you click login, you enter your credentials, click login, a local authentication check is performed and then a CoA is issued to the switch.

    If you need assistance getting this set up, please reach out to your Aruba partner.



  • 11.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 14, 2016 10:13 AM
    Tim,

    We are going in circles now. Have you ever set it up on a Cisco switch and got it to work? I have it set up on a Cisco switch, and it does not seem to work.

    The issue is this line:

    - If you register for a new account, you go through the registration process, then click login which does a local authentication check then proceeds to issue a CoA to the switch.

    Since all you did was create a new account, you did not change how the MAC auth process will respond. After the CoA, the MAC auth will still put it in the captive portal like it did the first time. The only way to change this response is to register the device or force a webauth instead of a MAC auth. So you need webauth working on the switch, but not just webauth but client-initiated webauth.


  • 12.  RE: Clearpass Guest Self register with Cisco switch

    EMPLOYEE
    Posted Apr 14, 2016 10:41 AM

    Yes, I have. Many times. That's why I'm trying to help you :)

    You add the appropriate MAC-caching attributes to the RADIUS/WebAuth service handling the user login. This then gets added to the endpoint database so that after the CoA, the device is authenticated and dropped into the correct access role.



  • 13.  RE: Clearpass Guest Self register with Cisco switch

    Posted Apr 14, 2016 11:21 AM
    Tim,

    If you do this...

    You add the appropriate MAC-caching attributes to the RADIUS/WebAuth service handling the user login. This then gets added to the endpoint database so that after the CoA, the device is authenticated and dropped into the correct access role.

    Then you really did not log in the user so much as register him. So what happens next time he comes online? Do you somehow pull the attributes back out before then, or is he just always "registered" at that point?


  • 14.  RE: Clearpass Guest Self register with Cisco switch

    EMPLOYEE
    Posted Apr 14, 2016 11:37 AM
    It behaves like every other guest deployment. You could say that when the guest user account is created, they are registered, yes.

    The MAC-auth comes in, you verify the guest account hasn’t expired and isn’t disabled and then let the user on. If the account is expired or disabled, you drop them back into the captive portal state.
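The flow described in posts 5, 12 and 14, as an added illustration that is not part of the thread and not ClearPass or Cisco code: a small Python model of the MAC-auth service, the guest self-registration step, the server-initiated web login that writes a MAC-caching attribute onto the endpoint and fires a CoA, and the expiry/disabled check that drops a stale device back into the captive portal. It reproduces the point the original poster was stuck on in posts 9 and 11 (registration alone changes nothing; only the web login changes the next MAC-auth answer). The portal URL, the redirect ACL name, the dACL text and the "Guest Username" endpoint attribute are constructed stand-ins for whatever a real deployment uses; `url-redirect`, `url-redirect-acl` and `ip:inacl#N` are the Cisco AV-pair names, but the values here are assumptions.

```python
"""Toy model of ClearPass MAC-auth + guest web login against a Cisco switch.

Added example, not vendor code. All names and attribute values below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed values (assumptions): the self-registration page on ClearPass
# Guest and a redirect ACL already configured on the Cisco switch.
PORTAL_URL = "https://clearpass.example.com/guest/self_register.php"
REDIRECT_ACL = "REDIRECT"
GUEST_DACL = "ip:inacl#1=permit ip any any"   # downloadable ACL for guests
CACHE_ATTR = "Guest Username"                  # stand-in MAC-caching attribute


@dataclass
class GuestAccount:
    username: str
    password: str
    expires: datetime
    enabled: bool = True


@dataclass
class Endpoint:
    """One endpoint-database row keyed by MAC; attrs holds MAC-caching data."""
    mac: str
    attrs: dict = field(default_factory=dict)


class ClearPassModel:
    """Stand-in for the MAC-auth and WebAuth services on ClearPass."""

    def __init__(self, now):
        self.now = now          # injectable clock so expiry can be exercised
        self.accounts = {}      # guest username -> GuestAccount
        self.endpoints = {}     # mac -> Endpoint
        self.coa_log = []       # MACs we sent a Disconnect-Request for

    def _account_usable(self, acct):
        return acct is not None and acct.enabled and acct.expires > self.now

    def mac_auth(self, mac):
        """MAC-auth service: runs every time the switch (re)authenticates the port."""
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        acct = self.accounts.get(ep.attrs.get(CACHE_ATTR))
        if self._account_usable(acct):
            # Cached, valid guest: plain Access-Accept carrying the guest dACL.
            return {"code": "Access-Accept", "Cisco-AVPair": [GUEST_DACL]}
        # Unknown, expired or disabled: accept, but redirect to the portal
        # and forget the stale cache entry so the device must log in again.
        ep.attrs.pop(CACHE_ATTR, None)
        return {"code": "Access-Accept",
                "Cisco-AVPair": [f"url-redirect-acl={REDIRECT_ACL}",
                                 f"url-redirect={PORTAL_URL}"]}

    def self_register(self, username, password, hours):
        """Guest self-registration: creates the account and nothing else."""
        self.accounts[username] = GuestAccount(
            username, password, self.now + timedelta(hours=hours))

    def web_login(self, mac, username, password):
        """WebAuth service behind the portal's server-initiated login."""
        acct = self.accounts.get(username)
        if not self._account_usable(acct) or acct.password != password:
            return False
        ep = self.endpoints.setdefault(mac, Endpoint(mac))
        ep.attrs[CACHE_ATTR] = username     # MAC-caching: tie device to account
        self.coa_log.append(mac)            # CoA -> switch re-runs MAC auth
        return True


def is_redirect(response):
    """True when the RADIUS reply sends the client to the captive portal."""
    return any(a.startswith("url-redirect=") for a in response["Cisco-AVPair"])


def demo():
    """Walk the thread's flow; returns each MAC-auth outcome plus CoAs sent."""
    cp = ClearPassModel(now=datetime(2016, 4, 14, 9, 0))
    mac = "00:11:22:33:44:55"                      # constructed client MAC
    steps = []
    steps.append(("new device", is_redirect(cp.mac_auth(mac))))
    cp.self_register("guest1", "s3cret", hours=8)
    steps.append(("after registration only", is_redirect(cp.mac_auth(mac))))
    cp.web_login(mac, "guest1", "s3cret")          # portal login + CoA
    steps.append(("after web login + CoA", is_redirect(cp.mac_auth(mac))))
    cp.accounts["guest1"].enabled = False
    steps.append(("after account disabled", is_redirect(cp.mac_auth(mac))))
    cp.accounts["guest1"].enabled = True
    cp.now += timedelta(hours=9)                   # past the 8-hour expiry
    steps.append(("after expiry", is_redirect(cp.mac_auth(mac))))
    return {"steps": steps, "coa_requests": list(cp.coa_log)}


if __name__ == "__main__":
    result = demo()
    for name, redirected in result["steps"]:
        print(f"{name:26s} -> {'redirect to portal' if redirected else 'guest access'}")
    print("CoA sent for:", result["coa_requests"])
```

The second step is the one that answers post 11: creating the account leaves the endpoint untouched, so the next MAC auth still redirects. Only the web login writes the cache attribute and triggers the CoA, after which MAC auth returns the guest dACL instead; a disabled or expired account fails the check on the next MAC auth and the device is back at the portal, which is the behaviour post 14 describes.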