Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

  • 1.  Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Aug 01, 2014 04:30 PM

    NOTE: This solution has been superseded. Please refer here for a simpler and more recent solution.

     



  • 2.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Aug 01, 2014 04:44 PM

    Thank you.



  • 3.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Aug 04, 2014 03:54 AM
    Great article mate, I was just discussing this requirement with a customer the other day!


  • 4.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Aug 04, 2014 11:10 AM

    Wow! First day of the contest, you must have been sitting waiting to pull the trigger on your tutorial.

     

    Really great document.



  • 5.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Sep 22, 2014 10:38 AM

    Can't seem to download the PDF...

     

    Thanks!



  • 6.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Oct 23, 2014 10:39 PM

    Michael

    I am attempting an iteration of this where I have added an onsite sponsor using sponsors email address. My issue is the logic used in the Guest MAC Auth enforcement policy. I'm very new to Clearpass but do understand conditions rules methodology.

     

    Extract from the PDF file (image: Guest MAC Auth enforcement policy screenshot)

    The first condition tests Tips:Role as equal to demo-Unsponsored and it also equals demo-sponsored and it doesn't equal demo-expired.

    Surely it can never equal two different values so this test will never be true.

     

    Conditions 2, 3 and 4 also have additional tests that would be superfluous.

     

    Did you mean to test Tips:Role for each of these.

     

    In your policy conditions:

    Condition 1: Non-Expired, Sponsored & Unknown Device – first MAC Authentication after sponsorship.
    Note: Originally the role evaluation was set to ‘Evaluate-all’, but now set to ‘First-applicable’ so this rule
    will probably never be hit, but has been left in.
    Update Endpoint Known and change attribute in Endpoint DB, RoleID=5
    Send Aruba-User-Role=demo-sponsored.
    Send session-timeout= %{Authorization:demo MAC-Guest-Check:MAC-Expires}
    Username = %{Endpoint:Username}

     

    Condition 2: Non-Expired, sponsored & Unknown device – Guest account that has been
    sponsored by a different device. This is not likely with a short Preauth session, but for longer
    sessions, this may be relevant. Basically, the account is validated with a different device on a
    different network (requires Clearpass is accessible, typically over internet). The original device
    connects, but it is still Unknown. Alternatively, this is the first mac-auth after sponsorship.
    Update Endpoint Known and change attribute in Endpoint DB, RoleID=5
    Send Aruba-User-Role=demo-sponsored.
    Send session-timeout= demo sponsored session timeout (4 hours)
    Username = %{Endpoint:Username}

     

    The tests seem to be for the same thing. Surely you would need to find something that would be different between the two that could be tested for that would make one test true and the other false.

     

    Are my assumptions correct, and can someone suggest alternative tests?

     

    Thanks in advance guys

    Wayne



  • 7.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC
    Best Answer

    EMPLOYEE
    Posted Oct 24, 2014 02:43 AM

    Condition 1 can probably be removed as I said. The solution changed over time, but I just left that rule in.

     

    Condition 2 will be hit if the account logs in with an unknown device.  Basically registers with one device, but then confirms the email with a different device.  Since the act of confirming the email, does not trigger a CoA, this will also be hit for the first mac-auth after sponsorship.



  • 8.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Oct 27, 2014 06:30 PM

    Thank you for replying Michael.

     

    My questioning this setup wasn't what it was achieving but how it was achieving it. I couldn't grasp how testing Tips:Role to see if it equals demo-Unsponsored and also equals demo-sponsored would work. When Tips:Role equals demo-sponsored then it can't equal demo-Unsponsored, so this test can never have a true answer.

    Surely when using the AND statement you need to be testing different fields.

     

    My thoughts would be that the correct test for 2, 3 and 4 would be:

     

    2. (Tips:Role EQUALS demo-Sponsored)
       AND (Authorization:[Endpoints Repository]:Status EQUALS Unknown)

    3. (Tips:Role EQUALS demo-Sponsored)
       AND (Authorization:[Endpoints Repository]:Status EQUALS Known)

    4. (Tips:Role EQUALS demo-PreAuth)

    Would this be a correct assumption?

     

    At the moment I don't know the wireless and ClearPass technologies that well, so I struggle to understand the sequences. The other thing I am trying to come to terms with is the databases. How many are there? I suspected 3 reading your design (Insight, Local SQL and demo MAC-Guest Check [Generic SQL]), but later comments about the endpoint database etc. mean I am now unsure how many databases are in use. The other thing I think I might have picked up now is how some of these databases get updated (e.g. Enforcement Profiles), but I don't think that covers them all.

     

    Any helpful comments gratefully accepted.

     

    Wayne

     



  • 9.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 23, 2015 02:20 PM

    If this is a duplicate I apologize...

    Mr. Clarke...

    We have been using this configuration for the past several months with apparent success.  Thanks again for taking the time to do this.  I have found a small glitch that we came across and I have not been able to solve as yet and maybe you might be able to shed some light.

    The issue I have come across is that during the Preauth state and BEFORE the Sponsored state, the session timeout is set to 10 minutes; however, after the 10-minute period, it appears that MAC-Guest-Check:MAC-Expires reaches 0 or a negative number, and the session timeout value is set to a very large number which in essence never expires the session (see attached). Any insight to address this would be appreciated, as I have tried several avenues unsuccessfully with my limited ClearPass knowledge.

     


    Much appreciated

    M



  • 10.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Jan 24, 2015 03:53 AM

    Hi,

     

    As I mentioned, the solution may have some flaws.  Thank you for spotting this.

     

    I couldn't open the attachment.  can you reattach please.



  • 11.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 26, 2015 02:33 PM

    As requested... I have saved it in pdf format.

     

    I recognise that there may be issues as stated in the document, but overall it still works. It's just a matter of resolving the preauth timeout so users don't have unlimited access before sponsoring themselves.

     

     

    Thanks...M

     

     


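    An added illustration (not code from the thread, the PDF, or ClearPass itself) of the two points raised above: Wayne's corrected First-applicable conditions from post 8, and the Session-Timeout arithmetic behind the preauth glitch reported in posts 9 and 11. Attribute names mirror the thread; the request dictionaries and timestamps are constructed samples, and the unsigned 32-bit wrap-around offered for the "very large number" is one plausible mechanism, treated here as an assumption rather than a confirmed root cause.

```python
"""Toy policy evaluator and Session-Timeout arithmetic for the guest MAC-auth
flow discussed in this thread. Added illustration only: none of this is the
thread's PDF, a poster's configuration, or ClearPass code. Attribute names
mirror the thread; request dicts and timestamps are constructed samples."""

from datetime import datetime, timedelta, timezone

UINT32_MAX = 2**32 - 1             # RADIUS Session-Timeout is a 32-bit unsigned integer
PREAUTH_TIMEOUT = 10 * 60          # 10-minute preauth window (post 9)
SPONSORED_TIMEOUT = 4 * 60 * 60    # 4-hour sponsored session (post 6)

# Constructed reference time used by the samples below.
SAMPLE_NOW = datetime(2015, 1, 23, 12, 0, tzinfo=timezone.utc)


def at(seconds_from_now):
    """Constructed MAC-Expires timestamp, offset from SAMPLE_NOW."""
    return SAMPLE_NOW + timedelta(seconds=seconds_from_now)


def original_condition_1(req):
    """Condition 1 as Wayne read it: Tips:Role must equal two different
    values at once, so this can never be true for any request."""
    role = req["Tips:Role"]
    return (role == "demo-Unsponsored" and role == "demo-sponsored"
            and role != "demo-expired")


# Post 8's proposed conditions, in First-applicable order. Profile names are
# the thread's; "Endpoints:Status" stands in for
# Authorization:[Endpoints Repository]:Status.
CORRECTED_POLICY = [
    ("2: sponsored, unknown device",
     lambda r: r["Tips:Role"] == "demo-Sponsored" and r["Endpoints:Status"] == "Unknown",
     ["Update Endpoint Known", "Aruba-User-Role=demo-sponsored", "Session-Timeout=4h"]),
    ("3: sponsored, known device",
     lambda r: r["Tips:Role"] == "demo-Sponsored" and r["Endpoints:Status"] == "Known",
     ["Aruba-User-Role=demo-sponsored", "Session-Timeout=MAC-Expires"]),
    ("4: preauth",
     lambda r: r["Tips:Role"] == "demo-PreAuth",
     ["Aruba-User-Role=demo-preauth", "Session-Timeout=10m"]),
]


def evaluate_first_applicable(policy, req):
    """Return (rule name, profiles) for the first matching rule, or None."""
    for name, cond, profiles in policy:
        if cond(req):
            return name, profiles
    return None


def naive_session_timeout(mac_expires, now):
    """MAC-Expires minus now, encoded as a uint32 with no check. Once
    MAC-Expires is in the past the remainder is negative and wraps to a
    value near 4.29e9 seconds: one plausible reading of post 9's glitch."""
    remaining = int((mac_expires - now).total_seconds())
    return remaining & UINT32_MAX


def safe_session_timeout(mac_expires, now, ceiling=SPONSORED_TIMEOUT):
    """Same arithmetic with the edge case handled: an expired MAC-Expires
    yields None (apply the expired role or redirect instead of sending a
    timeout), and the result is capped at the sponsored session length."""
    remaining = int((mac_expires - now).total_seconds())
    if remaining <= 0:
        return None
    return min(remaining, ceiling)


if __name__ == "__main__":
    req = {"Tips:Role": "demo-Sponsored", "Endpoints:Status": "Unknown"}
    print(evaluate_first_applicable(CORRECTED_POLICY, req))
    print(naive_session_timeout(at(-60), SAMPLE_NOW),
          safe_session_timeout(at(-60), SAMPLE_NOW))
```

    The point of the two timeout functions is the order of checks: compute the remainder, reject anything at or below zero before it is encoded, and cap what is left. In a real policy that corresponds to an explicit "MAC-Expires is in the past" condition evaluated ahead of the rule that sends `%{Authorization:demo MAC-Guest-Check:MAC-Expires}` as Session-Timeout.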

  • 12.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Feb 04, 2015 12:31 PM

    Hi all,

    I'm trying to do this lab with CPPM version 6.4, but it doesn't work.

    During the configuration, I've found that I cannot set the value "demo-Sponsored" in the "role override" of Sponsorship Confirmation: the only values I can choose are [Guest], [Employee], [Contractor] and (prompt).

    What can I do? Have you got any suggestions to troubleshoot and solve this problem?

     

    Thanks in advance,

     

    Nicola

     

     

     



  • 13.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Feb 04, 2015 12:34 PM
    Did you define your guest roles in the [Guest Roles] role map?


  • 14.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Feb 04, 2015 12:48 PM

    I have since upgraded my lab to 6.4 and see the same issue.

     

    As Tim said, just define those roles into [Guest Roles] and they will then be available.



  • 15.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Feb 05, 2015 03:29 AM

    Thank you Mr. Cappalli and Mr. Clarke, you are right!
    Now I go ahead with troubleshooting: I'm investigating why, as soon as I click the "click here" link, even if I have been presented the receipt, there are no changes in either the controller or ClearPass: the user keeps the same role demo-preauth. I have no MAC auth after captive portal auth.
    Thank you guys for the support.

    Nicola



  • 16.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jul 22, 2015 10:53 AM

    Hello there

     

    Nice document to start ;)

     

    We are now running CP 6.5 and noticing that the Attributes are no longer present for the following 2 profiles only. Any thoughts or knowledge on this?

    "Session Restriction Enforcement" profiles

    - Update Endpoint Unknown

    - demo Additional Device Sponsored Guest MAC Caching.

     

    Thanks

    Ken


    @Michael_Clarke wrote:

    Hi,

     

    As I mentioned, the solution may have some flaws.  Thank you for spotting this.

     

    I couldn't open the attachment.  can you reattach please.


     



  • 17.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 09, 2015 06:59 AM

    Hi all

     

    Is this still considered the best method for doing this or do we have any alternative method? I want to do this but also allow the option to validate with their facebook/twitter/linkedin account.



  • 18.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Apr 14, 2015 05:26 AM

    Hello

     

    Under this section

     

    Update demo Guest MAC Authentication Service

     

    I cannot see Last Seen in my view... Running CPPM 6.5.0.175, a total clean install. Is it possible to get the select query from this part from anyone of you guys who have it? :) Awesome guide btw. Saves lots and lots of time.



  • 19.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Feb 08, 2016 01:16 PM

    Where in the document is the part where you add the "demo MAC-Guest-Check" Authorization source? Page 21 says that we need to make an edit to it, but it was never created in the first place. Knowing the parameters for creating this Authorization source would be helpful in finishing this method.

     

    Also, why is the "demo Sponsored Guest Do Expire" Session Restrictions Enforcement profile defined as "Delete and logout (4)" on page 12, but then on page 15 it tells us to create the same Enforcement profile with the same name, but change the parameters to "Disable and logout (2)". Which is it? A little clarification on this would be appreciated.

     

    Thank you!



  • 20.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Mar 08, 2016 10:01 AM

    Hi all

     

    I've set all this up for a customer but I'm finding that we are using up endpoint licenses quickly, probably due to the allow all on the MAC auth. Any ideas how I can mitigate this?

     

     



  • 21.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Mar 08, 2016 10:46 AM

    Hi,

    A first step to preserve licenses could be using MAC caching for users that connect on consecutive days.

    Then, the best way to keep the license count low is to stop users from connecting... this is the hateful truth.

     

    N

     



  • 22.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Mar 08, 2016 11:53 AM

    It's an open guest network so we can't stop connections. MAC caching is set up already.



  • 23.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Mar 08, 2016 12:29 PM

    davey_m,

     

    Have you tried to limit the number of maximum connections? Adjusting this value might help a bit.

     

    In the Aruba Controller AP Configuration > AP Group name > Wireless LAN > Virtual AP > SSID > SSID Profile > Advanced tab and scroll down to Max Associations.

     

    I know you're looking for something that will limit the total number of associated MACs for your guest SSID, so this might help. I'm not 100% clear whether or not it's a global value or if it will only affect the APs directly (meaning, if the max association is 65 PER AP for a particular SSID, this may only affect total guest capacity per AP instead of the entire SSID), but maybe modifying your guest DHCP pool to only allow for the total number of licenses you have available might help more. Just spitballing.



  • 24.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 14, 2017 12:10 PM

    Does anyone have the original PDF? The other "easier" version is missing a few things. I would like to review the original and compare both...

     



  • 25.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Dec 14, 2017 07:08 PM

    What is it that is missing?  The original version is very dated and broken now.



  • 26.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 18, 2017 12:46 PM
    Just having a hell of a time to get this designed using a Cisco WLC with CWA.
    I can't seem to get it to hit the mac cache service.

    Same type of mechanic: guest enters email, receives it, clicks the link and extends the session to x amount of hours.

    I just wanted to see the initial setup of the services. I have the initial web redirect working, user receives email and is allowed on the internet but the rest of it needs work. MAC cache, etc...


  • 27.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Dec 21, 2017 09:42 AM

    I see.  Let me test that here with my cisco controller and get back to you.  I won't be until after Xmas though. ;-)



  • 28.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 21, 2017 02:05 PM
    yes please!


  • 29.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 21, 2017 04:58 PM

    You may have this already enabled but just in case (screenshots from "How to ClearPass Guest Mac Caching with Cisco WLC.docx", not reproduced here).



  • 30.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 21, 2017 08:25 PM

    Thanks Victor, but we are using server-initiated "CWA"-like auth, so no web policy is configured on the WLC. I am sending the redirect ACL and redirect URL from CPPM to the WLC. This works great.

     

    Initial MAC authentication works, user is put into the proper CPPM role, etc. Portal loads, enter email, receive sponsorship email.

     

    Initial access tracker output shows

    1. MAC auth service
    2. web auth service
    3. goes back to mac auth service instead of the mac caching one...

     

    I will continue to work on it...off for the holidays but crunch time for me is 2nd week of January so ill see then.

     

    Anyway, Michael_Clarke, if you have something working for self-sponsoring using email and Cisco, would love to see how it was done...

     

    thanks again all

     

     

     

     



  • 31.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Dec 21, 2017 09:35 PM
    Sorry, I don't understand the workflow... let me see if I understand.
    Unknown or expired MAC caching connects and hits the MAC auth service (MAC auth failure) > then redirected and performs web auth and hits the web auth service (MAC caching is added to the endpoint DB); then if the device reauths it should hit the same MAC auth service but a different policy rule and, using the time source, it determines if the device is allowed on the network if MAC caching hasn't expired.

    Why another MAC caching service?


  • 32.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Jan 03, 2018 04:36 AM

    Going to try and spin this up today out of curiosity.  Was intending to do over the holidays, but the festive season got the better of me. ;-)

     

    Pasquale, can you send a screenshot of what you're returning in the initial mac-auth with the redirect please?  I tried here but it is not working for me.  My WLC is on an older version that I can't upgrade, which may have something to do with it.

     

    Thanks

     



  • 33.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 07, 2018 06:44 PM
    Back in the office tomorrow, the holidays were "tough" on the body here...back in full force tomorrow.


  • 34.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 08, 2018 11:47 AM

    using version 8.3 for the WLC

    Here is what I have (I am still playing with things so it's a bit everywhere): screenshots of the service rule, authentication, enforcement policy and enforcement profile (not reproduced here).



  • 35.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Jan 08, 2018 12:50 PM

    Yes, that is what I have here, but my redirect is not working.

    My WLC is on 7.0.220.0 so maybe those AVPairs are not supported on that version.



  • 36.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 09, 2018 09:03 AM
    I can send you the firmware for 8.3 if you want?

    I am not using a vWLC though...I was initially but found a 2504 lying around.


  • 37.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Jan 09, 2018 10:32 AM

    Unfortunately my ap is an 1142N model and won't upgrade beyond the version I am on.



  • 38.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 09, 2018 04:39 PM
    I believe I managed to get this to work, well at least 90% of it.

    I will post more details when I get a chance....

    Last step to figure out is after my "12 hour" session, I need to get redirected back to the portal (need to figure out some role mappings).


  • 39.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    EMPLOYEE
    Posted Jan 10, 2018 03:45 AM

    I'm curious to see how you've setup the cisco.  Are you using a conditional web redirect?  Any chance of some screenshots of the cisco?



  • 40.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 10, 2018 09:15 AM
    Most definitely once I get the time to actually put something together, my intention was to write up a complete guide and post it on the forums as this has been a challenge but also fun.
    Now, obviously there are other ways to get it done but this is how I got it to work with the help of a Clearpass SE.


  • 41.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Jan 10, 2018 03:27 PM
    One of my last pieces is when a user receives the email to sponsor themselves, there is a "click here" hyperlink which redirects them to the sponsoring page.

    1. Can this page simply not be displayed, and instead when they click the link, it sponsors them and redirects them to a website?

    2. if the sponsoring page is required, when clicking on confirm, it simply stays there and says the account is confirmed, is there any way to force the page to redirect to a particular website?

    3. How can I edit this sponsoring page as currently it is the default one?

    this is the last piece of the puzzle...i think anyway


  • 42.  RE: Clearpass Guest - Self registration & self sponsorship (email address validation) - August-MHC

    Posted Feb 01, 2018 07:42 AM

    @Michael_Clarke wrote:

    Unfortunately my ap is an 1142N model and won't upgrade beyond the version I am on.


    Hi Mike, just remember you mentioned this.

    I am using an 1142N and I am on 8.3

     

    I will PM you how to access my WLC so you can take a look how it is configured.

     

    Update on the final product.

    I managed to get something to work. Cisco CWA + WPA2-PSK is not nice... the controller must send a disassociation request so the endpoint needs to re-establish the 4-way handshake. If this was Aruba, role change, you're good.

     

    I'll keep everyone posted.