Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass Guest with mac caching and Cisco WLC

  • 1.  Clearpass Guest with mac caching and Cisco WLC

    Posted Jan 23, 2015 04:41 PM

    Hi,

     

    Checking to see if anyone else has seen this type of issue with Cisco WLC & ClearPass guest:

     

    I have set up an open guest WLAN on a Cisco WLC with Layer2 mac-filtering, Layer3 Web Policy/"On Mac failure" pointing to external ClearPass captive portal.

    I used the templates to create the 2 services,

    -one with mac authentication accept if exists, reject if doesn't exist

    -WLC receives reject and sends user to Clearpass portal page to accept terms.

    -CPM radius reject delay is set to 0

     

    -The first time a user connects, the clearpass portal appears

    -user accepts terms,

    -instead of gaining access, the Cisco internal web auth page appears. (no attributes set on endpoint)

    -user refreshes the browser, the Clearpass screen appears.

    -user accepts terms and gains access (attributes are set on endpoint)

     

    This can easily be reproduced. I've opened a Cisco TAC but am waiting to work on it with them.

     

    Thanks,

    Jeanne



  • 2.  RE: Clearpass Guest with mac caching and Cisco WLC

    Posted Jan 23, 2015 05:29 PM
    Can you please share the error message, if any?

    Which attributes are you trying to use?


  • 3.  RE: Clearpass Guest with mac caching and Cisco WLC

    Posted Jan 23, 2015 06:02 PM

    The templates set 2 attributes:

    Guest Role ID

    Username (which, in this case, is the same for all guests because they are just accepting a policy)

     

    There isn't an error, other than the reject when the user is connecting the first time and the MAC address isn't cached already.

     

    To do a retest, we just clear the 2 attributes and can reproduce the problem.

     

    thanks

    Jeanne



  • 4.  RE: Clearpass Guest with mac caching and Cisco WLC

    Posted Jan 24, 2015 12:43 AM
    What version WLC?

    You need to consider doing it with Central WEB auth. (Like ISE). I hated doing it with the on-Mac-failure.