Contributor I

Clearpass - How to return a CP guest username when using MAC caching

I am using Clearpass 6.2 and Aruba Instant for captive portal wireless guest authentication.

The MAC caching feature of Clearpass Authentication works fantastically, and ensures our guests enjoy uninterrupted wireless access from any other sites, until their Clearpass guest login expires. If anyone is using Clearpass without the MAC caching feature and experiencing problems with sessions timing out, or guest users being troubled by excess captive portal reauthentication, I would strongly recommend trying it.

One niggle we have with MAC caching is that authenticated users soon appear in the Instant virtual controller as MAC addresses, rather than their original Clearpass guest user name (e-mail address) - because after the initial captive portal login, subsequent RADIUS authentications are just by MAC address.

ap.png

As you can see in the bottom 3 users.

The same is true in Clearpass Insight. Bandwidth usage is logged against these MAC addresses, not their username.

Now, of course, Clearpass Policy Manager is clever enough to match these cached MAC addresses to the original username and assign attributes such as username, sponsor, role, etc. And if I look up a MAC address in CPM access tracker, or the endpoint list, I can quickly see the user's e-mail address and other mapped attributes from CP Guest.

I'm not an expert with RADIUS, but I'm aware some of these details can be passed back to the controller as part of the RADIUS output. I'm wondering whether it is possible to return the e-mail address username and have Instant and CP Insight show this instead of the MAC address.

cp.png

I've had a go at making an enforcement policy to return the username to a variety of RADIUS attributes.

output.png

and in access tracker this appears to be returning values correctly. However, it is having no effect in CP Insight or on the Aruba Instant controller.

Does anyone know if this is possible?

Aruba

Re: Clearpass - How to return a CP guest username when using MAC caching

Yes this is possible with the latest ClearPass revision. I have only done this with controller based deployments, but I think it should also work with Instant. I've done it with the following Enforcement Profile configuration:

cp-sponsorname.jpg

------------------------------------------------
Systems Engineer, Northeast USA
AMFX | ACCX | ACDX | ACMX

Contributor I

Re: Clearpass - How to return a CP guest username when using MAC caching

Thanks clembo

As you can see from my last 2 screenshots, I'm already successfully returning a value to "Radius:IETF:User-name" in my RADIUS output - and that part is working.

The problem I have is that in Aruba Instant, and CP Insight, this is still appearing as the MAC address. I'm wondering if there is a different attribute I could use - or a different technique - to achieve this.

Moderator

Re: Clearpass - How to return a CP guest username when using MAC caching

jharb,

What version of Instant code are you running?



If this response is more than 1 year old, it may no longer be accurate. Please consult official Aruba documentation, TAC or your Aruba SE.

| Aruba Alumni | @timcappalli | timcappalli.me |

Contributor I

Re: Clearpass - How to return a CP guest username when using MAC caching

6.2.1.0-3.4.0.1_39461

Frequent Contributor II

Re: Clearpass - How to return a CP guest username when using MAC caching

Would you happen to know the syntax of returning a value that is listed as an attribute under the endpoint?

Moderator

Re: Clearpass - How to return a CP guest username when using MAC caching

Here's an example of returning the username attached to endpoint record back to the controller:

%{Endpoint:Username}

You should be able to substitute Username for any of the attributes.

endpoint-variable.PNG



Trusted Contributor I

Re: Clearpass - How to return a CP guest username when using MAC caching

I'm experiencing the same issue on a controller running 6.1.3.7.

Guru Elite

Re: Clearpass - How to return a CP guest username when using MAC caching


@thecompnerd wrote:

I'm experiencing the same issue on a controller running 6.1.3.7.


It requires ArubaOS 6.2 and above...


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: Clearpass - How to return a CP guest username when using MAC caching

I have tried this with a controller and it works fine, but not so with the Instants.

I see the username being returned in the Radius-accept, but on the Instant, it still shows the MAC.

Instant AP225 - 6.3.1.1-4.0.0.1

CPPM - 6.2.0


If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294