Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass - How to return a CP guest username when using MAC caching

  • 1.  Clearpass - How to return a CP guest username when using MAC caching

    Posted Sep 27, 2013 07:29 AM

    I am using Clearpass 6.2 and Aruba Instant for captive portal wireless guest authentication.

     

    The MAC caching feature of Clearpass Authentication works fantastically, and ensures our guests enjoy uninterrupted wireless access from any other sites, until their clearpass guest login expires. If anyone is using Clearpass without the MAC caching feature and experiencing problems with sessions timing out, or guest users being troubled by excess captive portal reauthentication, I would strongly recommend trying it.

     

    One niggle we have with MAC caching is that authenticated users soon appear in the Instant virtual controller as MAC addresses, rather than their original Clearpass guest user name (e-mail address) - because after the initial captive portal login, subsequent RADIUS authentications are just by MAC address.

     

    ap.png

    As you can see in the bottom 3 users.

    The same is true in Clearpass Insight. Bandwidth usage is logged against these mac addresses, not their username.

     

    Now, of course, Clearpass Policy Manager is clever enough to match these cached mac addresses to the original username and assign attributes such as username, sponsor, role, etc. And if I look up a MAC address in CPM access tracker, or the endpoint list, I can quickly see the user's e-mail address and other mapped attributes from CP Guest.

     

    I'm not an expert with RADIUS, but I'm aware some of these details can be passed back to the controller as part of the RADIUS output. I'm wondering whether it is possible to return the e-mail address username and have Instant, and CP Insight show this instead of the MAC address.

     

    cp.png

    I've had a go at making an enforcement policy to return the username to a variety of RADIUS attributes.

     

    output.png

    and in access tracker this appears to be returning values correctly. However, it is having no effect in CP Insight or on the Aruba Instant controller.

     

    Does anyone know if this is possible?

     

     

     



  • 2.  RE: Clearpass - How to return a CP guest username when using MAC caching

    Posted Sep 27, 2013 07:46 AM

    Yes this is possible with the latest ClearPass revision.  I have only done this with controller based deployments, but I think it should also work with Instant.   I've done it with the following Enforcement Profile configuration:

     

    cp-sponsorname.jpg



  • 3.  RE: Clearpass - How to return a CP guest username when using MAC caching

    Posted Sep 27, 2013 08:10 AM

    Thanks clembo

     

    As you can see from my last 2 screenshots, I'm already successfully returning a value to "Radius:IETF:User-name" in my RADIUS output - and that part is working.

     

    The problem I have is that in Aruba Instant, and CP Insight, this is still appearing as the MAC address. I'm wondering if there is a different attribute I could use - or a different technique - to achieve this.



  • 4.  RE: Clearpass - How to return a CP guest username when using MAC caching

    EMPLOYEE
    Posted Sep 27, 2013 08:12 AM

    jharb,

     

    What version of Instant code are you running?

     



  • 5.  RE: Clearpass - How to return a CP guest username when using MAC caching

    Posted Sep 27, 2013 08:14 AM

    6.2.1.0-3.4.0.1_39461



  • 6.  RE: Clearpass - How to return a CP guest username when using MAC caching

    Posted Oct 08, 2013 09:44 PM
    Would you happen to know the syntax of returning a value that is listed as an attribute under the endpoint?


  • 7.  RE: Clearpass - How to return a CP guest username when using MAC caching

    EMPLOYEE
    Posted Oct 08, 2013 09:56 PM

    Here's an example of returning the username attached to endpoint record back to the controller:

     

    %{Endpoint:Username}

     

    You should be able to substitute Username for any of the attributes.

     

    endpoint-variable.PNG



  • 8.  RE: Clearpass - How to return a CP guest username when using MAC caching

    Posted Oct 09, 2013 05:25 PM

    I'm experiencing the same issue on a controller running 6.1.3.7.



  • 9.  RE: Clearpass - How to return a CP guest username when using MAC caching

    EMPLOYEE
    Posted Oct 09, 2013 05:51 PM

    @thecompnerd wrote:

    I'm experiencing the same issue on a controller running 6.1.3.7.


    It requires ArubaOS 6.2 and above...

     

     



  • 10.  RE: Clearpass - How to return a CP guest username when using MAC caching

    EMPLOYEE
    Posted Jan 15, 2014 12:48 PM

    I have tried this with a controller and it works fine, but not so with the Instants.

     

    I see the username being returned in the Radius-accept, but on the instant, it still shows the mac.

     

    Instant AP225 - 6.3.1.1-4.0.0.1

     

    CPPM - 6.2.0