Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass + WLC + Eduroam + AUP/Captive Portal

  • 1.  Clearpass + WLC + Eduroam + AUP/Captive Portal

    Posted Oct 10, 2017 03:32 PM

    Hi all,

    I've already emailed my local SE, but figured I'd post here to see if any airheads have any quick ideas.

    My client wants their students to accept their AUP on a yearly basis. My original thought was to do this over an open Guest SSID and use an endpoint attribute flag to record when the agreement has been accepted and when it needs to be re-accepted. Easy.

    Then they mentioned that they were looking to do this all over EDUROAM. Now, I'm new to EDUROAM but quickly found that it is essentially 802.1X authentication over its own federated RADIUS servers, etc. Students can visit other institutions that are not their primary institution and log into the EDUROAM SSID using the credentials of their home institution.

    This kind of threw a wrench into the idea due to 802.1X, and authentication happening at L2. The only potential idea I had would be to use a conditional web redirect on the WLC, redirecting the client to the AUP page if they haven't accepted, or allowing them through if they have. Some of you probably know conditional web redirects are common when doing single-SSID onboarding (auth type = PEAP -> send to onboarding page), and they work with 802.1X SSIDs as well.

    I'm curious if layering a conditional web redirect onto the EDUROAM SSID would be a workable solution or if this would cause issues with EDUROAM. I've read that some institutions use EDUROAM as their primary secure wireless network, so some advanced policy capability has to be possible within the EDUROAM framework. Unfortunately I am new to EDUROAM, and don't have the resources to test this at the moment.

    Any thoughts/suggestions are welcome. Thanks.
    Tim Friesen
    ACMP, ACCP, CWNA/DP/SP/AP


  • 2.  RE: Clearpass + WLC + Eduroam + AUP/Captive Portal
    Best Answer

    EMPLOYEE
    Posted Oct 10, 2017 08:35 PM

    This is a fairly common scenario. You'd just add a rule to the service handling the eduroam local users (the university) that checks the endpoint for a timestamp to see if the current date is greater than it. Then put the user into a captive portal role, have them accept the terms, and stamp a new now + 1 year timestamp to the endpoint.

    What vendor is the WLC?



  • 3.  RE: Clearpass + WLC + Eduroam + AUP/Captive Portal

    Posted Oct 11, 2017 03:12 PM

    That's pretty much exactly what I thought.

    Vendor on the WLC is Cisco.

    Thanks for the confirmation, Tim!



  • 4.  RE: Clearpass + WLC + Eduroam + AUP/Captive Portal

    Posted Oct 12, 2017 10:32 AM

    One additional comment... Eduroam has some restrictions on what they want you doing with visiting users, so if you do start integrating captive portals and redirects, etc., make sure to only do it to *your* users.
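The decision logic described in the best answer (check an endpoint timestamp, send the user to a captive portal role if it has lapsed, then stamp a new now + 1 year value) combined with the restriction in the comment above (only redirect your own users, never visiting eduroam users), as an added Python model that is not part of this thread and is not ClearPass configuration. The endpoint attribute name `AUP-Expires`, the role names, the home realm `example.edu`, the MAC addresses and the stored dates are all constructed assumptions; the timestamp is kept as an ISO-8601 string because ClearPass endpoint attributes are string-valued. Visitors are identified by the realm of the outer identity, which is what a federated eduroam RADIUS flow exposes to the local ClearPass service.

```python
"""Model of an AUP-acceptance enforcement rule for home eduroam users.

Added example, not ClearPass policy: it mirrors the thread's logic of
(1) only treating the university's own users, identified by realm, as
candidates for redirection, (2) checking an endpoint attribute that holds
the expiry of the current AUP acceptance, and (3) stamping a new expiry
one year out once the user accepts. Names and data are constructed.
"""
from datetime import datetime, timedelta, timezone

HOME_REALM = "example.edu"          # assumed home-institution realm
AUP_ATTRIBUTE = "AUP-Expires"       # hypothetical endpoint attribute name
AUP_VALIDITY = timedelta(days=365)  # the "now + 1 year" from the reply

# Constructed endpoint repository: MAC -> attribute dict (no real data).
ENDPOINTS = {
    "00-11-22-33-44-55": {AUP_ATTRIBUTE: "2018-06-01T00:00:00+00:00"},  # still valid
    "00-11-22-33-44-66": {AUP_ATTRIBUTE: "2017-09-01T00:00:00+00:00"},  # expired
    "00-11-22-33-44-77": {},                                            # never accepted
}

# Constructed "current time" used by the demo and the checks below.
EXAMPLE_NOW = datetime(2017, 10, 12, 12, 0, tzinfo=timezone.utc)


def realm_of(username: str) -> str:
    """Realm of the (outer) identity: 'student@example.edu' -> 'example.edu'."""
    _, sep, realm = username.rpartition("@")
    return realm.lower() if sep else ""


def aup_current(endpoint: dict, now: datetime) -> bool:
    """True only when the endpoint carries an expiry that is still in the future."""
    raw = endpoint.get(AUP_ATTRIBUTE)
    if raw is None:
        return False
    try:
        expires = datetime.fromisoformat(raw)
    except ValueError:
        return False  # malformed attribute: treat as not accepted, re-prompt
    return now < expires


def enforcement_role(username: str, mac: str, now: datetime) -> str:
    """Role the rule would return for an 802.1X authentication on the eduroam SSID."""
    if realm_of(username) != HOME_REALM:
        # Visiting eduroam user, authenticated by their home institution:
        # never redirected, per the restriction in the thread.
        return "eduroam-visitor"
    endpoint = ENDPOINTS.setdefault(mac, {})
    if aup_current(endpoint, now):
        return "eduroam-home-user"
    return "aup-captive-portal"  # role the WLC's conditional redirect sends to the AUP page


def record_acceptance(mac: str, now: datetime) -> str:
    """Stamp the endpoint with a new expiry one year out; returns the stored value."""
    expires = (now + AUP_VALIDITY).isoformat()
    ENDPOINTS.setdefault(mac, {})[AUP_ATTRIBUTE] = expires
    return expires


if __name__ == "__main__":
    for user, mac in [("alice@example.edu", "00-11-22-33-44-55"),
                      ("bob@example.edu", "00-11-22-33-44-66"),
                      ("carol@example.edu", "00-11-22-33-44-77"),
                      ("dave@other.ac.uk", "00-11-22-33-44-77")]:
        print(f"{user:20} {mac} -> {enforcement_role(user, mac, EXAMPLE_NOW)}")
    record_acceptance("00-11-22-33-44-66", EXAMPLE_NOW)
    print("bob after accepting ->",
          enforcement_role("bob@example.edu", "00-11-22-33-44-66", EXAMPLE_NOW))
```

The realm check runs before the endpoint lookup on purpose: a visitor's device may well have an endpoint record from an earlier visit, and it must still never be put into the captive portal role. Treating a missing or malformed attribute as "not accepted" fails safe toward re-prompting your own users rather than silently granting access.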



  • 5.  RE: Clearpass + WLC + Eduroam + AUP/Captive Portal

    Posted Oct 12, 2017 04:10 PM

    Thanks, Bogenbroom.

    I sort of gathered that based on Tim's reply, but that's good to know definitively.