Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass and Cisco WLC Guest MAC Auth not working

1. Clearpass and Cisco WLC Guest MAC Auth not working

    Posted Oct 10, 2019 01:50 PM

    I've been playing around for a while and have read many boards on both Aruba's sites and Cisco's site, and I've tried many different variations of configurations, but I can't seem to get my MAC auth working on my Cisco controllers. Guest login with a username/password works fine. It's just that when I disconnect, delete my user and then reconnect, I get captive portaled again; it's not doing a MAC auth.


    On the Cisco WLC side, we have a foreign and an anchor controller set up for our guest SSIDs. The configurations for the SSIDs and the other settings have been matched on both controllers.


    On my Cisco controller, I have MAC filtering enabled on the L2 tab. I have On MAC Filter Failure enabled on the L3 tab. Under Security-->MAC Filtering, RADIUS Compatibility Mode has been set to Cisco ACS and MAC Delimiter is set to Colon. Under the RADIUS-->Authentication tab I have the Auth Called Station ID Type set to System MAC Address and MAC Delimiter set to Colon.


    On ClearPass, I have the Reject Delay set to 0. My policy is configured as follows. Very basic, nothing crazy.


    Matches ANY or ALL of the following conditions:
        Type                Name                  Operator   Value
    1.  Connection          Client-Mac-Address    EQUALS     %{Radius:IETF:User-Name}
    2.  Radius:Airespace    Airespace-Wlan-Id     EQUALS     22


    Authentication:
    Authentication Methods:
    [MAC AUTH]
    Authentication Sources:
    1. [Endpoints Repository] [Local SQL DB]
    Strip Username Rules:
    -
    Authorization:
    Authorization Details:
    1. [Time Source] [Local SQL DB]
    2. [Guest User Repository] [Local SQL DB]

    Roles:

    1.(Authorization:[Time Source]:Now DT  LESS_THAN  %{Endpoint:MAC-Auth Expiry})
    AND  (Authorization:[Guest User Repository]:AccountExpired  EQUALS  false)
    AND  (Authorization:[Guest User Repository]:AccountEnabled  EQUALS  true)
    AND  (Authorization:[Endpoints Repository]:Unique-Device-Count  EXISTS   )
    [MAC Caching]
    2.(Endpoint:Guest Role ID  EQUALS  1)[Contractor]
    3.(Endpoint:Guest Role ID  EQUALS  2)[Guest]
    4.(Endpoint:Guest Role ID  EQUALS  3)[Employee]


    Enforcement:

    1.(Tips:Role  MATCHES_ALL  [MAC Caching] [Guest] [User Authenticated])  [Allow Access Profile], Cisco Guest Profile
    2.(Tips:Role  MATCHES_ANY  [Guest])  [Allow Access Profile], Cisco Captive Portal Profile


    I'm kind of at a loss and can't seem to figure it out. I've tweaked the profiles and have tried different things in the policy. At one point I did have this as an alert in Access Tracker.

    Error Code:
    209
    Error Category:
    Authentication failure
    Error Message:
    No password in request
     Alerts for this Request 
    RADIUSMAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication
    Cannot select appropriate authentication method
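The two alerts quoted above ("No password in request" and "Password in request doesn't match username") come from the sanity check a RADIUS server performs before it treats an Access-Request as a MAC authentication: User-Name, User-Password and Calling-Station-Id are all expected to carry the same client MAC. The script below is an added illustration written for this thread; it is not ClearPass or Cisco WLC code, and it models that check with a delimiter-insensitive comparison (colon, hyphen, dotted and delimiter-free forms all normalise to the same value), which is an assumption about how such a check behaves rather than a description of ClearPass internals. The sample requests and the MAC 00:11:22:aa:bb:cc are constructed, not captured traffic.

```python
"""Consistency checks for a RADIUS MAC-authentication request.

Added illustration, not ClearPass or Cisco WLC code. It models, in spirit, the
pre-check whose failures the post quotes ("No password in request" and
"Password in request doesn't match username. Not attempting MAC authentication").
A MAC-auth request is expected to carry the client MAC in User-Name, in
User-Password (cleartext after RADIUS decryption) and in Calling-Station-Id.
"""
import re

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value):
    """Return a MAC as 12 lowercase hex digits, or None if value is not a MAC.

    Accepts colon, hyphen, dotted and delimiter-free forms in either case, so
    the delimiter chosen on the NAS does not affect this comparison.
    """
    if value is None:
        return None
    cleaned = re.sub(r"[:\-.\s]", "", value.strip().lower())
    return cleaned if HEX12.match(cleaned) else None


def check_mac_auth_request(attrs):
    """Evaluate a decoded Access-Request given as {attribute name: value}.

    Returns (ok, reason). Failure reasons echo the post's alert text; the
    exact ClearPass logic is not reproduced, this is an assumed model.
    """
    username = attrs.get("User-Name")
    password = attrs.get("User-Password")
    calling = attrs.get("Calling-Station-Id")

    if not password:
        return False, "No password in request"
    user_mac = normalize_mac(username)
    if user_mac is None:
        return False, "User-Name is not a MAC address; not a MAC-auth request"
    if normalize_mac(password) != user_mac:
        return False, "Password in request doesn't match username"
    if normalize_mac(calling) != user_mac:
        return False, "Calling-Station-Id does not match User-Name"
    return True, "MAC-auth candidate for %s" % user_mac


def literal_rule_matches(client_mac, user_name):
    """Model of the service rule 'Client-Mac-Address EQUALS %{Radius:IETF:User-Name}'
    if EQUALS is a plain string comparison (assumption): delimiter style then matters.
    """
    return client_mac == user_name


# Constructed sample requests (not captured traffic); the MAC is made up.
SAMPLE_REQUESTS = {
    "colon_delimited_ok": {
        "User-Name": "00:11:22:aa:bb:cc",
        "User-Password": "00:11:22:aa:bb:cc",
        "Calling-Station-Id": "00:11:22:aa:bb:cc",
    },
    "missing_password": {
        "User-Name": "00:11:22:aa:bb:cc",
        "Calling-Station-Id": "00:11:22:aa:bb:cc",
    },
    "password_is_not_mac": {
        "User-Name": "00:11:22:aa:bb:cc",
        "User-Password": "not-a-mac-value",
        "Calling-Station-Id": "00:11:22:aa:bb:cc",
    },
}


def run_samples():
    """Return {name: (ok, reason)} for every constructed request."""
    return {name: check_mac_auth_request(req) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print("%-22s %s  %s" % (name, "ACCEPT" if ok else "REJECT", reason))
    # A literal EQUALS between a delimiter-free client MAC and a colon-delimited
    # User-Name fails even though both denote the same station.
    print(literal_rule_matches("001122aabbcc", "00:11:22:aa:bb:cc"))
```

Running the script prints one ACCEPT/REJECT line per constructed request; the second and third reproduce the two alert texts from the post. The `literal_rule_matches` model is there to make a separate point: a service rule that compares the connection's MAC with `%{Radius:IETF:User-Name}` as plain strings is sensitive to the delimiter the WLC puts in User-Name, so the delimiter setting can decide whether the MAC-auth service is selected at all, independently of the password check. Whether ClearPass normalises that comparison is not established by the post, so checking the raw User-Name in Access Tracker against the Connection:Client-Mac-Address value is the practical verification step.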