I've been playing around for a while and have read many boards on both Aruba's sites and Cisco's site, and I've tried many different variations of configurations, but can't seem to get my MAC auth working on my Cisco controllers. Guest login with a username/password works fine. Just when I disconnect, delete my user and then reconnect, I get captive portaled again; it's not doing a MAC auth.
On the Cisco WLC side, we have a foreign and anchor controller set up for our guest SSIDs. The configurations for the SSIDs and other configurations have been matched on both controllers.
On my Cisco controller, I have MAC Filtering enabled on the L2 tab. I have On MAC Filter Failure enabled on the L3 tab. Under Security --> MAC Filtering, RADIUS Compatibility Mode has been set to Cisco ACS and MAC Delimiter is set to Colon. Under the RADIUS --> Authentication tab I have the Auth Called Station ID Type set to System MAC Address and MAC Delimiter set to Colon.
On ClearPass, I have the Reject Delay set to 0. My policy is configured as follows. Very basic, nothing crazy.
Matches ANY or ALL of the following conditions:
| # | Type | Name | Operator | Value |
|---|---|---|---|---|
| 1. | Connection | Client-Mac-Address | EQUALS | %{Radius:IETF:User-Name} |
| 2. | Radius:Airespace | Airespace-Wlan-Id | EQUALS | 22 |

Authentication:
- Authentication Methods: [MAC AUTH]
- Authentication Sources: 1. [Endpoints Repository] [Local SQL DB]
- Strip Username Rules: -

Authorization:
- Authorization Details: 1. [Time Source] [Local SQL DB] 2. [Guest User Repository] [Local SQL DB]

Roles:

| # | Conditions | Role Name |
|---|---|---|
| 1. | (Authorization:[Time Source]:Now DT LESS_THAN %{Endpoint:MAC-Auth Expiry}) AND (Authorization:[Guest User Repository]:AccountExpired EQUALS false) AND (Authorization:[Guest User Repository]:AccountEnabled EQUALS true) AND (Authorization:[Endpoints Repository]:Unique-Device-Count EXISTS) | [MAC Caching] |
| 2. | (Endpoint:Guest Role ID EQUALS 1) | [Contractor] |
| 3. | (Endpoint:Guest Role ID EQUALS 2) | [Guest] |
| 4. | (Endpoint:Guest Role ID EQUALS 3) | [Employee] |

Enforcement:

| # | Conditions | Enforcement Profiles |
|---|---|---|
| 1. | (Tips:Role MATCHES_ALL [MAC Caching] [Guest] [User Authenticated]) | [Allow Access Profile], Cisco Guest Profile |
| 2. | (Tips:Role MATCHES_ANY [Guest]) | [Allow Access Profile], Cisco Captive Portal Profile |
I'm kind of at a loss and can't seem to figure it out. I've tweaked the profiles and have tried different things in the policy. At one point I did have this as an alert in Access Tracker.
Error Code: 209
Error Category: Authentication failure
Error Message: No password in request
Alerts for this Request:
RADIUS: MAC-AUTH: Password in request doesn't match username. Not attempting MAC authentication
RADIUS: Cannot select appropriate authentication method
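The Access Tracker alert above says ClearPass never reached the MAC-AUTH method because the RADIUS User-Password did not match the User-Name. The following is an added example (not code from the original post or from ClearPass) that performs that same comparison offline on constructed Access-Request attribute sets, plus the Client-Mac-Address vs. User-Name check the first service condition relies on, so a delimiter or case mismatch coming from the WLC can be spotted before staring at the policy again; the attribute dictionaries and MAC values are made up.

```python
"""Offline sanity check of the RADIUS attributes ClearPass compares for MAC auth.

Added example, not from the original post. ClearPass's MAC-AUTH method expects
User-Name and User-Password to both carry the client MAC; when they differ it
logs "Password in request doesn't match username" and skips MAC auth.
Sample requests are constructed, not captured from the poster's controllers."""
import re
from typing import Dict, List

HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(value: str) -> str:
    """Strip colon/hyphen/dot delimiters and lower-case; '' if not a 12-hex-digit MAC."""
    raw = re.sub(r"[:\-.]", "", value.strip().lower())
    return raw if HEX12.match(raw) else ""

def diagnose(req: Dict[str, str]) -> List[str]:
    """Return findings for one Access-Request; an empty list means it looks MAC-auth ready."""
    findings: List[str] = []
    user = req.get("User-Name", "")
    pwd = req.get("User-Password", "")
    csid = req.get("Calling-Station-Id", "")
    user_mac, pwd_mac, csid_mac = (normalize_mac(v) for v in (user, pwd, csid))
    if not user_mac:
        findings.append("User-Name is not a MAC address")
    if not pwd:
        findings.append("No password in request")
    elif pwd != user:
        if pwd_mac and pwd_mac == user_mac:
            # Same MAC, different delimiter or case: points at WLC delimiter/compat-mode settings
            findings.append("Password and username are the same MAC but formatted differently")
        else:
            findings.append("Password in request doesn't match username")
    if user_mac and csid_mac and user_mac != csid_mac:
        findings.append("User-Name does not match Calling-Station-Id")
    return findings

# Constructed sample requests (attribute subsets; every value is made up)
MAC = "00:11:22:aa:bb:cc"
SAMPLE_REQUESTS = {
    "ok": {"User-Name": MAC, "User-Password": MAC, "Calling-Station-Id": MAC},
    "delimiter_mismatch": {"User-Name": MAC, "User-Password": "00-11-22-aa-bb-cc", "Calling-Station-Id": MAC},
    "no_password": {"User-Name": MAC, "Calling-Station-Id": MAC},
    "wrong_password": {"User-Name": MAC, "User-Password": "guest", "Calling-Station-Id": MAC},
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: {diagnose(req) or ['OK']}")
```

To use it against a real controller, paste the User-Name, User-Password and Calling-Station-Id values from the request details of an Access Tracker entry into a dictionary of the same shape.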