Hello all,
Consider the scenario where a Clearpass Guestconnect server is authenticating self-registering guests locally, and then backing off "unknown" user login attempts to an external Active Directory or RADIUS proxy back-end. I've already got this working, but hit a couple of challenges.
Also note quite importantly that we're making use of mac-caching in this case, and limiting the device count to 1 per user.
When an AD user connects, they authenticate into AD just fine. In addition, a mac-cache device gets added (good so far). The AD user themselves, however, is not added dynamically to the local user account list. As a consequence of this, if the user turns off their device, and then later connects another device using the same AD credentials (assuming the active session has timed out), they can "work around" the device limit we've imposed on the system of 1.
Does anybody know if there is a function to have Clearpass Guestconnect automatically "inherit" or "import" a user account when it leverages an external/back-end server? I can't think of a reason this wouldn't be feasible, as the password is carried by PAP in this case?
Also, for more kudos, is there a way to stop Clearpass backing off the mac-auth attempts to a back-end/external server? I.e. the mac-auth is key to the mac-caching obviously, but ideally you only want these to be processed by Clearpass, and not handed off (as it appears to do when an external server is added).
Any thoughts please?