Re: Clearpass guest access portal - MAB - web authentication

It all depends on if you are doing time or bandwidth restrictions.

 

It's not required, but I'm using the Insight and Endpoints databases for post-auth checks.

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
All-Decade MVP 2020

Re: Clearpass guest access portal - MAB - web authentication

Troy,

 

One more question about your configuration. You have the following line set on the interface:

 

authentication timer reauthenticate server

 

How are you sending back the reauthentication timer from Clearpass to the server? I'm doing something similar right now, so just curious.

 

Thanks!

 

-Mike


Re: Clearpass guest access portal - MAB - web authentication

In the enforcement you change the session-timeout. For example in this one I changed it to 3600 sec which is every hour.

 

 

 

sessiontimout.png

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.
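Added example, not part of the original posts: the session-timeout set in the enforcement profile reaches the switch as the RADIUS Session-Timeout attribute (type 27, RFC 2865) in the Access-Accept, so one way to confirm it is to decode a captured reply. The sketch below parses the attribute list and also reports Termination-Action (type 29), which the thread does not mention; the packet is constructed here with a zeroed authenticator, and all function names are hypothetical.

```python
import struct

ACCESS_ACCEPT = 2        # RFC 2865 packet code
SESSION_TIMEOUT = 27     # RFC 2865: 32-bit seconds
TERMINATION_ACTION = 29  # RFC 2865: 0 = Default, 1 = RADIUS-Request

def build_accept(identifier, attrs):
    """Constructed Access-Accept with a zeroed authenticator (demo input only)."""
    body = b"".join(struct.pack("!BBI", t, 6, v) for t, v in attrs)
    header = struct.pack("!BBH16s", ACCESS_ACCEPT, identifier, 20 + len(body), bytes(16))
    return header + body

def parse_attributes(packet):
    """Return (code, {type: [raw values]}), rejecting inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute overruns the packet")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def reauth_settings(packet):
    """Extract the values that drive server-supplied reauthentication."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    def as_int(attr_type):
        values = attrs.get(attr_type)
        if not values:
            return None  # attribute absent from the reply
        if len(values[0]) != 4:
            raise ValueError("integer attribute must be 4 bytes")
        return struct.unpack("!I", values[0])[0]
    return {"session_timeout": as_int(SESSION_TIMEOUT),
            "termination_action": as_int(TERMINATION_ACTION)}

# Constructed sample: the 3600-second value from the post above.
SAMPLE = build_accept(1, [(SESSION_TIMEOUT, 3600), (TERMINATION_ACTION, 1)])
```

A result of `None` for `session_timeout` means the Access-Accept carried no timer for the switch to pick up.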
All-Decade MVP 2020

Re: Clearpass guest access portal - MAB - web authentication

Troy,

 

You know it's funny, I've only changed the VLAN number in the default VLAN policy - I've never actually read the other fields.

 

Thanks for pointing that out!

 

-Mike

Occasional Contributor II

Re: Clearpass guest access portal - MAB - web authentication

Hi everyone,

 

I'm working on the same task as you are (wired centralized web-auth like Cisco ISE).

My service setup is like yours (allow all mac-auth, url redirect returned, user's http traffic redirected, credentials are posted, etc. - it's OK), but I have the following problem:

When a guest account expires, existing sessions are not disconnected automatically :( , while if I do this manually (from Guest app -> active sessions -> disconnect), it works.

 

CPPM version - 6.2.4

Cisco catalyst 3750-x IOS 12.2(55)SE3

 

I also attached services, which I use (.xml)

 

Can you advise anything?

 

thanks )

MVP

Re: Clearpass guest access portal - MAB - web authentication

Would be awesome if the OP could post screens for the service and all related components for the end-result that seems to be working. Any chance of that happening? :)


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Occasional Contributor II

Re: Clearpass guest access portal - MAB - web authentication

Agree :)

 

This would be great !

New Contributor

Re: Clearpass guest access portal - MAB - web authentication

Hi ,

 

While doing wired guest self-registration with an Aruba switch, the user connects and is redirected to the captive portal. The user fills in the required fields and submits the credentials to be validated by the ClearPass server.

 

How is the user request categorized into the ClearPass web authentication service, so that it hits the service and authenticates?

 

Can anyone please help me with this?

 

 


@Bharani wrote:

Hi Guys,

 

We are implementing guest access to our wired network. So, we have configured 802.1x, MAB (Mac address bypass authentication) in switch ports to authenticate the users connecting to it.

 

So, if a user connects to a switchport and if he fails in both 802.1x and MAB, he is treated as guest user and should be given clearpass guest portal web login page (to create his own account to login).

 

Normally in CISCO ISE, we have an option to use 'If user_not_found in MAB, ISE will not fail MAB, rather it will send redirect url (of ISE guest portal) to switch to ask the user to login to the guest portal page'. (You could refer to page 4 of the attached document.)

 

So, in clearpass, do we have an option like 'If the user is failing MAB, the clearpass sends the re-direct url to the switch to make the user login to clearpass guest portal'? I don't find one because if he is failing MAB, the only option we're left with is to use the switch's internal web page (web-auth - fallback method for MAB).

 

Does any service/enforcement policy need to be created to accomplish this? Please help.

 

Thanks,
Bharani.....

 


 

MVP Expert

Re: Clearpass guest access portal - MAB - web authentication

The wired captive portal authentication is different from the wireless one. In the guest page use the vendor "Hewlett Packard Enterprise" and set the Pre-Auth check to none.

pic1.png

There should be a request in the access tracker.

The service within Policy Manager should be set to the Web-based authentication type.
In the service rules you can use the following:

pic2.png


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
New Contributor

Re: Clearpass guest access portal - MAB - web authentication

Hi ,

 

Yes, I selected the NAS setting as HP Enterprise and pre-auth check is unchecked.

 

And service side --> Web auth

 

Host --> Check Type --> EQUALS --> Authentication ..

 

And I have not included the guest page in the service, only one rule in the service.

 

Can you please explain the workflow: the user submits the credentials with the captive portal, the request is classified as web auth service and hits the CPPM server.

 

And I see this in access tracker ..
