CoA Issue with Meraki & ClearPass Guest (using MX Anchor)


    Posted Oct 01, 2020 04:43 AM

    Hi All,

    I've run into a CoA issue with a Meraki Guest Wi-Fi solution I am building for a customer. The SSID is configured to tunnel back to a DC Anchor (MX appliance), though it works fine when configured as a non-anchored WLAN. I have deployed this design successfully with ISE several times, though have discovered that ISE & CP behave differently when constructing CoA messages. ISE uses the Source IP of the RADIUS Auth/Acct packet, whereas CP uses the NAS-IP-Address from within the last RADIUS Acct packet.

    The issue is that the RADIUS request is generated by the Meraki WAP, and sent through the tunnel to the anchor MX appliance which forwards it to CP.

    CP is configured with the MX and WAP IPs as RADIUS NAS devices. CP answers the RADIUS request with an accept and sends a server-initiated redirect. Once the user signs in to the portal, CP fires off the CoA; however, because it uses the NAS-IP-Address, the CoA is sent directly to the WAP, not the MX (which is where Meraki Engineering advise it is expected to go). The WAP drops the CoA, so the user is not re-authenticated and is consequently stuck in a portal redirect loop. As mentioned, the solution works fine when the WLAN is configured to use bridge mode, as the WAP is expected to receive the CoA directly; my issue is specific to an anchored WLAN.

    As ISE uses the real source IP of the RADIUS Auth/Acct packet it works fine. In any other enterprise wireless solution you can override (specify) the NAS-IP-Address on the controller; however, Meraki doesn't support this. TAC have advised that CP can't be changed to use the real IP, only NAS-IP.

    Any advice / thoughts would be welcome.

    Here are some of the constraints which determined the current solution:
    * Require custom portal with both self-registered and sponsored login options, desire to reuse existing ClearPass infrastructure.
    * Must be tunnelled across their WAN environment to provide separation from corporate traffic.
    * Not permitted to host splash pages Internet/public facing; this is the reason VPN access to the DC is required.
    * Not permitted to open RADIUS to the Internet, precluding the standard Meraki or EXCAP hosted logon page, as this requires that Meraki Cloud send RADIUS requests over the Internet (/24 source range).
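The two CoA target-selection rules the post contrasts can be made concrete by decoding the NAS-IP-Address attribute (type 4, RFC 2865) from an Accounting-Request and comparing it with the packet's transport source. The following is an added illustration, not ClearPass or ISE code; the addresses, the packet layout and the two `use_nas_ip` rules are constructed assumptions that model the behaviour the poster describes, where the WAP writes its own address into NAS-IP-Address but the anchored MX is the source the RADIUS server actually sees.

```python
import struct
from ipaddress import IPv4Address

# RADIUS attribute type numbers (RFC 2865 / RFC 2866)
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40

def parse_radius_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs that follow the 20-byte RADIUS header."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    attrs = {}
    pos = 20  # skip code, identifier, length and the 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def coa_destination(src_ip: str, packet: bytes, use_nas_ip: bool) -> str:
    """Return the IP a CoA would be sent to under each selection rule.
    use_nas_ip=True models the NAS-IP-Address rule the post attributes to
    ClearPass; False models the source-IP rule it attributes to ISE."""
    if not use_nas_ip:
        return src_ip
    nas_ip = parse_radius_attributes(packet).get(ATTR_NAS_IP_ADDRESS)
    if nas_ip is None or len(nas_ip) != 4:
        return src_ip  # no usable attribute: fall back to the transport source
    return str(IPv4Address(nas_ip))

def build_acct_request(nas_ip: str) -> bytes:
    """Constructed sample Accounting-Request (code 4) carrying NAS-IP-Address
    and Acct-Status-Type=Start; the authenticator is zeroed for the sample."""
    attrs = bytes([ATTR_NAS_IP_ADDRESS, 6]) + IPv4Address(nas_ip).packed
    attrs += bytes([ATTR_ACCT_STATUS_TYPE, 6]) + struct.pack("!I", 1)
    body = b"\x00" * 16 + attrs
    return struct.pack("!BBH", 4, 1, 4 + len(body)) + body

# Constructed addresses: the access point that built the packet, and the
# anchor MX that is the packet source once it leaves the tunnel.
AP_IP = "10.1.1.10"
MX_IP = "10.0.0.1"

if __name__ == "__main__":
    pkt = build_acct_request(AP_IP)
    print("source-IP rule      ->", coa_destination(MX_IP, pkt, use_nas_ip=False))
    print("NAS-IP-Address rule ->", coa_destination(MX_IP, pkt, use_nas_ip=True))
```

Capturing a real Accounting-Request and comparing the two outputs is a quick way to confirm, before raising a TAC case, whether the CoA target mismatch in an anchored design comes from the attribute value rather than the server.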