Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Differentiate two web login authentication

  • 1.  Differentiate two web login authentication

    Posted Jul 28, 2014 05:10 PM

    Hi,

     

    I have a ClearPass 6.3.4.64924 and I'm making modifications on two web login pages I'm using. Both are used as Captive Portal for guest or employees' personal device registration.

     

    I ran into a roadblock after modifying the second web login: when I change the login method to Server-initiated, the WEBAUTH authentication uses the service from the other web login (that I don't want). So here is how it is set up:

     

    Web Login #1: Employee device

    Vendor: Aruba Networks

    Login Method: Server-initiated

    Authentication: Credentials

    Pre-Auth Check: Radius

     

    Web Login #2: Guest

    Vendor: Aruba Networks

    Login Method: Controller-initiated

    Authentication: Credentials

    Pre-Auth Check: Radius

     

    So, web login #1 works fine, the radius and webauth requests go through. Web login #2 is working in the controller-initiated mode, but as soon as I change it to server-initiated, the initial radius request goes through without a problem, but the webauth request doesn't work because it uses the web login #1 webauth service. I've tried to find what string I have to put in the service rule to differentiate both requests, but it seems there is none.

     

    Has someone already seen this issue? Unfortunately, I cannot use the same service for both systems as I don't want to mix corporate stuff with guest. Let me know if you need more information.

     

    Thank you

     

    Jo



  • 2.  RE: Differentiate two web login authentication

    Posted Jul 28, 2014 05:20 PM

    I understand you don't want to use the same service but you create an enforcement policy that actually has a logic for both and that shouldn't conflict with either setup

     

     



  • 3.  RE: Differentiate two web login authentication

    EMPLOYEE
    Posted Jul 28, 2014 05:34 PM
    You should receive the name of the registration page in the RADIUS input tab in ClearPass. You can key off that.


  • 4.  RE: Differentiate two web login authentication

    Posted Jul 28, 2014 05:50 PM

    Hi Cappalli,

     

    thank you for your quick reply. Currently, my problem is not at the radius request, but the webauth request the web login is doing. If there would be the same kind of key as the radius request (Radius:Aruba:Aruba-Port-ID), that would solve my problem. Here are the computed attributes a webauth request has:

     

    Authentication:Full-Username             username
    Authentication:Full-Username-Normalized  username
    Authentication:Posture                   Unknown
    Authentication:Source                    Auth source
    Authentication:Status                    User
    Authentication:Username                  username
    Authorization:Sources                    Autho source
    Connection:Client-IP-Address             192.168.0.x
    Connection:Client-Mac-Address            000000000000
    Connection:Client-Mac-Address-Colon      00:00:00:00:00:00
    Connection:Client-Mac-Address-Dot        0000.0000.0000
    Connection:Client-Mac-Address-Hyphen     00-00-00-00-00-00
    Connection:Client-Mac-Address-NoDelim    000000000000
    Connection:Client-Mac-Vendor             Apple
    Connection:Protocol                      WEBAUTH
    Connection:Src-IP-Address                127.0.0.1
    Date:Date-of-Year                        2014-07-28
    Date:Date-Time                           2014-07-28 12:41:41
    Date:Day-of-Week                         Monday
    Date:Time-of-Day                         12:41:41
    Endpoint:Role                            some role
    Endpoint:Username                        username
    Host:CheckType                           Authentication

     

    Thank you

     

    Jo



  • 5.  RE: Differentiate two web login authentication

    Posted Aug 01, 2014 06:25 PM

    I think the solution here is to go by the Connection:Client-IP-Address. So you will have to make sure your clients end up on different VLANs/subnets when they use the WebAuth. I never did see the page name but I might not have something set correctly.
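
Added example, not part of any post in this thread and not ClearPass code: a simplified Python model of top-down, first-match service selection, showing why two WEBAUTH requests that carry the same attributes both land in the first service, and how a per-subnet rule on Connection:Client-IP-Address separates them. The service names, the operator names (EQUALS, IN_SUBNET) and the two subnets are assumptions made for the illustration.

```python
import ipaddress

# Constructed WEBAUTH requests using attribute names from the dump in post 4.
# The two client subnets are assumptions made for this illustration.
EMPLOYEE_REQ = {
    "Connection:Protocol": "WEBAUTH",
    "Connection:Src-IP-Address": "127.0.0.1",
    "Connection:Client-IP-Address": "192.168.10.25",
    "Host:CheckType": "Authentication",
}
GUEST_REQ = {**EMPLOYEE_REQ, "Connection:Client-IP-Address": "192.168.20.40"}
WEBAUTH = ("Connection:Protocol", "EQUALS", "WEBAUTH")

def rule_matches(rule, request):
    """Evaluate one (attribute, operator, value) rule; operators are model names."""
    attr, op, value = rule
    actual = request.get(attr)
    if actual is None:
        return False
    if op == "EQUALS":
        return actual == value
    if op == "IN_SUBNET":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(value)
    raise ValueError(f"unknown operator: {op}")

def select_service(services, request):
    """Top-down evaluation: the first service whose rules all match wins."""
    for name, rules in services:
        if all(rule_matches(rule, request) for rule in rules):
            return name
    return None  # no service matched; the request is not categorized

def differing_attributes(a, b):
    """Attributes a service rule could actually use to tell two requests apart."""
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

# Both services keyed on protocol only: the guest request lands in the first one.
PROTOCOL_ONLY = [("Employee WebAuth", [WEBAUTH]), ("Guest WebAuth", [WEBAUTH])]
# Subnet added per service, as suggested in post 5.
BY_SUBNET = [
    ("Employee WebAuth", [WEBAUTH, ("Connection:Client-IP-Address", "IN_SUBNET", "192.168.10.0/24")]),
    ("Guest WebAuth", [WEBAUTH, ("Connection:Client-IP-Address", "IN_SUBNET", "192.168.20.0/24")]),
]

if __name__ == "__main__":
    print(differing_attributes(EMPLOYEE_REQ, GUEST_REQ))
    print(select_service(PROTOCOL_ONLY, GUEST_REQ))
    print(select_service(BY_SUBNET, GUEST_REQ))
```

In this model a client whose address falls in neither subnet matches no service, so the subnet rules have to cover every VLAN that can reach either portal.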

     



  • 6.  RE: Differentiate two web login authentication

    Posted Aug 05, 2014 12:25 PM

    Hi sdr53,

     

    yeah, that could be an idea. I would still prefer to filter by page name but this is possible.

     

    I will be opening a TAC ticket, will reply with their answer.

     

    Jo



  • 7.  RE: Differentiate two web login authentication

    EMPLOYEE
    Posted Aug 05, 2014 03:48 PM

    So doing something like this didn't work for you?

     

    weblogin-page.JPG



  • 8.  RE: Differentiate two web login authentication

    Posted Aug 13, 2014 06:09 PM

    Hi Cappalli,

     

    sorry for the delay. Unfortunately, that doesn't work because it doesn't apply to a webauth, but for an application authentication service. If you set up a web login with authentication credentials and pre-auth check app auth, the first authentication request will be an app authentication, the one you describe below with the rules. The second would be the webauth authentication, which is where my problem is. These are the options I have when I set up a service in web auth:

     

    2014-08-13 17_58_00-ClearPass Policy Manager - Aruba Networks.png

     

    I've contacted TAC and they weren't able to give me an answer for that. They have also recommended I use this specific web login in controller-initiated mode as it's for guest with MAC caching (I had some issues with it that they have helped me to resolve).

     

    Anyway, still a mystery. Will continue to figure out a way to do it, but at least my guest login is not working as expected.

     

    Thx everyone :)



  • 9.  RE: Differentiate two web login authentication

    Posted Aug 13, 2014 06:24 PM

    Thanks for sharing your response,

     

    I had to use Web-auth because of the OnGuard integration with CPPM Guest. I don't have the requirement of different authentication sources. Hopefully you will find a workaround for what you are trying to accomplish and hopefully it's not too complicated.

     

     



  • 10.  RE: Differentiate two web login authentication

    Posted Jul 28, 2014 05:44 PM

    Hi Victorfabian,

     

    thank you for your quick reply. I would really want to be able to differentiate them from the web login portal used (as other type of authentication will do), so I don't have to rely on what authentication source or other information.

     

    Maybe I'm being too strict in my design, but I really want to separate corporate stuff and guest.

     

    Thank you

     

    Jo