Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

  • 1.  Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 03:04 PM

    Hello,

    I have a client running Guest on CPPM 6.6 and a Cisco WLC (v. 8.0.121.0).

    As the subject outlines, expired guest accounts are still able to connect. I created the services using the templates. Default policy is for 4 hour access, access-code based, so a user need only enter their contact information and then hit 'submit' to gain access to the internet. After 4 hours however, they are not logged out, and if the device disconnects and then reconnects at a later time, they are still granted access.

    SSID is configured w/ MAC filtering, upon failure it will redirect to captive portal landing page.

    Reject Packet Delay on CPPM is set to 0.

    Attached are screenshots of the config.

    SSID: L2.png, L3.png

    Guest Service: guest roles.png, Guest Enforce.png

    MAC auth service: MAB auth.png, MAB roles.png, MAB enforce.png

    Sample Access Tracker entry: access tracker.png

    As you can see, the Captive Portal redirect is being sent from CPPM to the WLC; however, the user is still allowed on. In my client's words: "a pop-up appears briefly, but not long enough to actually load the captive portal page", and then he is simply allowed onto the network.

    The only thing I think could potentially be missing, which I haven't tried, is adding a Cisco - Terminate Session to the enforcement on the Guest Access Service, as referenced in this post: http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/guest-account-expirationguest-account-expiration-with-clearpass/m-p/249351

    If anyone has any other suggestions, or can confirm that the Terminate Session is indeed what is required, that would be great.

    Thanks all.



  • 2.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 04:23 PM

    Hi,

    Without having to integrate the CoA Terminate Session feature, you could just kill the client's session on the Cisco WLC (this user should also be expired on the time source, i.e. more than 4 hours since auth) and then test whether he is prompted with the captive portal.

    Also, I have little experience with Cisco Wireless, but can't you just put Deny Access on your MAC auth service if the time source caching is expired, so that it receives a MAC auth reject and forwards to the captive portal by itself?



  • 3.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 05:43 PM

    I did attempt the deny on the MAC auth service previously with that intention. It would allow and redirect only on the initial connection (endpoint not pre-existing in the endpoint database). After the initial logon, with the endpoint added, subsequent MAC authentications would just straight up result in a permanent deny.



  • 4.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 08:04 PM
    Do you have Guest User Repository > AccountExpired in the role mapping or enforcement policy for MAC auth?

    Did you add the guest user repository as an authorization source?


  • 5.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 08:07 PM

    Aye, I do. As shown in the screenshots above.



  • 6.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 07:57 PM
    You can use Guest User Repository > Expired > True or False to allow access in your enforcement policy.


    To disconnect the Device you need to enable :
    - Accounting
    - enable support for RFC 3576 under the RADIUS server to allow the CoA to happen

    https://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/How-to-set-user-account-expiration-with-delete-and-logout-option/ta-p/182962

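Post 6 above names RFC 3576 CoA support (RFC 3576 has since been replaced by RFC 5176, with the same wire format) as the prerequisite for disconnecting an expired guest. The block below is an added example, not code from this thread, from ClearPass or from Cisco: it builds the Disconnect-Request a RADIUS server sends on port 3799, and models the NAS side that validates the Request Authenticator, ACKs a session it knows and NAKs an unknown one with Error-Cause 503 (Session Context Not Found). The shared secret, MAC address, session id and the session table are constructed values, and only the standard library is used.

```python
"""RFC 5176 (ex RFC 3576) Disconnect-Request exchange, server side and a model NAS.
Added example with constructed data; not ClearPass or WLC code."""
import hashlib
import hmac
import struct

# Packet codes and the attribute types used here, from RFC 5176 / RFC 2865
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, ACCT_SESSION_ID, ERROR_CAUSE = 1, 4, 31, 44, 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503  # Error-Cause value for "no such session"

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length
AUTH_LEN = 16                   # Authenticator field


def encode_attrs(attrs):
    """Serialise (type, value) pairs as RADIUS TLVs; ints become 4-byte big-endian."""
    out = bytearray()
    for attr_type, value in attrs:
        if isinstance(value, int):
            value = struct.pack("!I", value)
        elif isinstance(value, str):
            value = value.encode()
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attrs(body):
    """Parse TLVs back into (type, raw bytes) pairs, rejecting malformed lengths."""
    attrs, pos = [], 0
    while pos < len(body):
        attr_type, length = struct.unpack_from("!BB", body, pos)
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, bytes(body[pos + 2:pos + length])))
        pos += length
    return attrs


def build_disconnect_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + attrs + secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(DISCONNECT_REQUEST, identifier, HEADER.size + AUTH_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(AUTH_LEN) + body + secret).digest()
    return header + authenticator + body


def verify_request(packet, secret):
    """NAS-side check; RFC 5176 requires a request with a bad authenticator to be silently discarded."""
    if len(packet) < HEADER.size + AUTH_LEN:
        return False
    header = packet[:HEADER.size]
    if HEADER.unpack(header)[2] != len(packet):
        return False
    body = packet[HEADER.size + AUTH_LEN:]
    expected = hashlib.md5(header + bytes(AUTH_LEN) + body + secret).digest()
    return hmac.compare_digest(expected, packet[HEADER.size:HEADER.size + AUTH_LEN])


def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + attrs + secret)."""
    body = encode_attrs(attrs)
    header = HEADER.pack(code, request[1], HEADER.size + AUTH_LEN + len(body))
    request_auth = request[HEADER.size:HEADER.size + AUTH_LEN]
    authenticator = hashlib.md5(header + request_auth + body + secret).digest()
    return header + authenticator + body


def verify_response(response, request, secret):
    """Server-side check: the reply must carry our identifier and bind to our Request Authenticator."""
    if len(response) < HEADER.size + AUTH_LEN or response[1] != request[1]:
        return False
    header = response[:HEADER.size]
    if HEADER.unpack(header)[2] != len(response):
        return False
    body = response[HEADER.size + AUTH_LEN:]
    request_auth = request[HEADER.size:HEADER.size + AUTH_LEN]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, response[HEADER.size:HEADER.size + AUTH_LEN])


def nas_handle(packet, active_sessions, secret):
    """Model NAS: drop forged requests, ACK when the Calling-Station-Id has a session, else NAK."""
    if not verify_request(packet, secret):
        return None  # silently discarded
    attrs = dict(decode_attrs(packet[HEADER.size + AUTH_LEN:]))
    mac = attrs.get(CALLING_STATION_ID, b"").decode()
    if mac in active_sessions:
        active_sessions.discard(mac)
        return build_response(DISCONNECT_ACK, packet, [], secret)
    return build_response(DISCONNECT_NAK, packet,
                          [(ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)], secret)
```

The session key used here is Calling-Station-Id, which is what a MAC-auth guest session is identified by; in a real deployment the NAS also matches on Acct-Session-Id, which is why post 6 lists accounting as a prerequisite: without accounting records the server has nothing to put in the Disconnect-Request that the WLC can match.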


  • 7.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 07:59 PM

    Both are enabled.



  • 8.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC
    Best Answer

    Posted Aug 30, 2016 08:16 PM
    Your enforcement policy is not correct.

    The second rule is allowing the device to bypass whether the device is enabled or not in the guest user repository.


  • 9.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Aug 30, 2016 08:53 PM

    Ok. For the record the second enforcement on that rule sends a Cisco AvPair redirect to send the client to the captive portal page. It was my understanding that the Allow Access had to be there before a client would even be able to be redirected. Though I suppose if they've already been allowed access, they could simply browse away from the captive portal redirect. 

    I'll do some testing there. Thanks for pointing that out.



  • 10.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Sep 07, 2016 10:57 AM

    For the record, I resolved this by changing the MAC failure to a deny when missing the MAC Caching role, rather than the accept followed by the captive portal redirect. My guess is this is a difference between Cisco and Aruba controllers, as the original config was generated from the template.

    Everything is working now.

    Thanks!



  • 11.  RE: Expired Guest Account can still connect - CPPM 6.6 + Cisco WLC

    Posted Sep 07, 2016 11:24 AM
    Yeah, unfortunately in the Cisco WLC world, if you are using Redirect on MAC failure, it will only redirect the device on a MAC auth reject.
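Posts 8, 10 and 11 locate the bypass in rule ordering: the template's catch-all rule returned Allow Access plus a url-redirect, and on a Cisco WLC configured for MAC filtering with redirect on failure an Access-Accept puts the client on the network whatever AVPairs it carries. The block below is an added example, not ClearPass code and not the original poster's configuration; it models first-match enforcement over constructed endpoint records, evaluates the template rule set beside the corrected one, and adds an audit function that lists expired accounts a policy still lets through. The role and profile names are illustrative, and the WLC model implements only the behaviour stated in post 11.

```python
"""First-match enforcement policy model for the MAC-auth service in this thread.
Added example with constructed endpoints and illustrative role/profile names;
not ClearPass code. The WLC model follows post 11: redirect only on a MAC-auth reject."""
from dataclasses import dataclass

ALLOW = "[Allow Access Profile]"
DENY = "[Deny Access Profile]"
URL_REDIRECT = "Cisco-AVPair url-redirect (captive portal)"  # second profile in the posted rule 2
MAC_CACHING = "[MAC Caching]"
GUEST_EXPIRED = "Guest-Expired"  # hypothetical role for Guest User Repository > AccountExpired = True


@dataclass(frozen=True)
class Endpoint:
    mac: str
    known: bool            # already in the Endpoint database (after first captive-portal login)
    account_expired: bool  # Guest User Repository > AccountExpired


def map_roles(ep):
    """Role mapping: MAC caching only for a known endpoint whose guest account is still valid."""
    roles = set()
    if ep.account_expired:
        roles.add(GUEST_EXPIRED)
    elif ep.known:
        roles.add(MAC_CACHING)
    return roles


# Enforcement policies: ordered (condition, profiles) rules, first match wins,
# default profile when nothing matches.
TEMPLATE_POLICY = [
    (lambda r: MAC_CACHING in r, [ALLOW]),
    (lambda r: True, [ALLOW, URL_REDIRECT]),  # catch-all grants access, then asks the WLC to redirect
]
FIXED_POLICY = [
    (lambda r: MAC_CACHING in r, [ALLOW]),
    (lambda r: True, [DENY]),                 # anything without MAC caching (new or expired) is rejected
]


def evaluate(policy, roles, default=(DENY,)):
    """Return the profiles of the first rule whose condition holds, else the default."""
    for condition, profiles in policy:
        if condition(roles):
            return list(profiles)
    return list(default)


def radius_reply(profiles):
    return "Access-Reject" if DENY in profiles else "Access-Accept"


def wlc_result(reply):
    """WLC in 'MAC filtering, redirect on failure' mode as described in post 11:
    an Accept puts the client on the network regardless of any url-redirect AVPair;
    only a Reject triggers the captive-portal redirect."""
    return "captive portal" if reply == "Access-Reject" else "network access"


def outcome(policy, ep):
    reply = radius_reply(evaluate(policy, map_roles(ep)))
    return reply, wlc_result(reply)


def find_expired_bypass(policy, endpoints):
    """Audit: MACs whose guest account is expired yet still end up with network access."""
    return [ep.mac for ep in endpoints
            if ep.account_expired and outcome(policy, ep)[1] == "network access"]


# Constructed endpoints covering the three cases discussed in the thread
NEW_DEVICE = Endpoint("00-11-22-33-44-55", known=False, account_expired=False)
CACHED_VALID = Endpoint("aa-bb-cc-dd-ee-01", known=True, account_expired=False)
CACHED_EXPIRED = Endpoint("aa-bb-cc-dd-ee-02", known=True, account_expired=True)
FLEET = [NEW_DEVICE, CACHED_VALID, CACHED_EXPIRED]

if __name__ == "__main__":
    for name, policy in (("template", TEMPLATE_POLICY), ("fixed", FIXED_POLICY)):
        for ep in FLEET:
            print(name, ep.mac, *outcome(policy, ep))
        print(name, "expired endpoints that bypass:", find_expired_bypass(policy, FLEET))
```

The audit is the check worth keeping: run every role combination the policy can produce through it after any template import, since the template's catch-all looks harmless on a controller that honours the url-redirect on an Accept and only becomes a bypass on one that does not.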