Security

Hello,

We are setting up device registration using Guest's built-in forms, but cannot get email or SMS auto-send to work (SMS is the built-in ClearPass gateway, we have a few tokens for testing, but not many). Both work if we send tests directly using CPPM or Guest's SMS/email test options. They also work if I go to a pre-registered device in 'Manage Devices', select the device and choose 'Edit', choose Update Device and then select 'Send SMS receipt' or 'Send Email receipt'. But nothing is sent when someone registers a device using the form. The form does have the fields that we have configured to prompt the auto-send ('auto_send_sms' with a value of 1, and 'email'). Any ideas?

I saw from a previous post that there was a bug in an older version of ClearPass to do with privileges for Policy Manager, but we are on 6.8.5.

Thanks,

Guy

Hi,

In your guest self-registration page, you have selected the right fields for Email and SMS? These fields are available in your registration form?

Did you check the application log?

Home » Administration » Support » Application Log

Also, you can enable debugging for guest services to troubleshoot further.. Make sure to disable it afterwards..

Home » Administration » Plugin Manager » ClearPass Guest Services

Ok I was being a numpty, I hadn't turned on SMS and email in the Registration Page settings! Thanks - your answer pointed me in that direction.

Could I also ask - is there a way of making the SSID work like this?:

1 - device connects to SSID

2 - device is MAC-auth'd

3 - If MAC auth fails device is redirected to registration page, otherwise device is authenticated onto network via MPSK.

ie is there a way of making this so that the user/device doesn't need access to the internet via another means (different SSID/wired/mobile) to do the registration part?

Hi,

I didn't get your question, the first 3 points are the "normal" workflow for mac authentication..

1 - device connects to SSID

2 - device is MAC-auth'd

3 - If MAC auth fails device is redirected to registration page,

I am not sure what you mean by "otherwise device is authenticated onto network via MPSK." You are using an open wireless network right?

Sorry for the late reply - no, we want to use MPSK.

I suppose I'm asking whether it can behave a bit like a CP, but I guess there's no way of making an MPSK SSID do that.

It probably doesn't make a lot of sense anyway seeing as quite a lot of devices on this SSID would be headless.

I may be misunderstanding, or confused, apologies! The devices are all MPSK enabled when they are registered.

What I was hoping was that if a device connected to the MPSK SSID and failed the initial MAC auth, then somehow it could be redirected to the registration page a bit like a captive portal. I'm guessing that's not possible?

You could assign a role on mac-auth failure, and the role can be configured with a captive portal redirecting them to a page of your choosing.

Ah yes that sounds pretty much perfect. Thanks, I'll investigate...