Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

[HowTo] Auto-Sponsor with Clearpass Guest

  • 1.  [HowTo] Auto-Sponsor with Clearpass Guest

    EMPLOYEE
    Posted Dec 23, 2015 01:52 PM

    Hi

     

    I guess that many of you have deployed guest WLANs where the password is sent over SMS to the user. By doing this we make sure whoever logs into the network has to provide a valid phone number that can be tracked in case there's been an improper use of the network. An interesting alternative could be to verify the email address of the guest using the sponsor approval workflow. The user would have limited access to the network while he validates his email and full access once that's done. 

     

    This is how I've been doing it lately:

     

    Clearpass Guest Configuration

    I've created a self-registration where the guest gets 5 minutes of internet access to validate their email address. This lets the guest receive the email to self-sponsor himself. The config process would be the following:

    First of all, modify expire time so that the initial duration is 5 minutes. I've used the "modify_expire_time" field and set it to 5m:

     modify_expire.png

    I first click "Insert_After" to add a new field and then add the "modify_expire_time" field with the following configuration:

    modify_expire_5m.png

    As you can see, it’s a hidden field with the initial value set to 5m and we’re forcing it to always use its initial value.


    Next step would be to send a “self-sponsor” email to the user. In order to do that we configure “sponsor approval” with no sponsor auth, send the approval request to the user’s own email, an 8h increment of the account duration, and we set the initial state to “enabled”:

    customize_guest_reg.png

    This would be the basic config we would need in Clearpass Guest. It admits a lot of small improvements such as modifying the confirmation email to have a more appropriate text or the page seen by the “self-sponsor”. In order to keep things simple, we’ll leave those out for the moment.

     

    ClearPass Policy Manager Configuration

    What we’ll do in CPPM is similar to what we do when configuring MAC Caching, with the only difference that after the web authentication a new authentication will be triggered after 5 minutes. In order to do that, we’ll create 2 services, one for the RADIUS authentication from the web login and one for the subsequent MAC authentications.

     

    Let’s focus first on the web authentication service. We need a generic RADIUS auth service where we validate that the auth comes from the right SSID and so on. The key part lies in the Enforcement policy, where we’ll have the following:

    • [Update Endpoint Known] to mark the device as known.
    • 5-6 Min Session timeout to expire the user session after 5 minutes have passed. This would be done in the following way: Session-timeout.png
    • Update Guest Endpoint to save the user data in the endpoint

    Endpoint_Username.png

    With this configuration, our enforcement profile should look more or less like this:

    EnforcementProfile.png

    Now that the web authentication is set, we just need to take care of the MAC authentication service. This will allow us to cache the device for as long as we want the user session to be open. We just need to validate that the guest account tied to the endpoint exists and is not expired. The enforcement policy should look like this:

    MAC_Enforcement.png

    There are two key aspects here. First of all, we’ll need to add the [Guest User Repository] as an authorization source and second, we need to send the username back to the controller/ap. We don’t want the MAC address to appear as the username, we want the user id from the initial web login (which we’ve saved in the endpoint). This allows us to track the user session even when he’s being cached:

    Endpoint-UsernameAsUSER.png

    This would be all the required configuration in Clearpass, now we just need to take care of the AP/controller config.

     

    AP Configuration

    Since we plan on validating users based on their MAC addresses, we need to add MAC authentication to the guest authentication we usually have in this type of scenario. This is what my IAP config looks like:

    IAPconfig.png

    As you can imagine, this is just a sample configuration that will allow you to get started on this, and it leaves room for a lot of minor improvements. Nevertheless, I think this sets some basic foundations for the auto-sponsor login that could be useful to many. Give it a go and tell us what you think about it :)

     

    Regards!



  • 2.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    EMPLOYEE
    Posted Jan 25, 2016 07:42 AM

    Hi Samuel,

     

    Great post here, but for a newbie the "ClearPass Policy Manager Configuration" part is a bit shady yet. It assumes I already know the details on the services creation.

    Could you detail a bit more on how exactly to create the "2 services, one for the RADIUS authentication from the web login and one for the subsequent MAC authentications." you mention and where/how exactly to apply the actions described after.

     

    Thank you,

    Pedro



  • 3.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    EMPLOYEE
    Posted Jan 25, 2016 07:46 AM

    You can use the service template for Guest with MAC caching.



  • 4.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    EMPLOYEE
    Posted Jan 25, 2016 11:41 AM

    That solved it.

    Thank you



  • 5.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Nov 08, 2016 09:00 AM

    Has anyone set this up and got it working 100% as expected?

     

    From reading the notes it says "new authentication will be triggered after 5 minutes". I understand this to mean that after the timeout the device will re-auth, and if the username is active the device will auto-connect?

     

    This is not the case for me; the timeout is just changing the role back to the login role. If you disconnect and reconnect to the wifi and the account is active, all is OK.



  • 6.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Aug 23, 2017 04:01 AM

    Hello,

     

    I know this is quite an old thread, but I've recently been trying to make this scenario work, with the same result... once the timeout occurs, it reverts to the default/initial role and the auto-registration page is shown again... if I reboot the device, it triggers the MAC authentication service, but this is not the case without rebooting...

    Did anyone find the roundabout to this??? Any special info to take care of that is not mentioned in the documentation???

     

    thank you very much in advance,

     

    Javier.



  • 7.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Aug 23, 2017 06:52 AM

    I engaged with Aruba when I was working on this and found the config needed tweaking.

     

    See attached.

     

     

    Attachment(s)

    docx
    adtional config.docx   383 KB 1 version


  • 8.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Aug 24, 2017 07:59 AM

    Thank you Colin,

     

    Thank you for sharing this config... now it's working as expected... it's a shame that Aruba doesn't have a better guide to bring this kind of scenario alive with less tweaking...

     

    Now that everything seems to behave as expected using your workaround, it's time to begin from scratch again... too many days changing too many things have led to a config that is too messy, and too many parameters will for sure be upside-down...

     

    Thank you very much indeed.

     

    Javier.



  • 9.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Aug 24, 2017 08:05 AM

    Javier,

     

    The guide was not originally provided by Aruba. The reason why the tweaks are needed is that the way the controller works has changed in the newer versions.



  • 10.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Aug 24, 2017 08:10 AM

    Yes, I know... that's why I'm missing something official from Aruba...

    I'm sure you're right, but I can't avoid feeling some kind of emptiness here... ;)

    Thank you very much indeed,



  • 11.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Aug 29, 2017 09:34 AM

    Well, I'm back again with the same issue... I don't know if I'm missing something, or the whole thing is so unstable, but I'm back with the same behaviour: I can't get the MAC caching service triggered most of the time... only if I don't apply ALL the timeout profiles, including the MAC caching session timeout, does it behave near expected, but the controller says it's a web auth session going on, even after rebooting the client...

     

    Does anybody have a detailed document that could be shared to check against my own config??? Now I'm doubtful about everything, including controller configuration, ClearPass Guest self-registration forms, fields and so on... even how ClearPass is managing date and epoch, with a timezone different from the reference, is suspicious to me now...

    I'm missing something for sure...

     

    Thank you very much in advance,

    Javier



  • 12.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Nov 11, 2017 11:56 AM

    Hi!

    I have a problem with SMTP



  • 13.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Feb 02, 2018 04:07 AM

    For the SMTP: I assume you are getting the STARTTLS error. I just answered that on a different thread.

     

    http://community.arubanetworks.com/t5/Security/authen-failure-SMTP-STARTTLS-failed/m-p/291368

     

    I do have a different issue. All this works great; however, if the client resets his connection before the user is confirmed, MAC auth is done and the session-timeout is changed to default. I can set it there to 360 seconds as well, but when a user is confirmed, 360 seconds is not required anymore.

    I tried setting an unvalidated role for the user during registration and changing the role when sponsored. However the endpoint keeps the original role id.

     

    Also, in the additional settings file the ${GuestUser:do-expire} is used during the MAC auth. But ClearPass does not seem to be able to translate this to the value of do-expire. It just literally sets the string ${GuestUser:do-expire} in the endpoint.

     

    I've added screenshots in the file below.

     

    Attachment(s)



  • 14.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Feb 13, 2018 06:24 AM

    I found a workaround. 

     

    I've edited the Guest User Repository source to include the RemainingExpiration attribute of the user. It is already in the authentication query but not in the authorization query. I named the alias RemainingExpirationAuth.

     

    I then added a few rules in the enforcement policy for the MAC auth.

    1. Default MAC auth enforcement.
      Check the Insight repository for hours-since-auth, check if the endpoint contains the valid user role, check if the guest account is enabled and not expired.
      This resulted in a RADIUS allow access enforcement profile that sets the reauth timer to 86400.
    2. Check if the endpoint role is unvalidated and if the RemainingExpirationAuth is larger than 300 seconds. 300 seconds are the 5 minutes that were set for the free wifi access.
      This results in the endpoint user role id being updated and a RADIUS allow access enforcement profile that sets the reauth timer to 86400.
    3. Check if the endpoint role is unvalidated. Since I use first applicable, the RemainingExpirationAuth will be less than or equal to 300 seconds.
      This results in a RADIUS allow access profile that sets the reauth timer to 360 seconds.
    4. Check if the endpoint role is set to the validated role but the account is disabled or expired. This results in a RADIUS deny profile and a Set Endpoint Unknown.

    Now the user can be disconnected during his 5 minutes of free wifi and reconnect using MAC while remaining on a short reauth timer. And when the user validates his email he will receive a normal reauth timer in the same service.

     

    There can be some improvements but for me this is working right now.

    1. You can edit the guest user repository authorization query to return the guest role id and use that attribute to set the final role instead of checking the RemainingExpiration field. It would make the service more generic if you have multiple SSIDs.
    2. You can also use the RemainingExpiration field as a value for the short reauth timer. Although you should increase it by 60 seconds as a buffer. This would make it a more generic enforcement profile.

    I've added screenshots of my current configuration.

     
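To make the rule ordering in the reply above concrete, here is an added model of the four MAC-auth rules as a first-applicable policy (editor's example; it is not configuration from this thread, not ClearPass code, and does not talk to CPPM). The timer values 300, 360 and 86400 and the 60-second buffer are the ones stated in the reply; the endpoint role names "unvalidated"/"validated", the `MacAuthRequest`/`Decision` types, the sample requests and the extra guard for an expired unvalidated account are assumptions of this example. The Insight hours-since-auth check from rule 1 is left out because the reply gives no threshold for it.

```python
"""Model of the first-applicable MAC-auth enforcement policy described in the reply.

Constructed example: not ClearPass code. It reproduces the rule order of the reply
so the access/timer outcome for each endpoint state can be checked offline.
"""
from dataclasses import dataclass
from typing import Optional

FREE_ACCESS_SECONDS = 300     # the 5 minutes of pre-validation access (from the thread)
SHORT_REAUTH_SECONDS = 360    # reauth timer while the account is still unvalidated (from the reply)
LONG_REAUTH_SECONDS = 86400   # reauth timer once the sponsor e-mail is confirmed (from the reply)
REAUTH_BUFFER_SECONDS = 60    # buffer suggested when deriving the timer from RemainingExpiration

ROLE_UNVALIDATED = "unvalidated"  # endpoint role names are assumed, not taken from the reply
ROLE_VALIDATED = "validated"


@dataclass
class MacAuthRequest:
    """The attributes the rules look at (all sample values below are constructed)."""
    endpoint_role: str
    account_enabled: bool
    account_expired: bool
    remaining_expiration: int  # RemainingExpirationAuth: seconds until the guest account expires


@dataclass
class Decision:
    rule: int                    # which rule (1-4) matched; 0 for the default/guard
    access: str                  # "allow" or "deny"
    reauth_timer: Optional[int]  # seconds, None on deny
    set_endpoint_role: Optional[str] = None
    set_endpoint_unknown: bool = False


def evaluate_mac_auth(req: MacAuthRequest) -> Decision:
    """Walk the rules in order and return the first one that applies."""
    account_ok = req.account_enabled and not req.account_expired

    # Rule 1: validated endpoint with a live account -> normal reauth timer.
    if req.endpoint_role == ROLE_VALIDATED and account_ok:
        return Decision(1, "allow", LONG_REAUTH_SECONDS)

    # Added guard (assumption, not in the reply): an unvalidated account that is disabled
    # or whose 5-minute window has already lapsed must not be granted access by rule 3.
    if req.endpoint_role == ROLE_UNVALIDATED and (not account_ok or req.remaining_expiration <= 0):
        return Decision(0, "deny", None, set_endpoint_unknown=True)

    # Rule 2: still marked unvalidated, but the confirmation e-mail has extended the account
    # past the free window -> promote the endpoint role and hand out the normal timer.
    if req.endpoint_role == ROLE_UNVALIDATED and req.remaining_expiration > FREE_ACCESS_SECONDS:
        return Decision(2, "allow", LONG_REAUTH_SECONDS, set_endpoint_role=ROLE_VALIDATED)

    # Rule 3: unvalidated and, by first-applicable ordering, within the free window -> short timer.
    if req.endpoint_role == ROLE_UNVALIDATED:
        return Decision(3, "allow", SHORT_REAUTH_SECONDS)

    # Rule 4: validated endpoint but the account is disabled or expired -> deny, forget the endpoint.
    if req.endpoint_role == ROLE_VALIDATED and not account_ok:
        return Decision(4, "deny", None, set_endpoint_unknown=True)

    # Anything else (an unknown role) is denied; there is no catch-all allow.
    return Decision(0, "deny", None)


def short_reauth_from_remaining(remaining_expiration: int) -> int:
    """The reply's second improvement: derive the short timer from RemainingExpiration plus a 60 s buffer."""
    return remaining_expiration + REAUTH_BUFFER_SECONDS


if __name__ == "__main__":
    # Constructed sample requests covering the states discussed in the reply.
    samples = [
        MacAuthRequest(ROLE_VALIDATED, True, False, 28800),    # confirmed user reconnecting
        MacAuthRequest(ROLE_UNVALIDATED, True, False, 28000),  # confirmed, endpoint not yet promoted
        MacAuthRequest(ROLE_UNVALIDATED, True, False, 200),    # still inside the 5-minute window
        MacAuthRequest(ROLE_VALIDATED, True, True, 0),         # validated earlier, account now expired
        MacAuthRequest(ROLE_UNVALIDATED, True, False, 0),      # never confirmed, window lapsed
    ]
    for sample in samples:
        print(sample, "->", evaluate_mac_auth(sample))
```

The order matters: rule 3 is safe only because rule 2 (and the added guard) run before it, which is exactly the first-applicable behaviour the reply relies on; swapping rules 2 and 3 would leave confirmed users stuck on the 360-second timer.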



  • 15.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Jul 13, 2018 11:46 AM

    Just joining this forum and came across this old post.

     

    I have the self-sponsor to email working such that the user registers an account using a valid email and then receives an email from ClearPass to confirm that account. This post addresses the issue that I am trying to resolve, in that the user can't receive the email on the device he is connecting with because there is no access until the confirmation is done.

    I am using two service policies created from the template to get me to this point: MAC authentication and MAC authentication with caching.

    The first service policy gets the registration done, but the second policy does not get run until after the email is confirmed. The second policy is what updates the endpoint to known.

    This thread appears to call for two additional policies, but I can't figure out how to layer them in to get the endpoint known for the 5 minute period to allow network access to receive the email and finish the confirmation that gets the MAC caching service run.

     

    Hopefully someone can clear this up for me please



  • 16.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Jul 16, 2018 03:44 AM

    You need to make sure that the account is active as part of the registration.



  • 17.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted May 06, 2019 02:45 PM

    Hi Samuel,

     

    I am encountering an issue & would appreciate your inputs to see if this can be addressed.

     

    The MAC caching interval for the guest user is being calculated based on the remaining expiration time in the guest repository.

    (An authorization attribute has been added to the guest user repository in order to compare the current time vs the remaining expiration.)

     

    a). Self sponsorship confirmation is working perfectly while I am using the guest account on a single device.

     

    b). If I register using the same email address on the 2nd device, it is overriding the expiration timer of the guest account.

     

    Eg: 1. Device A registers with email "xyz@xyz.com" at 10AM which creates an account using the email address provided in the guest repository with expiration set to 10.05 AM.

     

    User is provided 5 mins of free internet access & then he confirms the email to extend the expiration of the account to 6:05 PM.

     

    So, if the device disconnects & reconnects multiple times until 6.05 PM, it would get direct internet access (mac caching kicks in).

     

    2. Device B registers with the same email "xyz@xyz.com" at 11AM which overrides the previously created account (step 1) & changes the expiration time from 6.05PM to 11.05 AM.

     

    If Device B does not confirm the account (clicking on the email sent as part of registration), then the account will expire at 11.05 AM.

     

    Device A is presented with captive portal again if it gets disconnected & tries to connect back to the network.

     

    Is there a way to ensure that Device A is not affected when the same email account is used on Device B?



  • 18.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    Posted Feb 12, 2020 11:34 AM

    Does anyone have this process documented from A to Z with the issues brought up by other members? I'm having issues with this process and it's hard to follow each user's changes or additions based on their issues. I'm hoping for an initial setup and best practice PDF or a link to one?

     

    thanks



  • 19.  RE: [HowTo] Auto-Sponsor with Clearpass Guest

    EMPLOYEE
    Posted Jun 11, 2020 05:46 PM

    Follow the instructions in the beginning of this post. Ignore all the comments, then add the additional config for the do_expire field in the self registration form. See doc attached. 

    Attachment(s)

    docx
    additional config.docx   383 KB 1 version