Greetings All!!
This is going to be a bit long, but I feel I need to try and describe what we are doing and trying to do as well as the limitations we currently face with the easiest solution...
A company I work with has many local controllers (25 and growing) and has ClearPass. We (customer and me) have been told by their security team that we cannot have ClearPass open to the internet for an external captive portal. We are trying to figure out a way to use the local controller captive portal abilities to auto submit a login with a user's MAC address when they click the accept button on the "terms of use page". We are already doing MAB for a few OUIs with ClearPass and I was thinking we could potentially set up a web login service to have the local captive portal authenticate against. This is what I'm trying to accomplish, and there may be other ways to do it or other solutions.
1. Device connects to local guest network
2. Device hits MAC auth service on ClearPass.
3. If device passes MAB, allow access.
4. If device fails MAB check, give local captive portal role for device to click "I accept the terms"
5. Auto submit user's MAC address (similar to MAC auth) to ClearPass as username for web login service and give the endpoint a date/time stamp attrib for MAC cache bypass.
6. Give device access, caching results for future auth in next X days.
Limitations...
No VPN or GRE tunnels to ClearPass. Not scalable.
No public ClearPass CP. That would be too easy. :-/
I have it working up to the 4th step. I can send a user to the local captive portal and when they click accept, they get access with the default user role. Unfortunately, I never see this in ClearPass as there is no "user login" in the local captive portal. This means no user caching so they hit the local captive portal every time they connect.
Is there a way, using hidden HTML code, to auto login a user with their MAC address, when they click "I Accept"? Or any other ways you can creatively think to do this?
Thank you so much for taking the time to read my long post and considering a reply!
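
The six-step flow described in the post, modelled as an added example that is not part of the original post and is not ClearPass or controller configuration. It shows the decision order (MAB by OUI, then the cached acceptance timestamp, then the captive portal) and the cache expiry; the role names, the OUI values, the 7-day window standing in for "X days" and the in-memory endpoint store are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Everything here is hypothetical and only models the flow in the post;
# it does not call any ClearPass or controller API.
MAB_OUIS = {"001A1E", "B45D50"}   # constructed sample OUIs that pass MAB
CACHE_DAYS = 7                    # stands in for the post's "X days"
accepted_at = {}                  # normalized MAC -> time terms were accepted


def normalize_mac(raw):
    """Accept aa:bb:.., AA-BB-.., aabb.ccdd.eeff; return 12 uppercase hex digits."""
    mac = re.sub(r"[:.\-]", "", raw.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


def authorize(raw_mac, now):
    """Steps 2-4 and 6: pick the role for a device joining the guest network."""
    mac = normalize_mac(raw_mac)
    if mac[:6] in MAB_OUIS:                      # step 3: OUI passes MAB
        return "allow-mab"
    stamp = accepted_at.get(mac)
    if stamp is not None and now - stamp < timedelta(days=CACHE_DAYS):
        return "allow-cached"                    # step 6: acceptance still cached
    return "captive-portal"                      # step 4: show the terms page


def record_acceptance(raw_mac, now):
    """Step 5: MAC arrives as the web-login username; stamp the endpoint."""
    accepted_at[normalize_mac(raw_mac)] = now
    return "allow-cached"


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)              # constructed timestamps
    print(authorize("aa-bb-cc-dd-ee-ff", t0))    # first visit
    record_acceptance("AABB.CCDD.EEFF", t0)      # user clicks "I accept"
    print(authorize("aa:bb:cc:dd:ee:ff", t0 + timedelta(days=6)))
    print(authorize("aa:bb:cc:dd:ee:ff", t0 + timedelta(days=7)))
```

Normalizing the MAC before both the write and the lookup matters because the same address can arrive with different separators from the MAC auth request and from the portal form, and a mismatch would send the device back to the portal every time.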