Occasional Contributor II

MAC Auth and the Captive Portal

This message is ideally for Herman Robers, but at this point, I am open for anyone to answer.  Referencing his workshop series ( ) I am struggling and trying to figure out what I am doing wrong.  I have in my head that when a MAC Auth takes place, including using the Wizard of setting things up, if you fail mac auth or get a reject, the next logical step would be to push the endpoint/user/guest etc, to your clearpass portal.


I have reset my configs so many times, I have no idea what rev I'm trying (enter definition of insanity  :) ).


Here's the big picture in what I am trying to do...  I have the controller set the role the end device gets, based on the SSID they connect to.  I then am thinking this role carries over into clearpass, where you can set the requirements/criteria up so if you get a "preauth" role, and you're connected to an SSID say Test1, you will go to mac auth.  If you don't exist in the DB, then you should be directed to sign up etc via Captive portal.  


By following the guest section, and the roles via the workshop series, I believe I have everything setup correctly...however, according to the wizard, Guest authentication with mac caching, I'm missing something.


Herman, I am blown away by your videos and how awesome they are in comparison to other versions out there.  Is there anyway you can revist this work shop series and do one for a controller (instead of an instant AP) that fits my scenerio perhaps?  I'm questioning my auth sources, if they are accurate or not, or if I am using the correct DB(s). 


I am using 6.7 code with the latest patch...

Is there a flow chart of how this all works for the radius authentication?  


Again, hats off to the workshop series...  impressive...thank you!


This is a copy of my error message:


Error Code:
Error Category:
Authentication failure
Error Message:
User authentication failed
 Alerts for this Request 
Policy serverFailed to construct filter=SELECT
CASE WHEN expire_time is null or expire_time > now() THEN 'false'
ELSE 'true'
END AS is_expired,
CASE WHEN enabled = true THEN 'true' ELSE 'false' END as is_enabled
FROM tips_guest_users
WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (app_name != 'Onboard')).
Failed to get value for attributes=[AccountEnabled, AccountExpired]
RADIUS[Endpoints Repository] - localhost: User not found.
[Guest Device Repository] - localhost: User not found.
[Insight Repository] - User not found.
MAC-AUTH: MAC Authentication attempted by unknown client, rejected.
Frequent Contributor I

Re: MAC Auth and the Captive Portal

Hi, it is normal that you get a reject the first time you connect. The endpoint isn't know yet in Clearpass. The authentication will hit the first mac-auth service, and Clearpass will reply with a reject. This means the mac authentication that you specified in the aaa profile on the controller failed.

At that point the client will get the initial role in the aaa profile. This role should be the 'logon' role that is linking the captive portal profile you want to use (and allow http, https communication to the cp server). Then the redirection should occur and the second cppm mac-auth service (the one with mac-caching in its name) will be hit. If valid user credentials are filled in, the authentication should be successful and the endpoints repository in Clearpass will get updated with the client's mac. Next time the client will connect to the ssid, and the mac caching isn't expired, the first service will be hit and the client will get the MAC authentication Default Role.

So, points of attention:

  • make sure the ssid corresponds to the one, defined in the CPPM services
  • set mac-auth profile and mac-auth server group in the aaa profile
  • set and configure the initial role for captive portal auth to the clearpass server
  • follow best practices for the portal authentication

Where did you get the alerts that you mention? Not sure why it's saying "app_name != 'Onboard'".

Occasional Contributor II

Re: MAC Auth and the Captive Portal

Thanks RD-one, I will go through and check everything out to ensure they coorespond correctly.  As for the alerts I got, these were from access-tracker.


I'll update this post in a few days when I've ensured things are correctly configured on both ends, based on what you've shared.



Re: MAC Auth and the Captive Portal

Thanks for the feedback on the video series.


On the MACAUTH, in many cases, it is better to use Allow All MACAuth instead of MACauth. If you compare them, the main difference is that Allow All MACAuth returns authentication for any MAC address regardless of the status. The normal MACauth provides a failure for any device that is not marked Known in the Endpoint Database. With Allow All MACAuth you can still decide to reject, or rather return a specific role.


On controller, if you get to the initial role on a reject; if you have enabled L2 fail-through. Similar on IAP. I prefer to ACCEPT the authentication and return the role from ClearPass.


The whole workflow hasn't changed that much over time, and I have a video that goes step by step through the process. And that is indeed not for controllers, but very similar.


Heard your request for controller guest videos. There is another series on ArubaOS8 on the Airheads Broadcasting Channel (ABC). Didn't see guest there yet. Let me find a way to get this config in one of the ClearPass or AOS8 series; can't make any promises at this moment though.

If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Search Airheads
Showing results for 
Search instead for 
Did you mean: