Security

Hey

 

I have a guest portal that works in every way with phone number as username and SMS as code on initial login. I have 6 months as Mac auth expiry.

 

My problem is when MAC authentication is performed the next day when a user is trying to connect, it gets accept and the cppm user role is assigned, but the captive portal pops up on for example a Apple Iphone. 

 

Can anyone help me out ?

Did you use the Mac caching wizard in ClearPass to build your services/policies/profiles?



Thank you

Victor Fabian

Pardon typos sent from Mobile

Yes, I think it fails here:

 

it should hit the first-applicable which is "[Allow Access Profile], [GUEST Guest Profile]", but it goes to the next enforcment profile "[Allow Access Profile], [GUEST Captive Portal Profile]". I just cannot understand why.

Can you share the post-auth profile (Guest Mac Caching Profile) assigned under the mac caching service

 

Also can you share the role mapping for the mac authentication service

Sorry for late reply.

 

Here are post-auth profile (Guest Mac Caching Profile):

 

Here are role mapping for the mac authentication service:

 

I see this now:

 

Are this value set by the orginal form: guest_register with the field: expire_afer ?

When removing the following from the generated guest-mac-policy:

 

AND(Authorization:[Guest User Repository]:AccountExpired EQUALS false)
AND(Authorization:[Guest User Repository]:AccountEnabled EQUALS true)

 

Then everything works as expected. Users who never have authenticated get captive portal, users with the mac-expiry-auth value set gets mac authentication.