Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC Authentication with Captive Portal fail through

  • 1.  MAC Authentication with Captive Portal fail through

    Posted Jul 22, 2013 04:51 PM

    I have a lab set up with ClearPass 6.1 and AOS 6.2.  I am working on a configuration that redirects guest users to a captive portal, and authenticates them against a local guest user database - I set up an account with unlimited use and no expiration.  I am also authenticating employees against an AD database.  I have two SSIDs: employee and guest.  This all seems to work fine.

     

    What I want to be able to do is first try to MAC authenticate guest users when they connect, and then pass them through to the guest captive portal if MAC auth fails (i.e. they haven't connected in some period of time, say, 8 hours).

     

    I would also like to be able to do something similar with employees connecting to the employee SSID if possible, except employees would be redirected to the AD server for authentication if MAC authentication fails.

     

    I have been trying to locate suitable reference materials for this scenario, but have been unsuccessful.  Any reference material, examples, guides, or guidance would be greatly appreciated.

     

    Regards,

    DAK



  • 2.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 05:50 AM

    Good info on how to add the MAC of the user (the guest itself) while they are logged in can be found here:

    On The ClearPass Guest Side, go to Customization> Guest Self Registration> Edit.

    Below Register Page, Click on Form.  You will be adding two fields to the form, mac, and mac_auth_pair

     

    Click anywhere in the form and click on Insert After.  Select mac for the field you want to enter and fill out the field like below.  Rank fills itself out, so you do not have to.

    [attached screenshot: mac.PNG]

     

    When you save that, insert another field "mac_auth_pair" with the parameters below:  Save and get out of registration.  You should be able to go through self-registration with a new user and not only will a user show up under Guests> List accounts, but the mac address of the device that they registered (a paired account) should also show up under Guests> List Devices.  Let us know if that is working first.

     

    [attached screenshot: mac-auth-pair.PNG]

    http://community.arubanetworks.com/t5/ClearPass-formerly-known-as/Guest-accounts-lifetime-expiry-time-still-can-t-make-it-work/td-p/84554

     

     

    Now, under the AAA profile of the guest network on the controller, you should enable MAC auth on the same profile:

     

     

    [attached screenshot: Untitled.png]

     

    So now (after enabling MAC auth and adding the right fields to the guest register page), each client that connects to the SSID will do a MAC auth against the CPPM devices DB. If it's there (because it's already registered), it will not see the captive portal; if it's new, it will need to register.

     

    Just be sure the MAC auth profile on the Aruba fits the MACs your CPPM is getting (just watch your Access Tracker and adjust it until you get the right result).

    [attached screenshot: Capture2.PNG]



  • 3.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 10:16 AM

    Thank you, kdisc98.  This seems like a lot of gyrations just to tell CPPM that if it sees a guest device reconnecting to the network within a certain period of time, reauthorize it and skip the captive portal.  I can see this use case happening often in situations where guest user devices go to sleep, or get put on standby.

     

    Can MAC authentication be used similarly for an 802.1X RADIUS-secured network?  Would there even be a use case for that?  Like an employee who puts their laptop to sleep while at lunch?  Or a company executive who puts their tablet computer in standby mode for several hours?

     



  • 4.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 10:32 AM

     

    You can enable MAC caching and set it for a certain amount of time (like 8 hours) so the user doesn't have to reauth during that time.



  • 5.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 10:34 AM

    Thank you, Victor.  That seems more straightforward and easier to implement.  Do you know of any good configuration examples of that?



  • 6.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 11:09 AM

     

    I have attached a doc that should help with that.

     

     



  • 7.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 04:13 PM

    Thank you, Victor and kdisc98.  I appear to have been able to get this working two different ways.  One way involved using the L2 Authentication > MAC Authentication that is available in AOS 6.2 - this feature does not appear to be in version 6.1.  This allows you to enable reauthentication and set the reauthentication interval.  The second method involved disabling reauthentication on the controller and using the Guest MAC Authentication Service Template built into ClearPass instead.  This creates two services: Guest MAC Authentication and Guest Access with MAC Caching.  If you adjust the timer in the MAC Authentication Enforcement policy to suit your needs, you can force ClearPass to hit the captive portal, reauthenticate the user, and cache the MAC address.

     

     

     



  • 8.  RE: MAC Authentication with Captive Portal fail through

    Posted Jul 23, 2013 04:43 PM

    Good to know that you figured it out and configured it like you want.

     

    Thanks for updating us.

     

    Have a great day.

     

    Me.



  • 9.  RE: MAC Authentication with Captive Portal fail through

    Posted Feb 04, 2014 05:11 AM

    Great guide there, FB. Thanks a million.



  • 10.  RE: MAC Authentication with Captive Portal fail through

    Posted Dec 17, 2013 12:07 PM

    Hi, sorry I had to bump this old thread. I'm currently configuring this kind of service on CPPM 6.2.3.

    I'm having trouble understanding how MAC caching in CPPM works. All I can find is to create a new service from the service template, and from the template the minimum MAC caching time I can find is no less than 1 day. Can you tell me how you set MAC caching for 8 hours?

     

    Or even better, if you have documentation on how to manually edit MAC caching in CPPM besides creating it fresh from the service template.

     

    thanks.

     

    R.L.



  • 11.  RE: MAC Authentication with Captive Portal fail through

    EMPLOYEE
    Posted Dec 17, 2013 12:32 PM

    If you use the service template all you need to do is modify the enforcement profile and change it from days to hours.

     

    [attached screenshot: guestmacmin.png]



  • 12.  RE: MAC Authentication with Captive Portal fail through

    Posted Dec 17, 2013 12:50 PM

    Hi Troy,

     

    I need to confirm this. So the MAC caching time doesn't mean that the MAC address will be deleted from the local endpoint DB after a duration of time, but just that the MAC auth service checks from the Insight repository DB how old the MAC address is?

     

    And in the enforcement profile, Authorization Insight Repository, Days-since-auth: does it mean days since the MAC address was first cached?

     

    thanks,

    R.L.



  • 13.  RE: MAC Authentication with Captive Portal fail through

    EMPLOYEE
    Posted Dec 17, 2013 12:51 PM

    Correct,

    Account lifetime is configured in the captive portal settings.
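
A model of the decision the thread ends up describing (posts 7 and 11 to 13): the endpoint record stays in the repository, and the MAC-auth service accepts or rejects purely on how long ago the device last authenticated, with a reject pushing the client back to the captive portal. This is an added illustration in Python, not ClearPass code or anything from the posters; the endpoint table, the auth-event list standing in for Insight, the 8-hour window, the role names and the guest-account expiry check are all assumptions of the example. It treats only captive-portal logins as the cache anchor; whether a cached MAC-auth success itself extends the window depends on the Insight filter used and is not settled in the thread.

```python
"""Added example: MAC-caching decision logic modelled on the thread.

Not ClearPass code. Assumed stand-ins: `endpoints` for the Endpoints
repository, `events` for the Insight auth history, `accounts` for the guest
user database. Roles 'guest-logon' (initial, captive portal) and 'guest'
(authenticated) are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Canonicalise whatever the controller sends (aa:bb:cc:dd:ee:ff,
    AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff) to 12 lowercase hex digits.
    Post 2's 'watch your Access Tracker' advice is about this: if the NAS
    MAC format and the repository format differ, every lookup misses."""
    mac = re.sub(r"[:\-. ]", "", raw).lower()
    if not _HEX12.match(mac):
        raise ValueError(f"not a MAC address: {raw!r}")
    return mac


@dataclass
class Endpoint:
    mac: str
    status: str                    # "Known" once paired by self-registration
    guest_username: Optional[str] = None


@dataclass
class AuthEvent:
    mac: str
    source: str                    # "captive-portal" or "mac-auth"
    when: datetime


@dataclass
class Decision:
    action: str                    # "ACCEPT" or "REJECT"
    role: str                      # role the controller would apply
    reason: str


def evaluate_mac_auth(raw_mac: str, endpoints: Dict[str, Endpoint],
                      events: List[AuthEvent], accounts: Dict[str, dict],
                      now: datetime, cache_window: timedelta) -> Decision:
    """Decide one MAC-auth request. REJECT leaves the client in the initial
    role, i.e. the captive portal 'fail through' the OP asked for. Nothing is
    ever deleted from `endpoints`; an expired cache is only an age check
    failing, which is the reading confirmed in posts 12 and 13."""
    mac = normalize_mac(raw_mac)
    ep = endpoints.get(mac)
    if ep is None or ep.status != "Known":
        return Decision("REJECT", "guest-logon", "endpoint not known; must register")

    portal_logins = [e.when for e in events
                     if e.mac == mac and e.source == "captive-portal" and e.when <= now]
    if not portal_logins:
        return Decision("REJECT", "guest-logon", "no portal login on record")

    age = now - max(portal_logins)
    if age > cache_window:
        return Decision("REJECT", "guest-logon", f"cache expired ({age} since portal login)")

    # Assumed caveat: a cached MAC should not outlive the guest account itself
    # (post 13: account lifetime lives in the captive portal settings).
    acct = accounts.get(ep.guest_username or "")
    if acct and acct.get("expires") is not None and acct["expires"] <= now:
        return Decision("REJECT", "guest-logon", "guest account expired")

    return Decision("ACCEPT", "guest", f"MAC cached ({age} since portal login)")


def demo() -> Dict[str, Decision]:
    """Walk the OP's scenario (8-hour window) on constructed data."""
    t0 = datetime(2013, 7, 23, 9, 0, tzinfo=timezone.utc)
    window = timedelta(hours=8)
    endpoints = {"001122aabbcc": Endpoint("001122aabbcc", "Known", "visitor1")}
    accounts = {"visitor1": {"expires": None}}          # OP: unlimited, no expiry
    events = [AuthEvent("001122aabbcc", "captive-portal", t0)]
    return {
        "wake after 2h":  evaluate_mac_auth("00:11:22:AA:BB:CC", endpoints, events, accounts,
                                            t0 + timedelta(hours=2), window),
        "back after 10h": evaluate_mac_auth("00-11-22-aa-bb-cc", endpoints, events, accounts,
                                            t0 + timedelta(hours=10), window),
        "new device":     evaluate_mac_auth("0011.22dd.eeff", endpoints, events, accounts,
                                            t0 + timedelta(hours=2), window),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:15s} {d.action:7s} role={d.role:11s} {d.reason}")
```

The two REJECT outcomes differ only in reason: the 10-hour device is still in the endpoint table and becomes ACCEPT again as soon as a new captive-portal login is recorded for it, whereas the new device must register first. To turn the thread's "days" into the OP's 8 hours, only `cache_window` changes.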