Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC auth appears to be failing on Guest wifi

  • 1.  MAC auth appears to be failing on Guest wifi

    Posted Apr 18, 2019 09:30 AM

    We're seeing an issue where guest users connect via captive portal with MAC authentication, but then lose the connection at some point (it varies) and have to log in via the captive portal again. From testing that I've done, it seems that this will happen to an iOS device (I test with an iPad) when it goes into energy-saver ('sleep') mode; it will happen on my Android device if I roam between APs; a Windows 10 laptop appears to hold the connection throughout the entire DHCP lease period, but I have had users see the problem on a Windows machine, too.

    Our setup is IAP-305s and -315s connecting to S2500 MASs at the edge. ClearPass is the authentication server. (Note: we don't see this issue with 802.1X authenticated devices - those connections hold when roaming or going into sleep mode.) Guest logins get their IP address from our DHCP server, not from a scope configured on the VC.

    I have opened a case with TAC, and both ClearPass and IAP technicians have so far been unable to determine why this happens. The user is able to log back in and if they copied the generated password, they can paste it in, but it still requires putting in the user name (e-mail address) again. I don't think this should be necessary with MAC auth.

    Any insights would be welcomed!



  • 2.  RE: MAC auth appears to be failing on Guest wifi

    Posted Apr 18, 2019 11:31 AM

    We have seen issues in the past when devices go to sleep mode. This can be 'fixed' by disabling the RADIUS reauthentication option. I'm not sure if this is fixed in the latest IAP release but I think this was fixed.

    If MAC auth occurs you should make sure you return the correct role to the IAP. The role you return should also be created at the IAP.

    Herman has created a recording about this.

    https://www.youtube.com/watch?v=5sQIKZw5BrE



  • 3.  RE: MAC auth appears to be failing on Guest wifi

    Posted Apr 18, 2019 12:04 PM

    Where is the RADIUS reauthentication configuration option? I can't seem to find it in my IAP. I see an option for a reauthentication interval, which we have set to 0 and we have MAC auth enabled.

    In the Access tab of the IAP web UI, under the Role-based option, we have a number of roles. The ones we're concerned with here are the 'guest-logon' role, which is set to enforce Captive Portal, and the 'or-guest' role, which is the one that guest users get after signing in on the CP. It seems that devices become 'stuck' in the guest-logon role and don't move out of it into the or-guest role until they reauthenticate.

    ClearPass and the IAP's CLI both seem to indicate that the MAC auth works, but something is stopping the user from receiving the correct or-guest role after roaming or going to sleep.



  • 4.  RE: MAC auth appears to be failing on Guest wifi

    Posted Apr 18, 2019 12:21 PM

    Here's a question: shouldn't we have the option checked 'on' to 'use cached roles from previous sessions'? I wonder if having it unchecked is forcing the user back to the guest-logon role. See attached screen capture.



  • 5.  RE: MAC auth appears to be failing on Guest wifi

    Posted Apr 29, 2019 07:45 AM

    Got this resolved via TAC session. There was a misconfiguration in our ClearPass setup that was causing guest users to get an incorrect role assignment. Corrected by adding a MAC caching role in the role mapping policy.