Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC authentication and Captive portal fallback

  • 1.  MAC authentication and Captive portal fallback

    Posted May 29, 2013 11:19 AM

    Hello all.

     

    Is it possible to set up bypass authentication for known users by MAC address, with fallback authentication via captive portal for new users?

     

    I.e., I have a guest SSID with AAA profile AAA-GUEST. AAA-GUEST contains captive portal authentication and MAC authentication. All of these authentications are made in ClearPass according to the doc: ARUBA WIRELESS AND CLEARPASS 6 INTEGRATION GUIDE Technical Note v1.3

     

    So, I try to log in from my laptop to the guest SSID, and the first message in the log is REJECTED by MAC authentication. OK, I try to open a browser and there is no redirect to the captive portal. OK, I manually open the captive portal page and try to log in - REJECT in logs: Failed to classify request to service.

     

    I cannot understand why this happens. I have tried to reinstall the whole configuration 3 times - still no luck. There is no fallback to the login page if MAC auth fails. Somebody help. Thanks in advance.



  • 2.  RE: MAC authentication and Captive portal fallback

    Posted May 29, 2013 02:56 PM

    We could use some more info in regards to your AAA profile, MAC-auth profile 

     

    You should get your redirect and login to work without MAC auth before you implement it.

     

    Which CPPM version are you using? In 6.1 several of the pre-defined services are gone, and among them is the MAC Caching one. But in 6.1 just use the service template for MAC cache authentication and you should be fine.

     

    If 6.0.x then you could try some troubleshooting.

    Verify the role your client lands in after the MAC reject appears. This should be the guest-logon role (or equivalent) - this is the AAA default role.

     

     

    Oh - and scan through your services and make sure you have input the correct SSID in your auth profile. That's often the reason behind "Failed to classify.."



  • 3.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted May 29, 2013 07:44 PM

    If you are using 6.1, use the service templates and choose Guest MAC Authentication to set up your services. It will auto-configure all the settings and create two services: one for the initial MAC auth and one for the captive portal.

     

    guestmacauth.png

     

     

     

     



  • 4.  RE: MAC authentication and Captive portal fallback

    Posted May 30, 2013 02:48 AM

    Yes, I use CPPM 6.1

     

    OK, I deleted all changes again and created a new service from the template, like tarnold said. So, it creates 2 services: Guest MAC Authentication and Guest Access With MAC Caching. Trying to connect to the SSID - REJECTED. In the logs the same problem occurred:

     

    1.png

     

     

    2.png

     

    I still don't understand how redirecting to the captive portal page could work for registering a new user device by login/password. Where can I configure it in policies/roles/or somewhere else in these services?



  • 5.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted May 30, 2013 02:51 AM

    Do you have Insight enabled on the CPPM?



  • 6.  RE: MAC authentication and Captive portal fallback

    Posted May 30, 2013 02:52 AM

    @tarnold wrote:

    Do you have Insight enabled on the CPPM?


    How can I check it? Where can I enable it?

     

    P.S.: Sorry, I'm a newbie.



  • 7.  RE: MAC authentication and Captive portal fallback
    Best Answer

    EMPLOYEE
    Posted May 30, 2013 02:54 AM

    On the CPPM side: "Administration » Server Manager » Server Configuration"

     

    insight.png

     

     



  • 8.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted May 30, 2013 02:56 AM

    Remember it can take up to 5 minutes for the data to be updated in Insight. For testing I would connect through the captive portal, wait 5 min, disconnect the user and then reconnect.



  • 9.  RE: MAC authentication and Captive portal fallback

    Posted May 30, 2013 02:59 AM
    Yeah, the doc says that you should wait at least 2 minutes, so be a little patient when testing this :)


  • 10.  RE: MAC authentication and Captive portal fallback

    Posted May 30, 2013 03:08 AM

    @tarnold wrote:

    Remember it can take up to 5 minutes for the data to be updated in Insight. For testing I would connect through the captive portal, wait 5 min, disconnect the user and then reconnect.


    That's the problem. My laptop is not redirected to the captive portal. When the MAC auth check rejects the connection, I can't see any captive portal page.

     

    3.png



  • 11.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted May 30, 2013 03:11 AM

    Sounds like the wireless might not be set up correctly on the roles also. Take a look at this doc; around page 34 it goes through a basic guest portal.

     

    http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10345

     

     



  • 12.  RE: MAC authentication and Captive portal fallback

    Posted May 30, 2013 03:38 AM

    @tarnold wrote:

    Sounds like the wireless might not be set up correctly on the roles also. Take a look at this doc; around page 34 it goes through a basic guest portal.

     

    http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10345

     

     


    Thanks a lot. Now my laptop is redirected to the captive portal. But it is a self-registration portal. I need something like:

     

    1) The operator creates a username/password and time limits for a new guest.

    2) The guest user connects to the guest SSID.

    3a) If it is a first-time connection, he will be redirected to the captive portal (without self-creating a user account), where he can LOG IN with the credentials obtained from the operator. When he is logged in, his MAC has to be written to the local database for further MAC auth (bypass authentication).

    3b) If the user connects to the guest SSID and his MAC is in the database, he must be authenticated by bypass (MAC auth).

     

    Is it possible?



  • 13.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted May 30, 2013 03:44 AM
    Yes. You will have to set up a basic guest reg page and just point to the network login for your captive portal. The services you created should give you MAC caching for 24 hours.


  • 14.  RE: MAC authentication and Captive portal fallback

    Posted May 30, 2013 04:05 AM

    It works! Big thanks.

     

    One last little question: how can I change the main guest self-service portal page? I need only one form for login on the main page, without the "Sign in" links.



  • 15.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted May 30, 2013 11:25 AM

    You will need to go to the Self Reg page you made and click edit.

     

    guestselfpic.png

     

    Click on Login Message on the right side of the picture and in the footer field delete the content.

     

    networklogin.png

     

     



  • 16.  RE: MAC authentication and Captive portal fallback

    Posted Dec 17, 2013 01:13 PM

    Does the 5 minutes count from when the guest user logs in or from when the user account is created?

    I'm implementing CoA to disconnect the guest user after a successful login and then force it to reconnect with MAC authentication. So far I haven't found any problem, but this 5-minute delay may cause some problems.

     

    R.L.



  • 17.  RE: MAC authentication and Captive portal fallback

    EMPLOYEE
    Posted Dec 19, 2013 12:43 AM
    In earlier releases that was a concern in busy environments. In later releases there were optimizations done to speed that up, to anywhere from 1-3 min. In the coming 6.3 that will be even quicker.