Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC authentication vs Web authentication

  • 1.  MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:04 AM

    Hi,

     

    I have a 7210 (version 6.3) controller for which I have an external Captive Portal integrated.

     

    I have external MAC caching functional via the external CP server.

     

    MAC cache is working fine for "known" addresses in the MAC cache; however, when the MAC cache is not known I have the CP configured to have clients post the registered username/password credentials to the configured radius auth server group. The problem I note is that there are no radius messages being sent with the username/password credentials, and subsequently I cannot perform the web auth method.

     

    After various tries I noted that MAC authentication is always being triggered when MAC address is known, but web authentication is not happening when I submit credentials on the CP page.

     

    I am able to verify that the dst-nat action for the controller internal CP for the https post is being hit (via show acl hits). I am also able to verify from radius controlpath packet sniffs that there were no radius messages resulting from the client login form post.

     

    Why is the web authentication not happening (i.e. radius auth not sent) when the client submits the login post?


    #7210
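
The pcap check described in the post above (looking for RADIUS requests that follow the login form post) can be scripted. This is an added example, not part of the original thread and not Aruba code: it parses RADIUS payloads per RFC 2865 and separates MAC-auth requests from web-auth requests. It assumes MAC authentication sends the client MAC as User-Name; the function names are hypothetical and the sample packets are constructed.

```python
import re
import struct

MAC_RE = re.compile(r"([0-9A-Fa-f]{2}[:-]?){5}[0-9A-Fa-f]{2}")
ACCESS_REQUEST = 1        # RFC 2865 packet code
USER_NAME = 1             # RFC 2865 attribute types
CALLING_STATION_ID = 31


def parse_radius(payload: bytes):
    """Parse one RADIUS UDP payload into (code, identifier, {attr_type: [values]})."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if length < 20 or length > len(payload):
        raise ValueError("length field does not match payload")
    attrs, pos = {}, 20   # bytes 4..19 hold the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(payload[pos + 2:pos + a_len])
        pos += a_len
    return code, ident, attrs


def classify(payload: bytes) -> str:
    """Label a packet as 'mac-auth', 'web-auth' or 'other'."""
    code, _, attrs = parse_radius(payload)
    if code != ACCESS_REQUEST or USER_NAME not in attrs:
        return "other"
    user = attrs[USER_NAME][0].decode("utf-8", "replace")
    # Assumption: MAC authentication sends the client MAC as User-Name.
    return "mac-auth" if MAC_RE.fullmatch(user) else "web-auth"


def build_request(ident: int, user: str, station: str) -> bytes:
    """Build a constructed sample Access-Request with a zeroed authenticator."""
    pairs = ((USER_NAME, user.encode()), (CALLING_STATION_ID, station.encode()))
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in pairs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + bytes(16) + body


def summarize(payloads):
    """Count packets per class; zero 'web-auth' means no credential request was sent."""
    counts = {"mac-auth": 0, "web-auth": 0, "other": 0}
    for p in payloads:
        counts[classify(p)] += 1
    return counts
```

Feed `summarize` the UDP payloads destined for the RADIUS authentication port from the capture; a result with MAC-auth requests but no web-auth requests matches the symptom reported here.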


  • 2.  RE: MAC authentication vs Web authentication

    EMPLOYEE
    Posted Jan 26, 2015 11:06 AM
    Do you have a second service for the web authentication in ClearPass?


  • 3.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:12 AM

    Hi cappalli,

     

    No I do not have Clearpass available.

     

    Please advise why a second service for web auth would be required with Clearpass. 

     

    BR,

     

     



  • 4.  RE: MAC authentication vs Web authentication

    EMPLOYEE
    Posted Jan 26, 2015 11:13 AM

    1 service is required to process the mac-authentication and another service is required for the captive portal / web authentication.



  • 5.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:37 AM

    Hi cappalli,

     

    Please explain what you mean by "service"? This term is not familiar from the Mobility Bootcamp Training; perhaps this is CPPM jargon (to which I do not have much exposure).

     

    I would like the MAC cache check to be done first and, in case of failure, have the user-login process via the CP applied.

     

    Will I be able to get this done without Clearpass?

     

    Very much appreciate your feedback and insights!

     

    BR,

     

     



  • 6.  RE: MAC authentication vs Web authentication

    EMPLOYEE
    Posted Jan 26, 2015 11:42 AM
    If you're using ClearPass for guest, yes you'll need a second service in
    ClearPass to handle the web auth portion.


  • 7.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:19 AM

    If I understand you correctly, you want to do MAC authentication; but if that fails, have the user enter credentials on the Captive Portal page. You claim you have MAC authentication working but webauth is not working when users enter credentials. Can you verify you have defined your RADIUS server group as the authentication source under your Captive Portal Profile?

     

    aos-cp-rad-group.png



  • 8.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:25 AM

    Also, did you make sure the credential post is configured properly within the HTML of your external page:

     

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-create-a-custom-Captive-Portal-for-public-access/ta-p/177854.

     



  • 9.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 09:53 PM

    Hi clembo,

     


    @clembo wrote:

    Also, did you make sure the credential post is configured properly within the HTML of your external page:

     

    http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-do-I-create-a-custom-Captive-Portal-for-public-access/ta-p/177854.

     


    Thanks for the info, I confirm that the login form post http syntax is correct. This is why I can perform web authentication successfully. However, the issue at hand is that I am not always able to perform web authentication when using the captive portals to submit credentials. 

     

    What debug commands can I use to verify the controller's receipt of the form post from the client, and the subsequent radius auth request generation to the radius server group?

     

    BR,



  • 10.  RE: MAC authentication vs Web authentication

    Posted Jan 27, 2015 08:49 AM

    I am a little confused about your issue. You mention that you can do WebAuth, but WebAuth with Captive Portal is not working. Aren't they one and the same?

     

    • Where is the Captive Portal page; on the controller or external?
    • Can you explain a bit further when it works?
    • Can you explain a bit further when it does not work?

     

    You could try to debug the user session; may not see everything you ask for, but may help:

     

    logging level debugging user-debug <mac-address-of-client>

    show log user-debug | include <mac-of-client>



  • 11.  RE: MAC authentication vs Web authentication

    Posted Jan 27, 2015 10:31 AM

    Hi clembo,

     

    Basically my issue is that WebAuth with Captive Portal is not working. When I post credentials on the Captive Portal page, the Captive Portal gets the client to run a client-side javascript to do an HTTP login post to the controller. Following the login post, I cannot see evidence of the controller performing a radius authentication request to my radius server group. Ultimately, I know WebAuth is failing because I remain in the initial role and do not get placed into the Captive Portal's default role, which is "authenticated" (Internet access available).

     

    Response to your queries:


    @clembo wrote:

     

     

    • Where is the Captive Portal page; on the controller or external?
    • Can you explain a bit further when it works?
    • Can you explain a bit further when it does not work?

     


    • The Captive Portal page is external to the controller
    • To make this less complicated, I will say that the WebAuth is not working when I try to use it. I understand that the WebAuth process should be executed every time I submit credentials on the Captive Portal page. I believe WebAuth is failing because I cannot see the corresponding radius authentication in the controlpath pcap.

    BR,



  • 12.  RE: MAC authentication vs Web authentication

    EMPLOYEE
    Posted Jan 27, 2015 10:33 AM
    I guess the question is, where is your identity store for the captive
    portal?


  • 13.  RE: MAC authentication vs Web authentication

    Posted Jan 27, 2015 10:45 AM

    @cappalli

     

    My identity store for my credentials is my radius server group.

     

    BR,



  • 14.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:41 AM

    Hi clembo,

     

    Let me check this out and get back to you.

     

    BR,



  • 15.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 08:06 PM

    @clembo wrote:

    If I understand you correctly, you want to do MAC authentication; but if that fails, have the user enter credentials on the Captive Portal page. You claim you have MAC authentication working but webauth is not working when users enter credentials. Can you verify you have defined your RADIUS server group as the authentication source under your Captive Portal Profile?

     

    aos-cp-rad-group.png


    Yes confirmed that I have correctly defined my radius server group as the authentication source for my captive portal profile.



  • 16.  RE: MAC authentication vs Web authentication

    EMPLOYEE
    Posted Jan 26, 2015 08:09 PM

    So you do have ClearPass? I'm very confused.

     

    Can you post a screenshot of your service list in ClearPass?



  • 17.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 09:42 PM

    Hi cappalli,

     

    Please note I do not have Clearpass.

     

    I have the MAC address cached on an external server, which my radius server group is able to query when checking if the MAC credentials are known (stored previously).

     

    BR,



  • 18.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:07 AM
    How's your page configured? To do an AppAuth, Radius?


  • 19.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:19 AM

    Hi victorfabian,

     

    Please elaborate on your query - do you mean my CP server page?

     

    BR,



  • 20.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:26 AM

    FYI; I think there is confusion around CP in your setup.

     

    Captive Portal

    or

    ClearPass

     

    I think you said you don't have ClearPass, but are using an external captive portal page. Please see my suggestion above.



  • 21.  RE: MAC authentication vs Web authentication

    Posted Jan 26, 2015 11:42 AM

    Hi clembo,

     


    @clembo wrote:

    FYI; I think there is confusion around CP in your setup.

     

    Captive Portal

    or

    ClearPass

     

    I think you said you don't have ClearPass, but are using an external captive portal page. Please see my suggestion above.


    Yes, by CP I meant Captive Portal.

     

    BR,



  • 22.  RE: MAC authentication vs Web authentication

    EMPLOYEE
    Posted Jan 26, 2015 11:43 AM

    OK. So you don't have ClearPass.

     

    MAC caching is not possible without ClearPass.