Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Not getting [Machine Authenticated] Role

  • 1.  Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 03:44 AM

    Hi there,

    I have a few issues and hope one of you guys could guide me. I have set up a lab and, to start with, I have set up a basic MAC Auth service along with web auth for captive portal redirect.

    1. In Access Tracker, I do not see the Machine Authenticated role for the request even after log off/log on and a restart of the PC. This is a domain PC. I only see the User Authenticated role. What could be the issue here? I have attached the input from the auth request.

    2. The web portal redirect is not working. The MAC auth sends a profile to redirect to the captive portal, but it doesn't happen. When I do the manual web auth, it hits the web auth service, but again when web auth sends a RADIUS CoA, it doesn't hit back to MAC auth to get the guest profile and gets stuck in MAC auth. In the login page, I have tried both Cisco and captive portal with ClearPass in the vendor settings, both with the same result.

    I am not sure if my ACL is wrong or if it has something to do with my Cisco switch running 15.2. Attached are the switch configuration and Access Tracker outputs.

    Thanks,

    Attachment(s)

    switch config.txt   10 KB


  • 2.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 03:53 AM

    For the record, I have not enabled 802.1x as I am testing only MAC auth. The idea is to give an allow-access profile for the machine authenticated role and a guest profile through captive portal redirect for non-domain PCs.



  • 3.  RE: Not getting [Machine Authenticated] Role
    Best Answer

    EMPLOYEE
    Posted Dec 19, 2019 03:59 AM

    If you haven't enabled 802.1x, you cannot get the machine authenticated role.  The machine authenticated role appears when a device authenticates with a host/<machine name> username.  There is no other way to know if a device has machine authenticated.



  • 4.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 04:36 AM

    Dear Cjoseph,

    Thanks for the reply. I enabled dot1x on my laptop. I see the machine authentication request hitting ClearPass, but it's getting rejected. Still, it's getting MAC authenticated with the MAC address as the username, so it gets the user authenticated role but no machine authenticated role.

    Do I need to create a service for wired 802.1x to get the machine authenticated role? MAC Auth alone doesn't support this?



  • 5.  RE: Not getting [Machine Authenticated] Role

    EMPLOYEE
    Posted Dec 19, 2019 04:46 AM

    It looks like you do not have a service set up to handle 802.1x authentication. Have you seen the ClearPass wired policy enforcement technote here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx ?



  • 6.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 06:11 AM

    Yes, I have read the document.

    I have not set up the 802.1x service yet. As I said, as of now I am only testing MAC auth and captive portal redirect for guests.

    I was actually troubleshooting the captive portal redirect issue when I came across this machine authentication role not being fetched. For this particular problem, just for my knowledge, I want to know if the machine authentication role can be fetched using MAC auth only? Or can it only be done through the dot1x service?


    @cjoseph wrote:

    It looks like you do not have a service setup to handle 802.1x authentication. Have you seen the ClearPass wired policy enforcement technote here:  https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/33093/Default.aspx  ?




  • 7.  RE: Not getting [Machine Authenticated] Role

    EMPLOYEE
    Posted Dec 19, 2019 06:29 AM

    For a device to be classified as machine authenticated, it must successfully authenticate via 802.1x with a username of host/<machine name>.  It does not work for mac authentication.
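
The rule stated in this reply (and in reply 3) lends itself to a small classifier. The following is an added example written for this thread, not code from the thread, from HPE Aruba or from ClearPass itself. It assumes simplified request records with `username`, `auth_method` and `result` fields modelled loosely on what Access Tracker shows, and it assumes that `[User Authenticated]` is applied to any accepted request, as the thread shows for MAC auth; the usernames, host name and MAC address are constructed.

```python
import re

# Constructed sample records, loosely modelled on the fields visible in a
# ClearPass Access Tracker request. Usernames, host name and MAC are made up.
SAMPLE_REQUESTS = [
    {"username": "host/LAB-PC01", "auth_method": "EAP-PEAP", "result": "ACCEPT"},
    {"username": "jdoe", "auth_method": "EAP-PEAP", "result": "ACCEPT"},
    {"username": "host/LAB-PC01", "auth_method": "EAP-PEAP", "result": "REJECT"},
    {"username": "00:11:22:33:44:55", "auth_method": "MAC-AUTH", "result": "ACCEPT"},
]

# A MAC-auth request carries the client MAC as its username; accept the
# plain 12-hex spelling and the colon/hyphen separated ones.
MAC_AS_USERNAME = re.compile(
    r"^(?:[0-9a-f]{12}|(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2})$", re.IGNORECASE)


def derive_roles(req):
    """Return the built-in roles one request earns under the rule from the
    thread: [Machine Authenticated] needs a successful 802.1X (EAP)
    authentication with a host/<machine name> username, while a successful
    MAC auth only ever yields [User Authenticated]. A rejected request earns
    nothing, which matches what reply 4 saw in Access Tracker."""
    if req["result"] != "ACCEPT":
        return []
    roles = ["[User Authenticated]"]   # assumption: applied to any accepted request
    is_dot1x = req["auth_method"].upper().startswith("EAP")
    is_machine_account = req["username"].lower().startswith("host/")
    if is_dot1x and is_machine_account:
        roles.append("[Machine Authenticated]")
    return roles


def explain(req):
    """One-line diagnosis of why a request did or did not get the role."""
    roles = derive_roles(req)
    if "[Machine Authenticated]" in roles:
        return "machine authenticated via 802.1X with a host/ account"
    if req["result"] != "ACCEPT":
        return "authentication rejected; no roles assigned"
    if MAC_AS_USERNAME.match(req["username"]):
        return "MAC auth: username is the client MAC, so machine identity cannot be proven"
    return "802.1X with a user credential, not a host/ machine account"


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req['username']:>20}  {derive_roles(req)}  - {explain(req)}")
```

Running the block prints one line per constructed request; only the accepted `host/` 802.1X request ends up with both roles, and the MAC-auth request is explained by its MAC-shaped username.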



  • 8.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 06:41 AM

    Thanks, man. Got it.

    Could you please look at my switch configuration and ClearPass config screenshots to guide me on why the redirect is not working? ClearPass sends the redirect profile to the switch but nothing happens... the PC gets normal network access...

    When I manually do the web authentication, it works fine and hits the web auth service that I created. I have followed all the guides and discussions here but don't seem to be able to resolve this issue.



  • 9.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 07:09 AM

    For the Cisco switch, you need an SVI to be on the same subnet as the ClearPass server, which in your case is on 192.168.1.x.

    The web-redirect won't work over L3.


  • 10.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 19, 2019 07:17 AM

    I have interface vlan 1 in that range with IP 192.168.1.11. Before it was through DHCP, but now I made it static.
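
The condition stated in reply 9 (an SVI whose subnet contains the ClearPass address) can be checked against a switch configuration mechanically. The following is an added example written for this thread, not code from the thread or from Cisco or HPE Aruba. It assumes an IOS-style configuration where RADIUS servers are defined with `radius server` / `address ipv4` blocks and SVIs as `interface VlanN` with an `ip address` line; the SVI address 192.168.1.11 is the one mentioned above, while the RADIUS server address, the second SVI and the server name are constructed for the example.

```python
import ipaddress
import re

# Constructed IOS-style configuration excerpt for this example. The SVI address
# 192.168.1.11 is the one mentioned in the thread; the RADIUS server address,
# the second SVI and the server name are made up.
SAMPLE_CONFIG = """\
radius server CLEARPASS
 address ipv4 192.168.1.10 auth-port 1812 acct-port 1813
!
interface Vlan1
 ip address 192.168.1.11 255.255.255.0
!
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport access vlan 20
!
"""


def parse_radius_servers(config):
    """Collect the IPv4 address of every 'radius server' block."""
    return [ipaddress.ip_address(a)
            for a in re.findall(r"^\s*address ipv4 (\S+)", config, re.M)]


def parse_svis(config):
    """Return {SVI name: IPv4Network} for each 'interface VlanN' carrying an address."""
    svis = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            m = re.match(r"^interface (Vlan\d+)\s*$", line)
            current = m.group(1) if m else None   # physical ports are ignored
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            addr, mask = m.groups()
            svis[current] = ipaddress.ip_interface(f"{addr}/{mask}").network
    return svis


def svis_sharing_subnet(config):
    """Map each RADIUS server address to the SVIs whose subnet contains it.
    An empty list means no SVI shares the server's subnet, which is the
    condition reply 9 says breaks the web redirect on the Cisco switch."""
    svis = parse_svis(config)
    return {str(srv): sorted(name for name, net in svis.items() if srv in net)
            for srv in parse_radius_servers(config)}


if __name__ == "__main__":
    for server, names in svis_sharing_subnet(SAMPLE_CONFIG).items():
        status = "OK" if names else "MISSING"
        print(f"RADIUS server {server}: SVI in same subnet -> {names or 'none'} [{status}]")
```

With the constructed excerpt the check reports `Vlan1` for the server; replacing the Vlan1 address with one outside 192.168.1.0/24 makes the list empty, which is the situation the reply warns about.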



  • 11.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 22, 2019 04:47 AM

    I got the redirect working... The ACL syntax had some issue... Now the problem is, I am trying to send VLAN enforcement for guests in MAC auth (after web auth and bounce session); the output shows the VLAN profile being sent, but it's not taking effect. Attached are the Access Tracker logs for the service hits and the profile returned...

    Thanks,



  • 12.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 22, 2019 04:49 AM

    Access Tracker output



  • 13.  RE: Not getting [Machine Authenticated] Role

    EMPLOYEE
    Posted Dec 22, 2019 04:52 AM

    A web auth (captive portal) is a layer 3 authentication, i.e., it happens after getting an IP address. When you push a VLAN after web auth using MAC auth (!!!), I think you need to check by doing an IP renew (CMD --> ipconfig /renew) on the client device after web auth, to check if it works, since the client would release and renew the IP.

    It is not recommended to use a MAC auth (L2 authentication) after a web auth (L3 authentication, which happens after getting an IP). Is there a specific reason to do this?



  • 14.  RE: Not getting [Machine Authenticated] Role

    Posted Dec 22, 2019 06:38 AM

    I have set up a guest MAC auth with captive portal redirect to get guest information. When guests connect, they first hit the MAC auth service, where they get redirected to the captive portal, and after web auth they get a session termination and again hit the MAC auth service with the guest access (guest VLAN) profile.

    Is there any better way to make this happen?