Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

OPEN SSID MAC AUTH CWP

  • 1.  OPEN SSID MAC AUTH CWP

    Posted Nov 24, 2018 11:05 PM

    Hello,

     

    I'm working on a design with an OPEN SSID | MAC Auth + CWP.

     

    How can I push clients not yet in the database to the CWP?

     

    ClearPass keeps punting them even if I toss in some default roles+policies.

     

    FYI, clients in the MAC database work fine, obviously. I just want clients who are not yet in the DB to be able to access the CWP.

     

    Error Code: 216
    Error Category: Authentication failure
    Error Message: User authentication failed
    Alerts for this Request
    RADIUS[Endpoints Repository] - localhost: User not found.
    MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

     

    Thanks!



  • 2.  RE: OPEN SSID MAC AUTH CWP
    Best Answer

    EMPLOYEE
    Posted Nov 24, 2018 11:10 PM
    You should be using Allow All MAC Auth and returning the captive portal role enforcement.


  • 3.  RE: OPEN SSID MAC AUTH CWP

    Posted Nov 24, 2018 11:23 PM

    Nice, thanks for the quick reply, Tim!

     

    It solved the problem; however, it broke my design :\

     

    Here's the super high level design.

     

    Open SSID for Self Device Reg.

    CWP -> Domain Cred auth form -> Automatically registers the user's device and marks it as "known". If the device logs in later on, it's now cached and they don't have the CWP applied.

     

    If I do Allow All MAC, all users are now redirected to CWP whether they're in the DB or not and fall into the registration role. :\

     

    I especially want this design for when open SSID encryption comes around.

     



  • 4.  RE: OPEN SSID MAC AUTH CWP

    Posted Nov 24, 2018 11:48 PM

    Not to get into the weeds with the design, but I'm trying to avoid going into the whole ClearPass self-registration portal. Manual creation etc. I'm going for a quick device reg for BYOD with device tracking based on AD creds. I'm trying to make the students' device registration super simple.



  • 5.  RE: OPEN SSID MAC AUTH CWP

    Posted Nov 24, 2018 11:49 PM

    With ONE SSID to do it all :D Works with a One registration SSID and a MAC auth SSID



  • 6.  RE: OPEN SSID MAC AUTH CWP

    Posted Nov 25, 2018 12:09 AM

    Did the trick. Just needed to prevent Apple's CWP. Policy was still being pushed out properly.