Frequent Contributor I

OPEN SSID MAC AUTH CWP

Hello,

I'm working on a design with an OPEN SSID | MAC Auth + CWP.

How can I push clients not yet in the database to the CWP?

ClearPass keeps punting them even if I toss in some default roles+policies.

FYI clients in the MAC database work fine obviously. I just want clients who are not yet in the DB to be able to access the CWP.

Error Code: 216
Error Category: Authentication failure
Error Message: User authentication failed

Alerts for this Request
RADIUS[Endpoints Repository] - localhost: User not found.
MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

Thanks!

Guru Elite

Re: OPEN SSID MAC AUTH CWP

You should be using Allow All MAC Auth and returning the captive portal role enforcement.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Frequent Contributor I

Re: OPEN SSID MAC AUTH CWP

Nice, thanks for the quick reply, Tim!

It solved the problem; however, it broke my design :\

Here's the super high level design.

Open SSID for Self Device Reg.

CWP -> Domain Cred auth form -> Automatically registers the user's device and marks it as "known". If the device logs in later on, it's now cached and they don't have the CWP applied.

If I do Allow All MAC, all users are now redirected to CWP whether they're in the DB or not and fall into the registration role. :\

I especially want this design for when open SSID encryption comes around.

Frequent Contributor I

Re: OPEN SSID MAC AUTH CWP

Not to get into the weeds with the design, but I'm trying to avoid going into the whole ClearPass self registration portal. Manual creation etc. I'm going for a quick device reg for BYOD with device tracking based on AD creds. I'm trying to make the students' device registration super simple.

Frequent Contributor I

Re: OPEN SSID MAC AUTH CWP

With ONE SSID to do it all :D Works with one registration SSID and a MAC auth SSID

Frequent Contributor I

Re: OPEN SSID MAC AUTH CWP

Did the trick. Just needed to prevent Apple's CWP. Policy was still being pushed out properly.
