Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Re-authentication not working 7240 v6 controller

  • 1.  Re-authentication not working 7240 v6 controller

    Posted Jun 12, 2020 10:09 AM

    Hi Experts,

     

    I am trying to configure a self-sponsored captive portal solution where a user verifies their email. It's on a v6 controller and ClearPass. I have configured the exact same solution twice before with v8 MM/MC and ClearPass and it worked fine. The issue I am seeing is that re-authentication is not working on the controller. It is neither re-authenticating after the session times out nor when it drops back to the captive portal role (it should re-authenticate because of the registration-role parameter).

     

    Basically a user creates an account with an expiration of 5 minutes (initially). That generates an auth request which receives the following attributes from clearpass.

     

    Role = Preauth_role

    Session-timeout = 300

    Termination-action = Radius-request (1)

     

    They receive an email to sponsor themselves and extend that to 7 days. 

     

    After the session times out a new mac-auth request SHOULD be generated. That auth request hits the mac auth service in ClearPass, which verifies that the user has sponsored themselves, and ClearPass responds with a different role. However that mac-auth is not happening; instead, after the timeout the client just drops back to the captive portal role and doesn't attempt a mac auth request. I would also expect a re-authentication to occur when the user drops back to the captive portal role because of the registration-role parameter that is configured, but this also doesn't work.

     

    I think I might confuse things by copying my entire captive portal clearpass/controller config in. Everything is working except the reauthentication which should happen after the radius attributes above are sent to the controller.

     

    I have a TAC case open with this the past few days but it isn't progressing anywhere fast. Any advice on this really appreciated. This seems like it should be a very basic fundamental feature but it is not working no matter how it is poked. I have come across a few other threads on airheads with similar problems but found none with valid solutions.

     

    Thanks in advance



  • 2.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 12, 2020 10:28 AM
    Did you enable "Use Server provided Reauthentication Interval" to allow re-authentication to be assigned via the authentication server under the L2 Authentication > MAC authentication profile?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 3.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 12, 2020 10:40 AM

    Hi Victor,

     

    I did indeed. Screenshot of profile attached

     

    Cheers



  • 4.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 12, 2020 10:59 AM
    If you run the show user ip, can you see the reauth interval assigned?



    Thank you

    Victor Fabian

    Pardon typos sent from Mobile


  • 5.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 12, 2020 11:46 AM

    This is the output when the user has been enforced a role/session timeout (60 seconds) from clearpass but before the session has timed-out. 

     

    (GLA-C205-WCNTLR-016) # show user-table ip 10.216.56.92 | include reauth
    Role: preauth-guest (how: ROLE_DERIVATION_L3_ARUBA_VSA), ACL: 80/0
    phy_type: a-VHT-40, l3 reauth: 60, BW Contract: up:0 down:0, user-how: 14
    Timers: L3 reauth 60, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0

     

    This is the output when the user has timed out and dropped back to captive portal. Note I would have expected a mac-auth to have happened here.

     

    (GLA-C205-WCNTLR-016) # show user-table ip 10.216.56.92 | include reauth
    phy_type: a-VHT-40, l3 reauth: 600, BW Contract: up:0 down:0, user-how: 14
    Timers: L3 reauth 600, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
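    As an added example (not from the thread, HPE or ClearPass), a small Python check that parses the two "show user-table ... | include reauth" captures above and reports whether the controller accepted the Session-Timeout but never issued a MAC re-authentication; the 60 s value and the field names come from the posts, the function names and the parsing approach are my assumptions.

    ```python
    import re
    from typing import List

    # Constructed sample input: the two captures posted in the thread, taken
    # before and after the 60 s Session-Timeout returned by ClearPass expired.
    BEFORE_TIMEOUT = """\
    Role: preauth-guest (how: ROLE_DERIVATION_L3_ARUBA_VSA), ACL: 80/0
    phy_type: a-VHT-40, l3 reauth: 60, BW Contract: up:0 down:0, user-how: 14
    Timers: L3 reauth 60, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    """
    AFTER_TIMEOUT = """\
    phy_type: a-VHT-40, l3 reauth: 600, BW Contract: up:0 down:0, user-how: 14
    Timers: L3 reauth 600, mac reauth 0 (Reason: ), dot1x reauth 0 (Reason: )
    Number of reauthentication attempts: mac reauth 0, dot1x reauth 0
    """

    # "| include reauth" only keeps lines containing that substring, which is why
    # the Role line survives before the timeout ("preauth-guest") but not after.
    ROLE_RE = re.compile(r"^Role:\s*(\S+)")
    TIMERS_RE = re.compile(r"^Timers:\s*L3 reauth (\d+), mac reauth (\d+)")
    ATTEMPTS_RE = re.compile(r"attempts:\s*mac reauth (\d+), dot1x reauth (\d+)")


    def parse_reauth(output: str) -> dict:
        """Pull the role, reauth timers and attempt counters out of one capture."""
        state = {"role": None, "l3_timer": None, "mac_timer": None,
                 "mac_attempts": None, "dot1x_attempts": None}
        for line in output.splitlines():
            if m := ROLE_RE.match(line):
                state["role"] = m.group(1)
            elif m := TIMERS_RE.match(line):
                state["l3_timer"], state["mac_timer"] = int(m.group(1)), int(m.group(2))
            elif m := ATTEMPTS_RE.search(line):
                state["mac_attempts"], state["dot1x_attempts"] = int(m.group(1)), int(m.group(2))
        return state


    def diagnose(before: dict, after: dict, session_timeout: int) -> List[str]:
        """Compare the two captures against what the RADIUS Access-Accept asked for."""
        findings = []
        # Session-Timeout was honoured if the L3 reauth timer equals the returned value.
        if before["l3_timer"] == session_timeout:
            findings.append("session-timeout accepted")
        else:
            findings.append("session-timeout NOT reflected in L3 reauth timer")
        # A zero MAC reauth timer means no server-provided MAC interval was installed.
        if before["mac_timer"] == 0:
            findings.append("no mac reauth interval installed")
        # Timer reset to the profile default, yet the MAC attempt counter never moved.
        if after["l3_timer"] != before["l3_timer"] and after["mac_attempts"] == before["mac_attempts"]:
            findings.append("timeout expired without a mac reauth attempt")
        return findings
    ```
    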



  • 6.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 15, 2020 08:48 AM

    Hi,

     

    Does anybody have any ideas here?

    This seems like a very basic request but as mentioned is stumping TAC and myself.

     



  • 7.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 15, 2020 09:15 AM
    How is the device landing on the captive portal initially? Is it based on MAC authentication?
    Please explain the workflow.


  • 8.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 15, 2020 09:30 AM

    Hi Victor,

     

    Thanks for getting back.

     

    The user joins the SSID, they will attempt a MAC auth request which will be rejected. They will be kicked to a captive portal page, create a guest account, after which they will generate a standard auth request which will be accepted. The enforcement profile from the ClearPass service pushes a new role and a session-timeout of 300 seconds (currently using 60 seconds for testing). During that time the user should sponsor themselves and create a guest account. After the session timeout a MAC auth request should happen which will verify whether or not the user has validated their email. In practice this MAC auth is not working. If the user has successfully sponsored themselves they are given a new role.

     

    Please don't get bogged down in what is a complex workflow, that is exactly what TAC are doing.

     

    The specific problem I am asking about is very straightforward. ClearPass sends a session-timeout. The controller is accepting that timeout for the client (I know this because the user drops back to the captive portal role after the timeout, and the re-authentication timers match the session timeout), but upon timeout a MAC authentication request is not generated. Without this re-authentication the solution can't work.

     

     



  • 9.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 15, 2020 10:04 AM

    Try the following:

    - Add "Allow All Mac Auth" as the authentication method

    - Add a catch-all rule to your policy that will return the captive portal role and also assign the session-timeout

     




  • 10.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 16, 2020 10:44 AM

    Hi Victor,

     

    Thanks for the suggestion however that doesn't do anything for my solution. The user needs to be assigned the timeout from the user-auth service after they have created a guest account and been pushed a role.

     

    Giving the user a timeout when they are in the captive portal role wouldn't provide any benefit.

     

    TAC suggested the attached, basically a CoA after x minutes. This partially works in that a MAC auth request is generated, but the controller doesn't seem to adhere to the duration in the policy. It performs a CoA anywhere from 20 seconds to 7 minutes. Very strange behaviour.

     

    Any other suggestions welcome.

     

    Thanks



  • 11.  RE: Re-authentication not working 7240 v6 controller

    Posted Jun 16, 2020 11:40 AM
    Ahh, I see... I have the same workflow working in my lab; you could still return the captive portal role using the Allow All MAC authentication method.
    Give that a shot if you can and see if that works.

    Sent from Mail for Windows 10