Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Server Initiated without MAC Caching

  • 1.  Server Initiated without MAC Caching

    Posted Feb 24, 2020 04:22 AM

    Dear Experts,

    I have already gone through the technote (dated 2014) on how to configure server-initiated logins. I just want to know the following:

    I am using CPPM 6.7.11 and Instant 8.6.0.2.

    1) Is it mandatory to use MAC caching with server-initiated logins?

    2) If not, can someone help me understand: when CPPM sends the RADIUS CoA to Instant, how does Instant know which credentials to send back to CPPM as part of the RADIUS response?

    I am a bit lost here. Can someone guide me through the steps?



  • 2.  RE: Server Initiated without MAC Caching

    EMPLOYEE
    Posted Feb 24, 2020 06:55 AM

    1. ClearPass uses the MAC authentication service to send CoA to Instant using the NAS-IP address. It is mandatory to have a RADIUS service for Server Initiated login. You can use CoA to disconnect the user or change the user role.

    2. In Server Initiated login, the client posts the credentials directly to the ClearPass server during login, so Instant is not involved in the login process.
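
    Added example, not part of the thread and not ClearPass or Instant code: a minimal RFC 5176 Disconnect-Request, built on the server side and verified on the NAS side, showing that the request identifies the NAS and the session and carries no user credentials. The exact attributes ClearPass sends are not given in the thread; NAS-IP-Address plus Calling-Station-Id, the shared secret, the addresses and the function names are assumptions constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

# RFC 5176 packet codes and RFC 2865 attribute types used below.
DISCONNECT_REQUEST, COA_REQUEST = 40, 43
USER_PASSWORD, NAS_IP_ADDRESS, CALLING_STATION_ID = 2, 4, 31

# Constructed sample values (assumptions, not taken from the thread).
SECRET = b"constructed-shared-secret"
NAS_IP = "192.0.2.10"
CLIENT_MAC = "AA-BB-CC-DD-EE-FF"

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_request(code, ident, secret, nas_ip, client_mac):
    """Server side: the request names the NAS and the session, no credentials."""
    attrs = _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
    attrs += _attr(CALLING_STATION_ID, client_mac.encode())
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs

def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def verify_request(packet, secret):
    """NAS side: accept only a well-formed request signed with the shared secret."""
    if len(packet) < 20 or packet[0] not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

PACKET = build_request(DISCONNECT_REQUEST, 7, SECRET, NAS_IP, CLIENT_MAC)
```
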

     



  • 3.  RE: Server Initiated without MAC Caching

    Posted Feb 24, 2020 07:01 AM
    Thanks James,

    I can understand that the RADIUS service is required, but what about MAC
    authentication? Is it also required, or can we have successful
    server-initiated without involving MAC authentication?


  • 4.  RE: Server Initiated without MAC Caching

    EMPLOYEE
    Posted Feb 24, 2020 07:11 AM

    For Server Initiated captive portal, we require two services.

    1. RADIUS service (for MAC Authentication).

    2. Webauth service (for Guest login).

    In Server Initiated, you need to use the Webauth service instead of the MAC Caching service.



  • 5.  RE: Server Initiated without MAC Caching

    Posted Feb 24, 2020 07:14 AM
    So MAC authentication is mandatory? We cannot do server-initiated without
    MAC auth, right?


  • 6.  RE: Server Initiated without MAC Caching
    Best Answer

    EMPLOYEE
    Posted Feb 24, 2020 07:15 AM

    Yes, the MAC Authentication Service (RADIUS) is mandatory.


    Regards,

    James Immanuvel L.



  • 7.  RE: Server Initiated without MAC Caching

    Posted Feb 24, 2020 07:26 AM
    Oh ok, thanks James,

    Apart from the old technote, is there any other article or resource that
    explains this service a bit better?


  • 8.  RE: Server Initiated without MAC Caching

    EMPLOYEE
    Posted Mar 02, 2020 09:59 AM

    Hi Ronin,

    You can check the article below to understand the Server-Initiated method.

    https://afp.arubanetworks.com/afp/index.php/Cisco_Wired_Guest_for_ClearPass_6.2.1_and_greater

    This article is mainly for Cisco switches, so some of the configurations are related to Cisco captive portal configuration. However, you can refer to this document to understand the workflow.



  • 9.  RE: Server Initiated without MAC Caching

    Posted Mar 02, 2020 10:29 AM
    Thanks James,

    Let me have a look at it; I will post my findings.