Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Sponsored guest access on Cisco 3850

  • 1.  Sponsored guest access on Cisco 3850

    Posted May 03, 2016 03:24 PM

    We have a sponsored guest access solution set up, for users connecting to both Cisco 5508 WLCs and Cisco 3850 converged access systems. When the user is connecting via a WLC, everything works fine.

    When the user is connecting via a 3850 based site, the access gets rejected with the following message:

    Gym Machines SHL: Client not found or not a MAC authentication request
    [Endpoints Repository] - localhost: User not found.
    MAC-AUTH: MAC Authentication attempted by unknown client, rejected.

    The user is able to fill out the sponsor request, it gets authorized by the sponsor, and the user receives the user-id and password. When you put in the user-id and password, it fails and the user gets a URL with a 1.1.1.1 address.

    The user's smartphone/laptop is associated with the SSID at this point.

    Not sure what to look at to figure out why the client is unknown, as I'm new to ClearPass.

    I've tried various things on the web, but nothing seems to help, or change the response.

    Thanks



  • 2.  RE: Sponsored guest access on Cisco 3850

    EMPLOYEE
    Posted May 03, 2016 03:27 PM
    The wired MAC address is likely unknown because it hasn't been seen before.
    You can change the authentication method to AllowAll MAC-Auth and then change
    your policy to return a captive portal URL if the device is unknown.


  • 3.  RE: Sponsored guest access on Cisco 3850

    Posted May 03, 2016 06:31 PM

    Sorry, not clear in initial post, this is for wireless access.

    ClearPass issues the user-id and password that is e-mailed to the client after they connect to the SSID, so it must have seen the device before. I was also trying all afternoon, for several afternoons, to connect. Perhaps I'm misunderstanding here.

     

    The same rule set works fine when the user is connecting via a Cisco 5508 WLC based access point, so I think there is some difference with the 3850 converged access based access points, probably in my configuration. I can't change the rule set without a lot of evidence that I need to do so.

     

    Is there a way to see the MAC addresses of the devices that ClearPass knows about, and when they are added/removed from the database?

    Thanks