Security

Reply
Highlighted
Contributor I

Unable to update Endpoint attributes after Guest web login

Hello all,

 

I have a deployment currently running on 6.5.6 with Wireless Guest on a Cisco WLC 8000 series separated by L3.

 

Mac filter failure to the captive portal sign-in page is great. Users can sign in and browse, no problem. The issue I'm having is on post authentication when applying the Mac caching attributes to update the Mac-Auth Expiry attribute on the endpoint after they've logged in. Long story short, it doesn't update with any attributes, and so Mac caching is not functioning as intended.

 

Access Tracker entries show the end host identifier as an IP address, not a MAC address like I'm used to seeing. The input tab does not show any mac address details for the client endpoint.

 

I'm not sure how to go about updating these attributes. Can I update Mac-Auth Expiry through the post authentication/customize endpoint attributes on the web login page? I'd have to create a field for Mac-Auth Expiry at that point. If that's the way, how would I go about it?

 

Please see attached screenshots for more information. Happy to provide any more information if needed.

 

Thanks,

Tim


Accepted Solutions
Highlighted
Contributor I

Re: Unable to update Endpoint attributes after Guest web login

Hi guys,

 

Finally back on site for with a fresh mind for another round, making some headway this time...

 

Not sure if I was asleep or just not paying attention when I initially set it up. I had a RADIUS auth service set for the web login page that handled the request coming from the WLC, but that information did not include any MAC address information with it. I had pre-auth check set to none.

 

Once I configured the pre-auth check for RADIUS and created a new service to handle it I was able to successfully use my post authentication enforcements on the endpoint, changes were reflected properly in the endpoing DB.

 

The other issue that threw me for a loop is my captive portal assistant wasn't behaving properly on my Pixel. It would load the CP, I would log in and it would attempt to post the creds, but fail and then immediately reload the CP page in Chrome where it would then work properly.

 

When I bypassed the CP assistant on the Pixel and just went straight to Chrome, it was successful on the first attempt.

 

MAC caching is also verified functioning correctly.

 

Thanks for the help and sanity checking my config guys. Got 'er beat!

 

Tim Friesen

ACMP/ACCP/CWNA/CWSP

View solution in original post


All Replies
Highlighted
MVP Expert

Re: Unable to update Endpoint attributes after Guest web login

Can you please share the output tab from Access Tracker as well?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
Contributor I

Re: Unable to update Endpoint attributes after Guest web login

Hi Victor,

 

I've updated the original post with the screenshot requested.

 

Thank you,

 

Tim

Highlighted
MVP Expert

Re: Unable to update Endpoint attributes after Guest web login

Can you please share how are you redirecting the user to the captive portal page ?

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
MVP Expert

Re: Unable to update Endpoint attributes after Guest web login

Can you please share how are you redirecting the user to the captive portal page ?

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
Contributor I

Re: Unable to update Endpoint attributes after Guest web login

Mac filtering enabled on the SSID, on MAC filter failure redirect to captive portal web page.

 

Also of note, I do not have administrative access to the WLC. It is owned by another party, and wireless services are provided through a contract setup.

Highlighted
MVP Expert

Re: Unable to update Endpoint attributes after Guest web login

Do you see the client MAC address in the browser when redirected ?

Also take a look at the Input tab > Computed attributes and see if the MAC address shows up.

If not you want to use this :
https:///guest/guest_page.php?mac=%{Connection:Client-Mac-Address-Colon}

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
MVP Expert

Re: Unable to update Endpoint attributes after Guest web login

Do you see the client MAC address in the browser when redirected ?

Also take a look at the Input tab > Computed attributes and see if the MAC address shows up.

If not you want to use this :
https:///guest/guest_page.php?mac=%{Connection:Client-Mac-Address-Colon}

Get Outlook for iOS
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
Contributor I

Re: Unable to update Endpoint attributes after Guest web login

Hi Victor,

 

Yes, I do see the mac address in the browser URL when redirected.

 

The client mac address is not present in the input -> computed attributes on the access tracker entry.

 

To clarify on the URL you provided, is that what I should be asking the WLC admin to update on the captive portal redirect URL?

 

Thanks!

 

Tim Friesen

ACCP/ACMP/CWNA/CWSP

Highlighted
MVP Expert

Re: Unable to update Endpoint attributes after Guest web login

If the mac address is showing then no need to make changes on the WLC.

The config looks good.

What version are you running ?
Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: