Security

Upcoming community maintenance Oct. 27th through Oct. 29th
For more info click here
Reply
Highlighted
MVP Expert

Re: WLC and Clearpass MAC authentication

Did you created the Mac caching services using the templates ?

Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA
Highlighted
All-Decade MVP 2020

Re: WLC and Clearpass MAC authentication

Yes.

Andrea
Highlighted
Trusted Contributor I

Re: WLC and Clearpass MAC authentication

i would double check the Cisco WLC config, are you sure the MAC auth section is enabled. if you are sure try to confirm this with a packet capture. if it is just not send then this is a Cisco WLC issue and you could probably better check with their forum / support.

Highlighted
MVP

Re: WLC and Clearpass MAC authentication

What version of CP are you on? Earlier versions of CP ignores requests and didn't show them in Access Tracker, but in 6.4 you will find them there as long as something is received from the Controller.

Format of the MAC-address sent from the controller doest matter, unless you are specifically testing for something like "client-mac-address-dash".. I believe Clearpass normalizes before using it in the sql check towards endpoint db.

A thing to check..
There is a dropdown on the Cisco WLC (I think under Security/Mac-"something") that defaults to client ip-address. Change that to "Client mac-address".

If you post some screenshots of your configuration on both the WLC and CP we should be able to narrow it down more.

I'm working with the exact same setup these days so if you're unable to get it working I can post some more details with screenshots if needed.

Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Highlighted
Frequent Contributor II

Re: WLC and Clearpass MAC authentication

Andrea,

What do you have set as your authentication sources?
You need to allow all Mac address if this is for an open said.

Highlighted
MVP

Re: WLC and Clearpass MAC authentication

 

Security -> AAA / MAC Filtering. Radius Compatibility Mode.

  -> Set this to Cisco ACS

 

Security -> AAA / Radius -> Authentication -> Call Station ID Type

  -> Set this to "System MAC Address"

 

 


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
Highlighted
All-Decade MVP 2020

Re: WLC and Clearpass MAC authentication

Hello,

i'm using a clearpass 6.3.5.

On the WLC i think that is all correct, i have followed a tech-guide released by aruba.

 

Unfortunately today i'dont have access to clearpass, but  If you can give me some screenshot of your configuration i can do a check with mine configuration, because i remember how it is configured.

 

Best regards

Andrea Acampa

Andrea
Highlighted
New Contributor

Re: WLC and Clearpass MAC authentication

Hi John,

about:

 

Security -> AAA / Radius -> Authentication -> Call Station ID Type

  -> Set this to "System MAC Address"

 

there is "Call Station ID Type 1" and "Call Station ID Type"

 

i also see on the option: "MAC Delimiter" they use "Colon"

 

am i ok?

regards.