Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

  • 1.  Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

    Posted Jul 24, 2017 05:48 PM

    Hello everyone,

     

    I have read about and tested MAC Caching in ClearPass, which lets ClearPass learn the MAC address of clients so that they avoid authenticating every time they connect to a guest network if they were already connected to it. In addition to creating the appropriate service in ClearPass, it is also necessary to enable MAC authentication on the controller, but why? I mean, all the authentication and learning of the MAC address takes place in ClearPass, and regardless of whether MAC authentication is enabled on the controller, the client MAC address is sent to ClearPass when the user connects to the network within the "Radius:IETF:Calling-Station-Id" field, which is enough for ClearPass to check whether the client was already connected to the guest network before or not.

    Then, why enable MAC authentication on the controller for this feature to work? Or what does this feature do in the controller? I have read the controller guide, but there is only an explanation of how to enable it and not what it does...

     

    Regards,

    Julián



  • 2.  RE: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

    EMPLOYEE
    Posted Jul 24, 2017 05:52 PM

    MAC caching prevents someone who still has a valid account from getting the captive portal. It's also used for the same purpose with device registration.


    The result of the MAC authentication says whether the user should be redirected to a captive portal or sent to their final state.



  • 3.  RE: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

    Posted Jul 24, 2017 06:02 PM

    Hi Tim,

     

    Yes, I know that background; I have tested it as well. But what I don't understand is why I have to enable MAC authentication on the controller as well. Or in other words, why doesn't MAC caching work if MAC authentication is disabled on the controller?

     

    Regards,

    Julián



  • 4.  RE: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

    EMPLOYEE
    Posted Jul 24, 2017 06:04 PM

    In order for ClearPass to perform a MAC authentication, the controller must send a MAC authentication request.



  • 5.  RE: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

    Posted Jul 24, 2017 06:19 PM

    Thanks, one more question. I have these two rules in my MAC Authentication service:

    macauthrules.PNG

     

    I understand the second rule, but what does the first rule mean? What's the meaning of the "%{}" operators under the Value column?

     

    Regards,

    Julián



  • 6.  RE: Why to enable MAC authentication on Controller for MAC Caching with ClearPass?

    EMPLOYEE
    Posted Jul 24, 2017 06:29 PM

    The username should be the client's MAC address.