Occasional Contributor II

Wired Guest Access

Hello everyone!

A customer wants users to do 802.1X authentication on the wired access with ClearPass.

If the 802.1X authentication doesn't work (for a guest user, for example), then the user is redirected to the ClearPass captive portal.

Can someone please explain to me how I can do that?

Thanks all for your help!

Guru Elite

Re: Wired Guest Access

Did you look at the ClearPass Solution Guide for Wired Policy Enforcement?

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Occasional Contributor II

Re: Wired Guest Access

Hello!

Thank you very much for your reply.

I read some parts of it. I found how to do 802.1X with wired access. I found how to do captive portal with the wired access.

But I don't know how the fallback mechanism works: if 802.1X doesn't succeed, then we perform web auth...

Guru Elite

Re: Wired Guest Access

It’s all on the switch side.

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

MVP

Re: Wired Guest Access

What kind of switches do you use?

For Cisco you can do something like this:

interface GigabitEthernet1/0/35
 switchport access vlan 100
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 15
 dot1x max-reauth-req 1
 spanning-tree portfast
!

MAB is the key there - as it's mac address bypass - which in essence is mac-auth. So on failed dot1x it will do mab, and here you will return the attributes from ClearPass which trigger the redirect-acl. Once redirected and authenticated, you use RADIUS CoA to change the ACL for the client.


Regards
John Solberg

-ACMX #316 :: ACCX #902 :: ACSA
Aruba Partner Ambassador
Intelecom/NetNordic - Norway
----------------------------
Remember to Kudo if a post helped you! || Problem Solved? Click "Accept as Solution" in a post!
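
An added example (not part of the original posts, and not Cisco or Aruba tooling): a small Python audit that checks access ports in an IOS-style config for the lines the post above relies on for the 802.1X-to-MAB fallback. The sample config is constructed, and requiring an explicit `authentication order dot1x mab` line is this example's own policy assumption.

```python
import re

# Constructed sample input: port 35 mirrors the post, port 36 is made up.
SAMPLE = """\
interface GigabitEthernet1/0/35
 switchport mode access
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet1/0/36
 switchport mode access
 authentication order dot1x
 authentication port-control auto
 dot1x pae authenticator
"""

REQUIRED = {  # command -> what is lost without it
    "authentication port-control auto": "port is not enforcing authentication",
    "dot1x pae authenticator": "802.1X is not enabled",
    "mab": "no MAB fallback, so a failed 802.1X never reaches the redirect",
}

def parse_interfaces(config):
    """Return {interface: [sub-commands]} from IOS-style text."""
    ports, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = ports.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or a global command closes the stanza
    return ports

def audit(config):
    """Return {interface: [findings]} for every access port (empty list = OK)."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if "switchport mode access" not in cmds:
            continue  # trunks/uplinks are out of scope here
        findings = [why for cmd, why in REQUIRED.items() if cmd not in cmds]
        order = [c.split()[2:] for c in cmds if c.startswith("authentication order")]
        if not order or order[0][:2] != ["dot1x", "mab"]:
            findings.append("order is not 'dot1x mab'")
        report[name] = findings
    return report
```

Calling `audit(SAMPLE)` returns an empty finding list for port 35 and two findings for port 36 (no `mab` command, and an order that stops at dot1x).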
Contributor I

Re: Wired Guest Access

If you use Aruba switches you can send an enforcement profile on authentication failure with the captive portal URL (based on HPE VSAs):

Radius:Hewlett-Packard-Enterprise
HPE-Captive-Portal-URL (24)
http://<cppm-server>/guest/<guest-page>.php

Be sure to enable captive portal in the switch.

Also a couple of downloadable ACLs are required to block all traffic except dns, dhcp and 80/443 to ClearPass.

----------------------------------------------------------------------------------------
Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE
Occasional Contributor II

Re: Wired Guest Access

Thank you all for your answers!

The customer has Extreme switches. I looked for documentation but I didn't find anything yet.

Guru Elite

Re: Wired Guest Access

If only there was a doc that covered this step by step ;)

| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |
