Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

captive portal for failed MAC authenticated users

  • 1.  captive portal for failed MAC authenticated users

    Posted Nov 06, 2019 09:11 AM

    Hi, we configured a captive portal guest WLAN. Is there any way for MAC authentication to be used at the same time, such that users who fail MAC authentication still have the chance to get authenticated via the captive portal?

    I know that user derivation rules can be created so that certain MACs are assigned to an authenticate role, so that they can bypass the captive portal, but we experienced some random behaviour with users that own the bypassed MAC addresses. How can I properly configure that, and verify that my rule has been applied to the specific MAC?



  • 2.  RE: captive portal for failed MAC authenticated users

    EMPLOYEE
    Posted Nov 11, 2019 03:48 AM

    That is a common situation. What you need to do is configure MAC authentication for your guest SSID. If the authentication fails (RADIUS Reject), the default role (captive portal) will be applied. If the authentication succeeds (known MAC), you can send a role+VLAN of your choice. You can even return the captive portal role with a successful authentication, which happens in the case of MAC Caching.


    If you have ClearPass, there is a wizard for Guest Access with MAC caching to get you started. The same can be done with another RADIUS server or even the internal user database.



  • 3.  RE: captive portal for failed MAC authenticated users

    Posted Nov 11, 2019 12:23 PM
    I did that: I configured my internal database with a couple of MACs as usernames and passwords, then associated my authentication server group with the MAC authentication profile inside my aaa profile.

    Clients who succeed in MAC authentication are fine, but those who fail seem not to be assigned the captive portal role, and I don't know how to configure failed MAC authenticated clients to get a specific role so that they are still allowed to be redirected to the captive portal.
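
The setup described in reply 2, sketched as an added example that is not part of any post in this thread. It assumes an ArubaOS controller CLI; every profile, server-group and role name is hypothetical, and the stored MAC format is an assumption that has to match your own user entries.

```text
! Constructed sketch: all profile, group and role names are hypothetical.
!
! Role in which clients are redirected to the captive portal.
user-role guest-logon
   captive-portal "guest-cp"
   access-list session logon-control
   access-list session captiveportal
!
! Format of the MAC sent as username and password. It must match how the
! entries are stored (here: 12 lowercase hex digits, no delimiter).
aaa authentication mac "guest-mac"
   delimiter none
   case lower
!
! Server group used only for MAC authentication (internal user database).
aaa server-group "guest-mac-sg"
   auth-server Internal
!
! initial-role: role a client holds before authentication; it must be the
!               captive portal role so a rejected MAC still reaches the portal.
! mac-default-role: role applied when MAC authentication succeeds.
aaa profile "guest-aaa"
   initial-role "guest-logon"
   authentication-mac "guest-mac"
   mac-server-group "guest-mac-sg"
   mac-default-role "guest-known"
!
```

On the controller, `show user-table` lists each client with its current role, which shows whether a given MAC ended up in the MAC-authenticated role or in the portal role.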