Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

captive portal for wired

  • 1.  captive portal for wired

    Posted Apr 02, 2019 06:32 AM

    Hello,

    I have a question. We have a common VLAN for all devices (laptops, printers, cameras) and we don't want to create a new VLAN, considering the environment is big.

    Now we will enable dot1x and MAB as two options at the switch level (in that order) and we want to return a captive portal on auth fail.

    When I say captive portal on auth fail, does it mean I have to create a third service called Web Authentication in ClearPass (the first two being dot1x and MAB)?

    There is no separate VLAN for the captive portal. I have gone through the Aruba Wired guide but I am confused.

    Because in the dot1x and MAB services, they are returning the captive portal.

    Also, for the captive portal, the portal URL has to be mentioned in the profile. Do we need changes on the switch side also for the captive portal? We don't want to use DUDR or UDR.

    Basically I want a workflow for how to achieve it. Do we really need 3 services? On the two services, dot1x and MAB, if auth fails can I simply return a captive portal?



  • 2.  RE: captive portal for wired

    MVP
    Posted Apr 03, 2019 10:16 AM

    I think I can answer a few of those questions. The reason for 3 services is that there are different conditions that will be met during each authentication method. The first method is 802.1X, so the authentication would be EAP-PEAP or EAP-TLS. Then you have the second method of MAB, which would be an authentication method of MAC Auth. You would then have a 3rd authentication, which would be Web-auth, so that's why you need the extra service or services depending on what you're doing on the captive portal.

    In terms of workflow, it's pretty simple:

    The switch will process each type based on order and will take the result based on priority. Assuming the priority is default (it defaults to using the order as the priority), it would be something like this:

    Step 1: Device -> Switch -> 802.1X request -> CPPM -> AD Lookup (let's assume this fails)

    Step 2: Device -> Switch -> MAC Auth -> CPPM -> MAC DB Lookup (let's assume this fails and we return captive portal enforcement)

    Step 3: Device -> Switch -> Captive Portal -> CPPM -> Guest Reg or login.

    On some switches you can configure the captive portal locally, or you can use CPPM to dynamically push what you need, which is the URL and the dACL forcing access to the captive portal only. Remember the device needs an IP address to get to the captive portal, so the MAC auth will not be a deny access, but an allow with the captive portal enforcement permitting DHCP, DNS, etc.



  • 3.  RE: captive portal for wired

    Posted Jul 19, 2019 06:41 AM

    I am also doing the same. Can you help me with the configuration?



  • 4.  RE: captive portal for wired

    Posted Nov 26, 2019 07:30 AM

    Hello Michael,

    Nice explanation. I have a question: wouldn't MAC auth always fail when a device first comes online on the network (during initial implementation or when adding a new device to the network) since the MAC is not in the DB? What's the fix for that? I know we can go to each request and set the status to KNOWN or add the MAC address to the SHL.

    Is there any automation available for this?



  • 5.  RE: captive portal for wired

    MVP
    Posted Nov 26, 2019 08:56 AM
    You can use "allow all macauth" in the authentication methods, which disregards whether it exists in the Endpoints Database or not.


  • 6.  RE: captive portal for wired

    Posted Nov 26, 2019 08:59 AM

    That's correct Michael, but what's the authentication purpose in this scenario then? Everything will get authenticated? Where is the access control in this?



  • 7.  RE: captive portal for wired

    MVP
    Posted Nov 26, 2019 09:07 AM
    Everything would be MAC authenticated, but you still have the ability to use role mapping and enforcement profiles for known devices in the endpoints database. You would then use the default profile to return the captive portal information: redirect URL and dACL forcing the captive portal. It would be a last effort before blocking access altogether. Really, it just gives the ability to have someone agree to terms of use prior to having guest access on the wire. The other option is to just have a guest network / quarantine network that is the failed-auth result. You could still have known devices get placed in prod based on whatever device information you want to validate: MAC OUI, attribute, etc. You can also include multiple databases, like the guest device database.
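The three-step flow in reply 2 and the "allow all MAC auth" plus role-mapping behaviour in reply 7, as an added simulation that is not code from this thread or from HPE Aruba/ClearPass. It models the switch trying 802.1X first, then MAC auth, and shows why the MAC-auth result for an unknown endpoint has to be an accept with a restrictive dACL (DHCP, DNS and the portal only) rather than a reject. Every name, role, address, the portal URL and the ACL tuple format are illustrative assumptions; a real deployment returns these as RADIUS attributes in a ClearPass enforcement profile, and the exact attributes depend on the switch model.

```python
"""Added example (not ClearPass or switch code): simulates the wired
802.1X -> MAC auth -> captive portal flow with an ACL check a practitioner
can use to sanity-check a captive-portal enforcement before deploying it.
All names, roles, addresses and the ACL format are hypothetical."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample data standing in for AD and the ClearPass endpoint DB.
AD_USERS = {"alice": "correct horse battery staple"}      # hypothetical
KNOWN_ENDPOINTS = {"00:11:22:33:44:55": "printer"}        # hypothetical
CPPM = "10.0.0.10"                                        # hypothetical CPPM IP
PORTAL_URL = "https://" + CPPM + "/guest/register.php"    # hypothetical URL

# (action, protocol, destination network, destination port or None for any)
AclEntry = Tuple[str, str, str, Optional[int]]
PERMIT_ALL: List[AclEntry] = [("permit", "ip", "0.0.0.0/0", None)]


@dataclass
class Enforcement:
    """What the RADIUS Access-Accept carries back to the switch."""
    role: str
    acl: List[AclEntry] = field(default_factory=list)
    redirect_url: Optional[str] = None


# The "default profile" of reply 7: an accept, but the client can only get an
# address, resolve names and reach the portal until web-auth succeeds.
CAPTIVE_PORTAL = Enforcement(
    role="captive-portal",
    redirect_url=PORTAL_URL,
    acl=[("permit", "udp", "0.0.0.0/0", 67),        # DHCP
         ("permit", "udp", "0.0.0.0/0", 53),        # DNS
         ("permit", "tcp", CPPM + "/32", 443),      # the portal itself
         ("deny", "ip", "0.0.0.0/0", None)],        # everything else
)


def service_dot1x(username: str, password: str) -> Optional[Enforcement]:
    """Service 1 (EAP): AD lookup. None models an Access-Reject."""
    if AD_USERS.get(username) == password:
        return Enforcement(role="employee", acl=PERMIT_ALL)
    return None


def service_mab(mac: str, allow_all: bool) -> Optional[Enforcement]:
    """Service 2 (MAC Auth): known endpoints are role-mapped to production;
    unknown ones get the captive-portal profile only when 'allow all MAC
    auth' is set, otherwise they are rejected."""
    role = KNOWN_ENDPOINTS.get(mac.lower())
    if role:
        return Enforcement(role=role, acl=PERMIT_ALL)
    return CAPTIVE_PORTAL if allow_all else None


def service_webauth(mac: str, accepted_terms: bool) -> Optional[Enforcement]:
    """Service 3 (Web Auth): guest registration/login behind the portal.
    On success the endpoint becomes known, so the next MAC auth maps it."""
    if accepted_terms:
        KNOWN_ENDPOINTS[mac.lower()] = "guest"
        return Enforcement(role="guest", acl=PERMIT_ALL)
    return None


def switch_authenticate(mac: str, creds: Optional[Tuple[str, str]] = None,
                        allow_all_mab: bool = True
                        ) -> Tuple[Optional[str], Optional[Enforcement]]:
    """Switch order: 802.1X first, then MAB; the first accept wins.
    (None, None) means nothing accepted and the port stays blocked."""
    if creds is not None:
        result = service_dot1x(*creds)
        if result:
            return "802.1X", result
    result = service_mab(mac, allow_all_mab)
    if result:
        return "MAC Auth", result
    return None, None


def acl_permits(acl: List[AclEntry], proto: str, dst: str, port: int) -> bool:
    """First matching entry decides; no match means deny, as on the switch."""
    for action, aproto, net, aport in acl:
        if aproto not in ("ip", proto):
            continue
        if ip_address(dst) not in ip_network(net):
            continue
        if aport is not None and aport != port:
            continue
        return action == "permit"
    return False
```

The useful check is `acl_permits` against the captive-portal ACL: DHCP, DNS and HTTPS to the portal host must pass, while HTTPS to anything else (and any other port on the CPPM host) must be denied, otherwise an unregistered device on the shared VLAN has more than portal access before anyone has agreed to terms.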