Security

I have a number of devices that need to connect to my guest wireless network that dont use captive portal (clearpass 6.2). Theres not a large number so mac auth is feasible. For a variety or reasons I cant use another ssid and cabling isnt an option.

 

What I need to achieve is mac auth for those devices, but captive portal for everything else.

 

After a quick tinker, I dont think the default mac auth with instant is going to work as the mac becomes the username and the remaining clients fail captive portal services.

Ive also had a quick go with connection:client-mac-address (sorry thats from memory) and radius:ietf-calling-station-id but I dont seem to get a match in access tracker.

 

Anyone done something similar and can point me in the right direction?

In the service template use the guest Mac auth with Mac caching and then you can use the device repository as an auth source along with the guest user repository.

Then you can registered those devices in the guest manger under create a device.

Is there a way to not cache the guest users? Or at least present them with a login page? The use of the captive portal page is quite important in this solution

Set the cache settting to the same as the lifetime of the account in guest.

Or you can remove the guest user part of the service and only allow the device reg only in the auth source

Perhaps I could use a static list instead of the device repository which guests will never match... might test that tomorrow

All sorted, I did have it the way you described and it is working now, I just had a browser that was getting stuck during the captive portal process. Binned the device, got a new one and it works.

Thanks!