Wireless Access

Hi,

I have a new build with an Aruba Central deployment using Clearpass as the Web Portal page to accept Terms and Conditions before being granted internet access. After first login with acceptance of terms, MAC Address authentication applies with no problem. This works without issue.

I have some Cisco Anyconnect users who have an issue though. It seems that when they attempt to connect to the network they cannot connect - Clearpass has the mac address whitelisted as part of the logon and as an approved device. I think the laptops of concern are attempting to connect straight out to terminate their VPN without allowing the connection to the wifi to complete - unless they set captive portal remediation which apparently they don't have the capability to this.

Is there anything that can be done that would allow these specific MAC addresses out without the clearpass level - a new hidden SSID locked to MACs on Aruba Central rather than Clearpass that has a completely open connection but provides DHCP?

Regards

Adrian

Is there any way I can allow devices 

So they are not able to open a browser and try accessing an external site? This should redirect if you are assigning a captive portal. Is DNS allowed for the client prior to the terms acceptance?

------------------------------
Dustin Burns

Lead Mobility Engineer @Worldcom Exchange, Inc.

ACCX 1271| ACMX 509| ACSP | ACDA | MVP Guru 2022-2023
If my post was useful accept solution and/or give kudos
------------------------------

Original Message:
Sent: Jun 19, 2024 05:06 AM
From: southside
Subject: Aruba Central and Clearpass - Cisco Anyconnect Always on

Hi,

I have a new build with an Aruba Central deployment using Clearpass as the Web Portal page to accept Terms and Conditions before being granted internet access. After first login with acceptance of terms, MAC Address authentication applies with no problem. This works without issue.

I have some Cisco Anyconnect users who have an issue though. It seems that when they attempt to connect to the network they cannot connect - Clearpass has the mac address whitelisted as part of the logon and as an approved device. I think the laptops of concern are attempting to connect straight out to terminate their VPN without allowing the connection to the wifi to complete - unless they set captive portal remediation which apparently they don't have the capability to this.

Is there anything that can be done that would allow these specific MAC addresses out without the clearpass level - a new hidden SSID locked to MACs on Aruba Central rather than Clearpass that has a completely open connection but provides DHCP?

Regards

Adrian

Is there any way I can allow devices 

Not sure what is the exact question and what you tried or didn't. Just some ideas or guidance:

With always-on VPNs, it may be that the client cannot be redirected to the captive portal as the client tries to tunnel all traffic over the VPN, which cannot come up as the user would need to authenticate first to the VPN. You mention captive portal remediation, which sounds like a VPN client feature that detects/allows a captive portal when the VPN is not up (or cannot be established).

If these are known clients, you could either allow their MAC addresses (for example by attribute in the endpoint database) direct access, bypassing/exempted from the captive portal. This is done by MAC authentication before the captive portal. Note that more and more operating systems move to randomized MAC addresses, making this solution more or less useful. Other option is to allow the VPN traffic through your captive portal (walled garden, pre-auth role), which would remove the need for users that use this VPN to login to the captive portal, under the assumption that all traffic is tunneled through the VPN.

It may be best to first better understand the problem, than see which of the options is the best in your case.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jun 19, 2024 05:06 AM
From: southside
Subject: Aruba Central and Clearpass - Cisco Anyconnect Always on

Hi,

I have a new build with an Aruba Central deployment using Clearpass as the Web Portal page to accept Terms and Conditions before being granted internet access. After first login with acceptance of terms, MAC Address authentication applies with no problem. This works without issue.

I have some Cisco Anyconnect users who have an issue though. It seems that when they attempt to connect to the network they cannot connect - Clearpass has the mac address whitelisted as part of the logon and as an approved device. I think the laptops of concern are attempting to connect straight out to terminate their VPN without allowing the connection to the wifi to complete - unless they set captive portal remediation which apparently they don't have the capability to this.

Is there anything that can be done that would allow these specific MAC addresses out without the clearpass level - a new hidden SSID locked to MACs on Aruba Central rather than Clearpass that has a completely open connection but provides DHCP?

Regards

Adrian

Is there any way I can allow devices