Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass Attributes not getting added to endpoint after going through portal redirect

  • 1.  ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 30 days ago

    Hello,

    Endpoints connecting to the Guest internet on our Cisco WLC are not getting attributes added to the endpoint whenever they authenticate through a Portal we have set up on CPPM. I can manually set the attributes and make it a known endpoint to access the internet from Guest WiFi, but it needs to be done automatically to support our userbase.

    The attributes I wanted added after a user authenticates through the portal are:

    Updating the Endpoint as Known

    Allow-Guest-Internet = true

    AccountEnabled = true

    AccountExpired = false

    Thanks. I imagine there is more information that I will need to provide; I am just not certain exactly what is needed. I am still pretty new to ClearPass.



  • 2.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 29 days ago

    Hi

    Can you provide screenshots of the configuration of the guest authentication services you have configured?

    The attributes should be assigned by enforcement profiles of the type ClearPass Endpoint Update Enforcement that are applied when the guest signs in to the captive portal.

    The two attributes AccountEnabled and AccountExpired are values from the Guest Device Repository.

    In the Service for guest logon you have to have the Guest Device Repository as one of the authentication sources if you would like the guests to be able to register for a guest account and log in. You also need to add [Time Source] as an Authorization source to the service. Otherwise timestamps will not be written correctly.

    If you utilize the service template for Guest Authentication with MAC Caching and create the two services, you will also get the enforcement profiles that will write the needed information to the Endpoints Repository, and a role mapping policy utilizing the information in the Guest Device repository.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP Guru 2024, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 29 days ago

    Looks like Guest User & Device Repository is already set as an Authentication Source.

    We have the service for Guest Authentication with MAC Caching as well, with Endpoints Repository and a role mapping policy. Uncertain if the role mapping policy is using Guest Device Repository, so I'll upload a screenshot of that Role Mapping Policy below.




  • 4.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect
    Best Answer

    EMPLOYEE
    Posted 29 days ago

    Your MAC auth service shouldn't be setting any attributes on the endpoint since the MAC auth service is trying to read those attributes.  You need to share the enforcement tab from the Test User Authentication with MAC Caching service.  There should be a condition similar to my screenshot, that includes a policy that tags the attributes.  Need to make sure that the source of the data ([Time Source] when talking about a timestamp) is included as an authorization source.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    Posted 26 days ago

    Here is the Enforcement tab of my User Auth with MAC Caching service

    EDIT: I updated the Enforcement Policy in that service to include the Make-Cisco-Guest-Valid profile, which should add the Allow-Guest-Internet = true attribute to endpoints.

    EDIT2: Guest Wireless is now working. It looks like we already had an Enforcement Profile in place with Test User Authentication with MAC Caching Enforcement Policy to update endpoint known and apply the created Attribute, I just overlooked it. It can be found in the Test Guest Profile enforcement profile that is applied to the above stated Service. The real issue I was having seemed to be a mismatch with the SSID I had in both running services to what was actually being broadcast. i.e., COMPANY-GUEST1 vs COMPANY-GUEST, when the latter was the correct SSID that was being broadcasted. I also adjusted the order of the services to where Test User Auth...is first, before Test MAC Authentication.




  • 6.  RE: ClearPass Attributes not getting added to endpoint after going through portal redirect

    EMPLOYEE
    Posted 26 days ago

    Good to hear.  User auth before MAC auth in the service list isn't going to make a difference as the service categorization criteria is different.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
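
The two points the thread ends on, as an added illustration that is not part of any post and is not ClearPass code: a toy model of first-match service selection showing that an SSID in the service rules that differs from the broadcast SSID leaves both services unmatched, and that swapping two services with mutually exclusive rules changes nothing. The rule shapes (SSID read from the end of Called-Station-Id, MAC auth recognised by User-Name equal to the client MAC) and all request values are assumptions constructed for the example.

```python
# Added illustration, not ClearPass code: a toy model of first-match service
# categorization. Rule shapes and attribute names below are assumptions.
BROADCAST_SSID = "COMPANY-GUEST"    # SSID the thread says is actually on air
CONFIGURED_SSID = "COMPANY-GUEST1"  # SSID the thread says was in both services

def build_services(ssid):
    """Return the two services as (name, rule) pairs in list order."""
    def on_ssid(req):
        # Assumed format: Called-Station-Id is "<ap-mac>:<ssid>"
        return req["Called-Station-Id"].rsplit(":", 1)[-1] == ssid
    return [
        # MAC auth: the client presents its own MAC as the user name
        ("Test MAC Authentication",
         lambda r: on_ssid(r) and r["User-Name"] == r["Client-Mac"]),
        # Portal login: the user name is a guest account, not the MAC
        ("Test User Authentication with MAC Caching",
         lambda r: on_ssid(r) and r["User-Name"] != r["Client-Mac"]),
    ]

def categorize(services, request):
    """First service whose rule matches wins; None means no service matched."""
    for name, rule in services:
        if rule(request):
            return name
    return None

def sample_requests(ssid=BROADCAST_SSID):
    """Constructed RADIUS requests from one client on the broadcast SSID."""
    base = {"Called-Station-Id": "00-11-22-33-44-55:" + ssid,
            "Client-Mac": "aabbccddeeff"}
    return {"mac": dict(base, **{"User-Name": "aabbccddeeff"}),
            "portal": dict(base, **{"User-Name": "guest@example.com"})}

def results(service_ssid, reverse=False):
    """Categorize both sample requests against services built for service_ssid."""
    services = build_services(service_ssid)
    if reverse:
        services.reverse()
    return {k: categorize(services, r) for k, r in sample_requests().items()}

if __name__ == "__main__":
    print("mismatched SSID:", results(CONFIGURED_SSID))
    print("corrected SSID: ", results(BROADCAST_SSID))
    print("order swapped:  ", results(BROADCAST_SSID, reverse=True))
```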