Thanks James. I thought with what you commented there I was about to figure it out. Overall it sounded straightforward. I failed to figure it out.
"you need to have a condition in the Roles tab like:
(Authorization:[Guest Device Repository]:Device Role ID EQUALS 4) |
guest-access |
"
So to the MAC Auth service I added condition 2 to the Roles tab:

And in the Enforcement tab I couldn't figure out where to find 'OR' and ended up only with 'AND'.

So I deleted that, and went for what you said next, its own condition.

So I've re-uploaded the client with a new role specified in the CSV of Guest-WiFi-Portal Workaround (having made that role available to Guest, and created the new role on the controller with an allow-all IPv4 rule), but that didn't work.
So I made the Workaround rule first in the list; that didn't work either. I put MAC Caching back as first in the list.
Led by your comment about the two repositories, I noticed that the MAC Auth service was only using the Endpoints Repository, so I added the Guest Device Repository.
And I got a successful and fast authentication!
The weird thing for me now is that the role shown on the controller is not the new '...Portal-Workaround' role, but the original Guest-WiFi role that I wanted to use. Now I need to get to the bottom of why that's the case.
I really hate ClearPass; I just can't figure it out, and I've been trying for way longer than I'm willing to admit!
Thanks for your input yesterday, I'd still be nowhere without it.
Nathan.
------------------------------
nathan millward
------------------------------
Original Message:
Sent: May 23, 2022 11:56 PM
From: James Andrewartha
Subject: Devices that can't register via captive portal
So you've uploaded the CSV to the Guest device database, /guest/mac_import.php, rather than the ClearPass (TIPS) device database /tips/tipsContent.action#tipsEndpoints.action? If so, you need to have a condition in the Roles tab like:
(Authorization:[Guest Device Repository]:Device Role ID EQUALS 4) | guest-access |
Although you need to confirm the Device Role ID for guest-access. Then in Enforcement, you'd have (Tips:Role EQUALS guest-access) as an OR of the first condition (or as its own condition with the same (or different) enforcement profiles).
The core issue here is that ClearPass has two device repositories, one on the captive portal side [Guest Device Repository], one on the ClearPass (TIPS RADIUS server) side [Endpoints Repository]. Once you understand that, doing what you want becomes a bit clearer.
------------------------------
James Andrewartha
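As an added illustration of the two-repository point above (this is not ClearPass code, nor anything posted in the thread), the following Python model evaluates the rule syntax quoted in the reply against a MAC that exists only in the Guest side. It shows why a condition on Authorization:[Guest Device Repository] can never match while the service queries only [Endpoints Repository], and why adding the repository as an authorization source changes the outcome. The repository contents, the MAC address, the default role "guest-logon", the profile names and the EQUALS/NOT_EQUALS-only grammar are all assumptions made for the example.

```python
"""Toy model of a ClearPass MAC-auth service resolving a device role.

Added example, not ClearPass code.  Repository records, MAC, default role and
profile names are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed repository contents: the device was uploaded only through
# /guest/mac_import.php, so only the Guest side carries its Device Role ID.
REPOSITORIES = {
    "Guest Device Repository": {
        "001122334455": {"Device Role ID": "4", "Enabled": "true"},
    },
    "Endpoints Repository": {
        "001122334455": {"Status": "Known"},
    },
}

# Rule syntax as quoted in the thread, e.g.
#   Authorization:[Guest Device Repository]:Device Role ID EQUALS 4
#   Tips:Role EQUALS guest-access
RULE_RE = re.compile(
    r"^(?P<ns>Authorization|Tips):"
    r"(?:\[(?P<source>[^\]]+)\]:)?"
    r"(?P<attr>.+?)\s+(?P<op>EQUALS|NOT_EQUALS)\s+(?P<value>.+)$"
)

@dataclass(frozen=True)
class Condition:
    namespace: str
    source: Optional[str]
    attribute: str
    operator: str
    value: str

@dataclass
class Service:
    authorization_sources: list        # repositories the service actually queries
    role_mappings: list                # [(condition text, role to add)]
    enforcement: list                  # [(condition text, enforcement profile)]
    default_role: str = "guest-logon"  # assumed fallback role of the template
    default_profile: str = "[Deny Access Profile]"  # assumed default profile

def normalize_mac(mac: str) -> str:
    """Lower-case hex without separators, so CSV, controller and Access
    Tracker spellings of the same MAC all hit the same record."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def parse_condition(text: str) -> Condition:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"cannot parse condition: {text!r}")
    return Condition(m["ns"], m["source"], m["attr"].strip(), m["op"], m["value"].strip())

def gather_attributes(mac: str, sources) -> dict:
    """Only repositories listed as authorization sources are consulted; an
    attribute from any other repository is simply absent from the request."""
    attrs = {}
    key = normalize_mac(mac)
    for source in sources:
        for attr, value in REPOSITORIES.get(source, {}).get(key, {}).items():
            attrs[(source, attr)] = value
    return attrs

def evaluate(cond: Condition, attrs: dict, roles: set) -> bool:
    if cond.namespace == "Tips" and cond.attribute == "Role":
        hit = cond.value in roles          # Tips:Role is multi-valued
        return hit if cond.operator == "EQUALS" else not hit
    actual = attrs.get((cond.source, cond.attribute))
    if actual is None:
        return False                       # never fetched: cannot match
    hit = actual == cond.value
    return hit if cond.operator == "EQUALS" else not hit

def resolve(service: Service, mac: str):
    """Return (roles, enforcement profile) the model would hand the controller."""
    attrs = gather_attributes(mac, service.authorization_sources)
    roles = {role for text, role in service.role_mappings
             if evaluate(parse_condition(text), attrs, set())}
    if not roles:
        roles = {service.default_role}
    for text, profile in service.enforcement:
        if evaluate(parse_condition(text), attrs, roles):
            return roles, profile
    return roles, service.default_profile

ROLE_MAPPINGS = [("Authorization:[Guest Device Repository]:Device Role ID EQUALS 4", "guest-access")]
ENFORCEMENT = [("Tips:Role EQUALS guest-access", "Guest-WiFi Allow Profile")]  # hypothetical profile name

def mac_auth_endpoints_only() -> Service:
    return Service(["Endpoints Repository"], ROLE_MAPPINGS, ENFORCEMENT)

def mac_auth_with_guest_repo() -> Service:
    return Service(["Endpoints Repository", "Guest Device Repository"], ROLE_MAPPINGS, ENFORCEMENT)

if __name__ == "__main__":
    for svc in (mac_auth_endpoints_only(), mac_auth_with_guest_repo()):
        print(svc.authorization_sources, "->", resolve(svc, "00-11-22-33-44-55"))
```

Running it prints the fallback role and default profile for the Endpoints-only service and guest-access with the allow profile once the Guest Device Repository is added; the MAC is deliberately looked up in a different separator format from the one stored, which is the same mismatch that makes searching Access Tracker by username instead of host MAC so misleading.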
Original Message:
Sent: May 23, 2022 11:15 AM
From: nathan millward
Subject: Devices that can't register via captive portal
Thanks James.
To answer something from cjoseph earlier first: the WEBAUTH REJECT was a red herring because I was searching the Access Tracker on username, when I should have been using host MAC. I thought the host MAC was being used as the username, but for the MAC Auth service that's not the case.
So I can now see that I do hit the Device MAC Auth policy element of the overall Guest-Wifi captive portal process:

But the role being given is not the role I assigned to the device in the csv upload.
So to your comments James, I used the MAC Caching template. I think I should be OK simply using the existing role (Guest-WiFi).
Even though the endpoint is known, the MAC Auth service defaults to the logon role, unless the conditions are met for [MAC Caching].

So does it stack up that I should be able to add a third condition here, ahead of the current condition 2, to make the CSV upload work?

I'll see if I can figure this condition out.
------------------------------
nathan millward
Original Message:
Sent: May 22, 2022 11:03 PM
From: James Andrewartha
Subject: Devices that can't register via captive portal
Which service template did you use? The "Guest Authentication with MAC Caching" service template doesn't allow for what you want. You need to either edit it (which I have done, including adding a new device role for this sort of device) or just add a new service based on the "Device MAC Authentication" template. I'm not sure on how the two would interact though.
------------------------------
James Andrewartha
Original Message:
Sent: May 20, 2022 10:24 AM
From: nathan millward
Subject: Devices that can't register via captive portal
I have a new ClearPass captive portal self-registration with self-sponsorship Guest-WiFi service configured. It's not been a pain-free process, but it now works.
When a client first connects they are given a guest-logon role; they complete the form, submit, get a new guest-access role with internet access, and have 5 mins to click the link in their email to sponsor themselves to upgrade from 5 mins of web access to 24 hours of web access. So far so good.
Where I'm stuck is with devices that I need to register to this WiFi service (because they're not 802.1X compliant for our main WLAN). I just can't get my head round how to upload these devices so that they just connect and don't expire. In the device upload CSV file I've set the guest-access role, but that doesn't work. I've created a sponsorship user and allocated the guest-access role, but still no good. Each attempt sees me hit with the WEBAUTH REJECT message, even though the device I'm testing with is known.
Anyone got any ideas on what I'm missing?
Thanks
Nathan
Edit: I think I'm starting to grasp why I might need a new role in CP, as you've done James, but link that to the existing role on the controller.
------------------------------
nathan millward
------------------------------