Wireless Access

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

are these guest users have their accounts in ClearPass guest? if so are these account active and enabled?
is the access tracker that mentions "access denied by policy" from the MAC caching service?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Thanks for your reply  @ariyap

Thank you for responding.
Where can I look if an account's guest has a pass?
Where can I look if the caching services access policy is deny?
​
Original Message:
Sent: Jan 19, 2023 05:17 PM
From: ariyap
Subject: Mobile Guest SSID not conexion

are these guest users have their accounts in ClearPass guest? if so are these account active and enabled?
is the access tracker that mentions "access denied by policy" from the MAC caching service?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi, I recommend you to check 2 things:

1.- In the enforcement policy there is a rule for no more than 2 phones, if the person uses the same user, then a 3rd or 4th device won't be allowed

2,. Probably not related but definitely to fix is that the https clearpass certificate has expired. If Clearpass is hosting the captive portal a lot of devices won't connect.

I  hope this helps
Original Message:
Sent: Jan 20, 2023 03:36 AM
From: athan
Subject: Mobile Guest SSID not conexion

Thanks for your reply  @ariyap

Thank you for responding.
Where can I look if an account's guest has a pass?
Where can I look if the caching services access policy is deny?
​
Original Message:
Sent: Jan 19, 2023 05:17 PM
From: ariyap
Subject: Mobile Guest SSID not conexion

are these guest users have their accounts in ClearPass guest? if so are these account active and enabled?
is the access tracker that mentions "access denied by policy" from the MAC caching service?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @ulises.cazares I appreciate your response.


Concerning point 1,


You must be referring to this, I assume:



So i want to understand this values is not forr default , the meaning is if the user uses the same user in more two phone it will be deneged the acces , isent it ?

Another question , how I can see the user guest account ?


Regardin pomt 2

why a lot off device will not cobnnect , do you mean some device are able to coonect ansd others no ? why some yes and some not
Original Message:
Sent: Jan 20, 2023 07:23 AM
From: ulises.cazares
Subject: Mobile Guest SSID not conexion

Hi, I recommend you to check 2 things:

1.- In the enforcement policy there is a rule for no more than 2 phones, if the person uses the same user, then a 3rd or 4th device won't be allowed

2,. Probably not related but definitely to fix is that the https clearpass certificate has expired. If Clearpass is hosting the captive portal a lot of devices won't connect.

I  hope this helps
Original Message:
Sent: Jan 20, 2023 03:36 AM
From: athan
Subject: Mobile Guest SSID not conexion

Thanks for your reply  @ariyap

Thank you for responding.
Where can I look if an account's guest has a pass?
Where can I look if the caching services access policy is deny?
​
Original Message:
Sent: Jan 19, 2023 05:17 PM
From: ariyap
Subject: Mobile Guest SSID not conexion

are these guest users have their accounts in ClearPass guest? if so are these account active and enabled?
is the access tracker that mentions "access denied by policy" from the MAC caching service?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @athan:

1.- Yes that's the rule. You con go to the guest module and see the user here:

​2.- With the https certificate expired some endpoints (mobile phones and other types of client devices) won't even show the landind page. You need a valid and trusted(by the endpoints) cert installed as the https clearpass certificate. I think this is the first thing you need to resolve


I hope this helps.
Original Message:
Sent: Jan 23, 2023 02:31 AM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @ulises.cazares I appreciate your response.


Concerning point 1,


You must be referring to this, I assume:



So i want to understand this values is not forr default , the meaning is if the user uses the same user in more two phone it will be deneged the acces , isent it ?

Another question , how I can see the user guest account ?


Regardin pomt 2

why a lot off device will not cobnnect , do you mean some device are able to coonect ansd others no ? why some yes and some not
Original Message:
Sent: Jan 20, 2023 07:23 AM
From: ulises.cazares
Subject: Mobile Guest SSID not conexion

Hi, I recommend you to check 2 things:

1.- In the enforcement policy there is a rule for no more than 2 phones, if the person uses the same user, then a 3rd or 4th device won't be allowed

2,. Probably not related but definitely to fix is that the https clearpass certificate has expired. If Clearpass is hosting the captive portal a lot of devices won't connect.

I  hope this helps
Original Message:
Sent: Jan 20, 2023 03:36 AM
From: athan
Subject: Mobile Guest SSID not conexion

Thanks for your reply  @ariyap

Thank you for responding.
Where can I look if an account's guest has a pass?
Where can I look if the caching services access policy is deny?
​
Original Message:
Sent: Jan 19, 2023 05:17 PM
From: ariyap
Subject: Mobile Guest SSID not conexion

are these guest users have their accounts in ClearPass guest? if so are these account active and enabled?
is the access tracker that mentions "access denied by policy" from the MAC caching service?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @ulises.cazares
​

I'm looking where you have mencinend, but, for instance, he has a user connected, and I see caducado in red, which I don't understand the red message

On the other hand, with relation to point 2.


Why are they able to connect with select users over others?


Thanks a lot off

Original Message:
Sent: Jan 23, 2023 08:59 AM
From: ulises.cazares
Subject: Mobile Guest SSID not conexion

Hi @athan:

1.- Yes that's the rule. You con go to the guest module and see the user here:

​2.- With the https certificate expired some endpoints (mobile phones and other types of client devices) won't even show the landind page. You need a valid and trusted(by the endpoints) cert installed as the https clearpass certificate. I think this is the first thing you need to resolve


I hope this helps.
Original Message:
Sent: Jan 23, 2023 02:31 AM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @ulises.cazares I appreciate your response.


Concerning point 1,


You must be referring to this, I assume:



So i want to understand this values is not forr default , the meaning is if the user uses the same user in more two phone it will be deneged the acces , isent it ?

Another question , how I can see the user guest account ?


Regardin pomt 2

why a lot off device will not cobnnect , do you mean some device are able to coonect ansd others no ? why some yes and some not
Original Message:
Sent: Jan 20, 2023 07:23 AM
From: ulises.cazares
Subject: Mobile Guest SSID not conexion

Hi, I recommend you to check 2 things:

1.- In the enforcement policy there is a rule for no more than 2 phones, if the person uses the same user, then a 3rd or 4th device won't be allowed

2,. Probably not related but definitely to fix is that the https clearpass certificate has expired. If Clearpass is hosting the captive portal a lot of devices won't connect.

I  hope this helps
Original Message:
Sent: Jan 20, 2023 03:36 AM
From: athan
Subject: Mobile Guest SSID not conexion

Thanks for your reply  @ariyap

Thank you for responding.
Where can I look if an account's guest has a pass?
Where can I look if the caching services access policy is deny?
​
Original Message:
Sent: Jan 19, 2023 05:17 PM
From: ariyap
Subject: Mobile Guest SSID not conexion

are these guest users have their accounts in ClearPass guest? if so are these account active and enabled?
is the access tracker that mentions "access denied by policy" from the MAC caching service?

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi athan,

the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

The question is whether the user gets the ClearPass landing page displayed?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @lord 

I appreciate your explanation.
I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentification role.

There is a WLC is the destination of a redirect.The issue is that people cannot access the protal .









​​
Original Message:
Sent: Jan 23, 2023 07:45 AM
From: lord
Subject: Mobile Guest SSID not conexion

Hi athan,

the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

The question is whether the user gets the ClearPass landing page displayed?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @athan,

I just see that you are using a Cisco WLC, is it correct?
If so you can't use the enforcement profile, I see that you used the wizard. The wizard builds everything for an Aruba controller and use Aruba VSA "Aruba-User-Role". Your Cisco WLC doesn't understand this stuff - except for the reject :) You have to build the enforcement profile manually.

See here, there was already a discussion about guest WLAN with ClearPass and Cisco WLC.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=44230#

The Youtube video also looks good, https://www.youtube.com/watch?v=cItKxgIjbRY

Do you have access to Arubapedia for Partners?
Here you can download a ClearPass backup. restore in the lab. In the config are many examples, among others also for Cisco guest wlan with clearpass.

https://afp.arubanetworks.com/afp/index.php/Archive:ClearPass_Canned_POC_Kit
------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Jan 23, 2023 11:55 AM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @lord

I appreciate your explanation.
I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentification role.

There is a WLC is the destination of a redirect.The issue is that people cannot access the protal .









​​
Original Message:
Sent: Jan 23, 2023 07:45 AM
From: lord
Subject: Mobile Guest SSID not conexion

Hi athan,

the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

The question is whether the user gets the ClearPass landing page displayed?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @lord 
I want to thoroughly comprehend all you say regarding Enforcement Proficiency and Wizzard because Clear Pass is a system that I am incredibly unfamiliar with.


This guy's setup is comparable to that of my client:


https://www.youtube.com/watch?v=cgL40TtIK4Y

I don't know why some computers and mobile devices can access but most of them don't need to see the portal.
It was effective in the past.


I believe the setting is OK, but there is one area where I keep getting errors, possibly related to the clear pass new mobile policy.


Tell me what you need to know to be able to identify the potential problem. some specific test ??
​
Original Message:
Sent: Jan 23, 2023 12:32 PM
From: lord
Subject: Mobile Guest SSID not conexion

Hi @athan,

I just see that you are using a Cisco WLC, is it correct?
If so you can't use the enforcement profile, I see that you used the wizard. The wizard builds everything for an Aruba controller and use Aruba VSA "Aruba-User-Role". Your Cisco WLC doesn't understand this stuff - except for the reject :) You have to build the enforcement profile manually.

See here, there was already a discussion about guest WLAN with ClearPass and Cisco WLC.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=44230#

The Youtube video also looks good, https://www.youtube.com/watch?v=cItKxgIjbRY

Do you have access to Arubapedia for Partners?
Here you can download a ClearPass backup. restore in the lab. In the config are many examples, among others also for Cisco guest wlan with clearpass.

https://afp.arubanetworks.com/afp/index.php/Archive:ClearPass_Canned_POC_Kit
------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 23, 2023 11:55 AM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @lord

I appreciate your explanation.
I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentification role.

There is a WLC is the destination of a redirect.The issue is that people cannot access the protal .









​​
Original Message:
Sent: Jan 23, 2023 07:45 AM
From: lord
Subject: Mobile Guest SSID not conexion

Hi athan,

the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

The question is whether the user gets the ClearPass landing page displayed?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @athan,

i think it's cool that you want to learn more about ClearPass. Maybe one day you will configure only ClearPass and Aruba devices ;))

I try to explain the basic things for better understanding.

You have run the wizard for "Guest Authentication with MAC Caching", after that 2 services were created.

The service "GUEST_COR MAC Authentication" does mac-address authentication for devices, the service "GUEST_COR User Authentication with MAC Caching" does user authentication.

If authentication is successful, the service "GUEST_COR User Authentication with MAC Caching" allows wifi access and stores "Guest-User-Name" and "MAC-Auth Expiry" in the endpoint. This data can be checked during the next mac-address authentication. If the "Guest-User-Name" is enabled and not expired and "MAC-Auth Expiry" is not reached yet, the access will be enabled immediately, the user will not be redirected to the captive portal.

ClearPass creates endpoints automatically with each authentication attempt. If a device has never logged in via the ClearPass server, there is no endpoint with its MAC address.
The "GUEST_COR MAC Authentication" wants to check if the guest user is enabled and not expired and if "MAC-Auth Expiry" is already reached. But the endpoint with the mac-address does not exist yet. ClearPass cannot execute the SQL statement and cannot read the attributes AccountExpired and AccountEnabled. The Policy Server reports this with the error message (marked red).
The RADIUS server reports that it has not found the user in the endpoints repository - because the endpoint with the MAC address does not exist yet (marked purple). Because of these 2 messages the alarm tab is displayed in the access tracker. But these errors are not the reason for the reject. In the "Error Message" you see that "Access denied by policy" is (marked green). The enforcement policy forbids the access in this constellation.


You have not posted a role mapping policy, but the wizard creates the following mapping.
AccountExpired and AccountEnabled do not exist, so the tips role [MAC Caching] is not set (marked red).
The "Guest Role ID" does not exist, therefore the tips roles [Contractor], [Guest] and [Employee] cannot be set either (marked purple). None of the 4 conditions match, therefore the role mapping policy sets the default role [Other].

In the enforcement policy there are 2 conditions. The first condition checks if the tips roles [MAC Caching] and [Guest] and [User Authenticated] are set. But they are not (marked red).
The second condition checks if the tips roles [Guest] or [Contractor] or [Employee] are set. But they are not (marked purple).
It does not match any condition, but the enforcement policy uses the default profile [Deny Access Profile] (marked green).


The mac-address authentication has also not failed, although the endpoint with the mac-address does not exist yet.

Your service uses [Allow All MAC AUTH] (marked green) as Authentication Methods and authenticates against the [Endpoints Repository] (marked green). Basically anonymous mac-address authentication is performed, regardless of whether the mac-address exists or not the authentication is always successful.

This is the ware reason for the reject.

The question now is how to set everything up so that it works.

The wizard must have created the profile "GUEST_COR Captive Portal Profile". Depending on what you have selected in the wizard, Aruba user role or filter ID or untagged VLAN is configured there. Remove all attributes there and put in the following:


More details are in this Cisco article: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html
In der der redirect url muss du noch den pagename von der landing page ersetzen, wie z.B. /guest/xxxxxxx.php.
Now you have to edit the "GUEST_COR MAC Authentication Enforcement Policy", namely set the enforcement profile "GUEST_COR Captive Portal Profile" as default profile.


If no condition matched, this profile is now used. No reject but an accept with redirection to captive portal is used. At the same time, an ALC is enabled on the WLC so that not autenticated guests can only reach the ClearPass server.

You write that some devices do not need to see the portal. In this case you can create a guest device for these devices. If you set "Account Role" to [Guest], you don't have to adjust anything in rolemapping and enforcement. You just have to add the [Guest Device Repository] as an authorization source in the "GUEST_COR MAC Authentication" service.







------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Jan 23, 2023 05:30 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @lord
I want to thoroughly comprehend all you say regarding Enforcement Proficiency and Wizzard because Clear Pass is a system that I am incredibly unfamiliar with.


This guy's setup is comparable to that of my client:


https://www.youtube.com/watch?v=cgL40TtIK4Y

I don't know why some computers and mobile devices can access but most of them don't need to see the portal.
It was effective in the past.


I believe the setting is OK, but there is one area where I keep getting errors, possibly related to the clear pass new mobile policy.


Tell me what you need to know to be able to identify the potential problem. some specific test ??
​
Original Message:
Sent: Jan 23, 2023 12:32 PM
From: lord
Subject: Mobile Guest SSID not conexion

Hi @athan,

I just see that you are using a Cisco WLC, is it correct?
If so you can't use the enforcement profile, I see that you used the wizard. The wizard builds everything for an Aruba controller and use Aruba VSA "Aruba-User-Role". Your Cisco WLC doesn't understand this stuff - except for the reject :) You have to build the enforcement profile manually.

See here, there was already a discussion about guest WLAN with ClearPass and Cisco WLC.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=44230#

The Youtube video also looks good, https://www.youtube.com/watch?v=cItKxgIjbRY

Do you have access to Arubapedia for Partners?
Here you can download a ClearPass backup. restore in the lab. In the config are many examples, among others also for Cisco guest wlan with clearpass.

https://afp.arubanetworks.com/afp/index.php/Archive:ClearPass_Canned_POC_Kit
------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 23, 2023 11:55 AM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @lord

I appreciate your explanation.
I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentification role.

There is a WLC is the destination of a redirect.The issue is that people cannot access the protal .









​​
Original Message:
Sent: Jan 23, 2023 07:45 AM
From: lord
Subject: Mobile Guest SSID not conexion

Hi athan,

the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

The question is whether the user gets the ClearPass landing page displayed?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.

Hi @lord

Thank you for your response; I apologize for not responding earlier but I needed to read the message at least three times to fully get it.
I want to express my gratitude because I am very thrilled by your explanation.


Regarding your explanation, although the colleague setup wasn't ideal, it did the job. I'm just waiting for my customer to post the certificate to the WLC.


Currently, my client are still experiencing issues. It may have been related to the certificate in the Cisco WLC, which is required when using a WLC.
The present clear pass configuration was completed for a colleague mine seven months ago, and it worked flawlessly. For this reason, two days ago when I called him, he informed me that the certificate on the WLC was the issue.



​
Original Message:
Sent: Jan 24, 2023 07:47 PM
From: lord
Subject: Mobile Guest SSID not conexion

Hi @athan,

i think it's cool that you want to learn more about ClearPass. Maybe one day you will configure only ClearPass and Aruba devices ;))

I try to explain the basic things for better understanding.

You have run the wizard for "Guest Authentication with MAC Caching", after that 2 services were created.

The service "GUEST_COR MAC Authentication" does mac-address authentication for devices, the service "GUEST_COR User Authentication with MAC Caching" does user authentication.

If authentication is successful, the service "GUEST_COR User Authentication with MAC Caching" allows wifi access and stores "Guest-User-Name" and "MAC-Auth Expiry" in the endpoint. This data can be checked during the next mac-address authentication. If the "Guest-User-Name" is enabled and not expired and "MAC-Auth Expiry" is not reached yet, the access will be enabled immediately, the user will not be redirected to the captive portal.

ClearPass creates endpoints automatically with each authentication attempt. If a device has never logged in via the ClearPass server, there is no endpoint with its MAC address.
The "GUEST_COR MAC Authentication" wants to check if the guest user is enabled and not expired and if "MAC-Auth Expiry" is already reached. But the endpoint with the mac-address does not exist yet. ClearPass cannot execute the SQL statement and cannot read the attributes AccountExpired and AccountEnabled. The Policy Server reports this with the error message (marked red).
The RADIUS server reports that it has not found the user in the endpoints repository - because the endpoint with the MAC address does not exist yet (marked purple). Because of these 2 messages the alarm tab is displayed in the access tracker. But these errors are not the reason for the reject. In the "Error Message" you see that "Access denied by policy" is (marked green). The enforcement policy forbids the access in this constellation.


You have not posted a role mapping policy, but the wizard creates the following mapping.
AccountExpired and AccountEnabled do not exist, so the tips role [MAC Caching] is not set (marked red).
The "Guest Role ID" does not exist, therefore the tips roles [Contractor], [Guest] and [Employee] cannot be set either (marked purple). None of the 4 conditions match, therefore the role mapping policy sets the default role [Other].

In the enforcement policy there are 2 conditions. The first condition checks if the tips roles [MAC Caching] and [Guest] and [User Authenticated] are set. But they are not (marked red).
The second condition checks if the tips roles [Guest] or [Contractor] or [Employee] are set. But they are not (marked purple).
It does not match any condition, but the enforcement policy uses the default profile [Deny Access Profile] (marked green).


The mac-address authentication has also not failed, although the endpoint with the mac-address does not exist yet.

Your service uses [Allow All MAC AUTH] (marked green) as Authentication Methods and authenticates against the [Endpoints Repository] (marked green). Basically anonymous mac-address authentication is performed, regardless of whether the mac-address exists or not the authentication is always successful.

This is the ware reason for the reject.

The question now is how to set everything up so that it works.

The wizard must have created the profile "GUEST_COR Captive Portal Profile". Depending on what you have selected in the wizard, Aruba user role or filter ID or untagged VLAN is configured there. Remove all attributes there and put in the following:


More details are in this Cisco article: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217931-configure-9800-wlc-and-aruba-clearpass.html
In der der redirect url muss du noch den pagename von der landing page ersetzen, wie z.B. /guest/xxxxxxx.php.
Now you have to edit the "GUEST_COR MAC Authentication Enforcement Policy", namely set the enforcement profile "GUEST_COR Captive Portal Profile" as default profile.


If no condition matched, this profile is now used. No reject but an accept with redirection to captive portal is used. At the same time, an ALC is enabled on the WLC so that not autenticated guests can only reach the ClearPass server.

You write that some devices do not need to see the portal. In this case you can create a guest device for these devices. If you set "Account Role" to [Guest], you don't have to adjust anything in rolemapping and enforcement. You just have to add the [Guest Device Repository] as an authorization source in the "GUEST_COR MAC Authentication" service.







------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 23, 2023 05:30 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @lord
I want to thoroughly comprehend all you say regarding Enforcement Proficiency and Wizzard because Clear Pass is a system that I am incredibly unfamiliar with.


This guy's setup is comparable to that of my client:


https://www.youtube.com/watch?v=cgL40TtIK4Y

I don't know why some computers and mobile devices can access but most of them don't need to see the portal.
It was effective in the past.


I believe the setting is OK, but there is one area where I keep getting errors, possibly related to the clear pass new mobile policy.


Tell me what you need to know to be able to identify the potential problem. some specific test ??
​
Original Message:
Sent: Jan 23, 2023 12:32 PM
From: lord
Subject: Mobile Guest SSID not conexion

Hi @athan,

I just see that you are using a Cisco WLC, is it correct?
If so you can't use the enforcement profile, I see that you used the wizard. The wizard builds everything for an Aruba controller and use Aruba VSA "Aruba-User-Role". Your Cisco WLC doesn't understand this stuff - except for the reject :) You have to build the enforcement profile manually.

See here, there was already a discussion about guest WLAN with ClearPass and Cisco WLC.
https://community.arubanetworks.com/community-home/digestviewer/viewthread?MID=44230#

The Youtube video also looks good, https://www.youtube.com/watch?v=cItKxgIjbRY

Do you have access to Arubapedia for Partners?
Here you can download a ClearPass backup. restore in the lab. In the config are many examples, among others also for Cisco guest wlan with clearpass.

https://afp.arubanetworks.com/afp/index.php/Archive:ClearPass_Canned_POC_Kit
------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 23, 2023 11:55 AM
From: athan
Subject: Mobile Guest SSID not conexion

Hi @lord

I appreciate your explanation.
I'm trying to figure out how it was possible for a new user to connect with the person who has the preauthentification role.

There is a WLC is the destination of a redirect.The issue is that people cannot access the protal .









​​
Original Message:
Sent: Jan 23, 2023 07:45 AM
From: lord
Subject: Mobile Guest SSID not conexion

Hi athan,

the output from the access tracker means that there is no endpoint for the phone yet. It is normal and always happens when a device connects to your guest wifi for the first time.

The SQL statement uses as WHERE condition an attribute from the endpoint. But the endpoint does not exist yet. The SQL statement does not return attributes for AccountEnable and AccountExpired. The policy server logs it as alarm.

The Radius server does not find the user in the endpoint repository and also reports it as an alarm.

The MAC-Auth failed, the ClearPass Server sends a reject to the controller. The user is connected to the WLAN and remains in the preauthenticated role. In this role there must be a captive portal profile and the user must be redirected to the ClearPass landing page.

The question is whether the user gets the ClearPass landing page displayed?

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACA - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution

Original Message:
Sent: Jan 19, 2023 04:51 PM
From: athan
Subject: Mobile Guest SSID not conexion

Hello, I just had a case where one of my clients couldn't connect their phone.
He told me that when the clear pass was announced, they were working the mobile currently he has at least 3 phone guests were registered.
While performing a test mobile to connect SSID guests, I encountered this issue.
I'll show you some images of my clients' setup.