Security

Hi All,

apologies if this has already been discussed before but I cant seem to find the answer that I am looking for.

I am trying to configure Guest access with MAC caching on Clearpass in my home lab. Clearpass version 6.10 and running a virtual controller on version 8.10.0.9.

I am self taught with Clearpass using the fundamentals guide and labs, along with the Clearpass Workshop YouTube guides.

I have configured a guest WLAN, the self registration page and also used the template wizard to create the services and other parts for "guest authentication with MAC caching".

I am using self signed certificates so I have checked to use HTTP within the authentication profile on the controller for now.

I receive the self registration page on my devices and able to enter my details fine. Once I receive the receipt and click the login button the device is disconnected and I receive the below alert within the access tracker of Clearpass...

might anyone be able to point me in the right direction to help troubleshoot?

TIA and again apologies if this has been asked before and whether I should be providing more details.

Regards

Hi

I suppose this error message is from the web login service, do you have the Guest User Repository as authentication source in the service? The error message is [Endpoints Repository] - localhost: User not found, and the Endpoints Repository doesn't have guest users, only MAC addresses. During the MAC authentication the Endpoints repository will be the authentication source.

Can you provide screenshots of both guest services and also the Summary tab of the Access Tracker record?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Hi Jonas,

Thank you for your reply - it is much appreciated.

The Guest User Repository is the authentication source for the MAC caching service, but it is the Endpoint Repository for the MAC authentication service shown below...

Please ignore the hit counts on the services - This morning I connected to a different guest portal / service that I have running and then when I reconnected I then hit the MAC caching service.

For this particular issue that I am referring to, I hit the "Guest-SR MAC authentication" service.

Regards

Original Message:
Sent: Jan 11, 2024 02:49 PM
From: jonas.hammarback
Subject: Clearpass - Guest Self Registration with MAC Caching Issue

Hi

I suppose this error message is from the web login service, do you have the Guest User Repository as authentication source in the service? The error message is [Endpoints Repository] - localhost: User not found, and the Endpoints Repository doesn't have guest users, only MAC addresses. During the MAC authentication the Endpoints repository will be the authentication source.

Can you provide screenshots of both guest services and also the Summary tab of the Access Tracker record?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Hi

When you click Log In you will submit your credentials to the controller/virtual controller, and this device will send a Radius request for authentication to ClearPass. Check this old tread describing the guest authentication flow:

https://community.arubanetworks.com/discussion/process-of-captive-portal-authentication-with-clearpass-guest-1

Have you configured your self registration page to do pre-auth check? In this case you need to have a service to handle this pre-auth check depending on the type of check you are sending.

Do you get any other messages in the Access Tracker. The MAC auth request should not be sent then you try to log in with the guest account.

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: Jan 12, 2024 04:32 AM
From: a.campbell
Subject: Clearpass - Guest Self Registration with MAC Caching Issue

Hi Jonas,

Thank you for your reply - it is much appreciated.

The Guest User Repository is the authentication source for the MAC caching service, but it is the Endpoint Repository for the MAC authentication service shown below...

Please ignore the hit counts on the services - This morning I connected to a different guest portal / service that I have running and then when I reconnected I then hit the MAC caching service.

For this particular issue that I am referring to, I hit the "Guest-SR MAC authentication" service.

Regards

Original Message:
Sent: Jan 11, 2024 02:49 PM
From: jonas.hammarback
Subject: Clearpass - Guest Self Registration with MAC Caching Issue

Hi

I suppose this error message is from the web login service, do you have the Guest User Repository as authentication source in the service? The error message is [Endpoints Repository] - localhost: User not found, and the Endpoints Repository doesn't have guest users, only MAC addresses. During the MAC authentication the Endpoints repository will be the authentication source.

Can you provide screenshots of both guest services and also the Summary tab of the Access Tracker record?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution

Hi Jonas,

thank you for this information.

I have now managed to get it working!

I changed the address within the self registration to the IP of the controller instead of "securelogin.arubanetworks.com".

I had done this before put had no luck - maybe it needed some time to take effect and I was just being impatient!

I will also make the change for pre-auth checks to "Local" as per your suggestion and see how that gets on.

Thank you again for your time Jonas and I will keep you posted how things go whilst testing over the next couple of days!

Original Message:
Sent: Jan 12, 2024 06:35 AM
From: jonas.hammarback
Subject: Clearpass - Guest Self Registration with MAC Caching Issue

Hi

When you click Log In you will submit your credentials to the controller/virtual controller, and this device will send a Radius request for authentication to ClearPass. Check this old tread describing the guest authentication flow:

https://community.arubanetworks.com/discussion/process-of-captive-portal-authentication-with-clearpass-guest-1

Have you configured your self registration page to do pre-auth check? In this case you need to have a service to handle this pre-auth check depending on the type of check you are sending.

Do you get any other messages in the Access Tracker. The MAC auth request should not be sent then you try to log in with the guest account.

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------


Original Message:
Sent: Jan 12, 2024 04:32 AM
From: a.campbell
Subject: Clearpass - Guest Self Registration with MAC Caching Issue

Hi Jonas,

Thank you for your reply - it is much appreciated.

The Guest User Repository is the authentication source for the MAC caching service, but it is the Endpoint Repository for the MAC authentication service shown below...

Please ignore the hit counts on the services - This morning I connected to a different guest portal / service that I have running and then when I reconnected I then hit the MAC caching service.

For this particular issue that I am referring to, I hit the "Guest-SR MAC authentication" service.

Regards

Original Message:
Sent: Jan 11, 2024 02:49 PM
From: jonas.hammarback
Subject: Clearpass - Guest Self Registration with MAC Caching Issue

Hi

I suppose this error message is from the web login service, do you have the Guest User Repository as authentication source in the service? The error message is [Endpoints Repository] - localhost: User not found, and the Endpoints Repository doesn't have guest users, only MAC addresses. During the MAC authentication the Endpoints repository will be the authentication source.

Can you provide screenshots of both guest services and also the Summary tab of the Access Tracker record?

------------------------------
Best Regards
Jonas Hammarbäck
MVP 2023, ACEX, ACDX #1600, ACCX #1335, ACX-Network Security, Aruba SME, ACMP, ACSA
Aranya AB
If you find my answer useful, consider giving kudos and/or mark as solution