  • 1.  CPPM Downloadable Roles with Application Authentication

    Posted Nov 05, 2019 03:55 PM

    CPPM 6.7.12

    I'm setting up switch DUR for a wired guest authentication scenario.

     

    1. User is initially redirected to Web Login (App Auth service)

    2. User logs in and receives DUR. (Issue here)

    3. MAC-Cache moving forward with DUR.

     

    My issue is that Application Authentication services don't allow me to select a DUR enforcement profile.

     

    Q: Is this by design? 

     

    Q2: Is the correct way to accomplish this to use a RADIUS service instead?



  • 2.  RE: CPPM Downloadable Roles with Application Authentication
    Best Answer

    Posted Nov 05, 2019 04:57 PM

    For your first question, yes. You can't return RADIUS profiles unless you're using a RADIUS service.

    For your second question:

    What you could do is, once the user completes the captive portal, the enforcement profiles update the endpoint with specific attributes and perform a CoA to reauth the user.

    Then when the reauth happens, those new attributes that were assigned will cause them to get the correct DUR.

    Whether or not that is the correct way, I'll let someone with a little more ClearPass knowledge answer that.



  • 3.  RE: CPPM Downloadable Roles with Application Authentication

    Posted Nov 05, 2019 05:16 PM

    That was my suspicion. However, going through my ACCX lab material, all of the Guest-Wired stuff says to create an Application Service to handle the captive portal logins in conjunction with DURs.

     

    I should have trusted my instincts.



  • 4.  RE: CPPM Downloadable Roles with Application Authentication

    Posted Nov 05, 2019 05:38 PM

    It seems the best way is to use the Wired guide that @Tim keeps up to date. 

    1. Create WebLogin page

    2. Create WebAuth service since it is server-initiated.

    3. Update endpoint with MAC Caching attributes.

    4. MAC-Auth service to honor the set attributes, apply DUR.

     

    Training folks just need to update the guides.

    Thanks for the clarification, though.

     



  • 5.  RE: CPPM Downloadable Roles with Application Authentication

    Posted Aug 27, 2025 04:51 PM
    Hello, community.
     
    We are studying the possibility of configuring a ClearPass workflow for users trying to connect to SSID X but who do not yet have the OnGuard Agent installed.
     
    The idea would be as follows:
     
    The user connects to SSID X.
     
    ClearPass detects that the device does not have the Agent installed.
     
    The user is automatically redirected to a portal page, where the link to download and install the OnGuard Agent would be available.
     
    Is there a native way in ClearPass to configure this automatic download portal?
     
    Should this be done via a captive portal integrated with the posture service (Posture/OnGuard), or is there another recommended best practice?
     
    Has anyone in the community implemented this scenario and could share their experience or best practices?