
MAC Authentication and User Authentication with MAC Caching for Guest WLAN access


    Posted Aug 29, 2019 07:29 AM

    I'm trying to implement MAC Authentication and User Authentication with MAC Caching for Guest WLAN using ClearPass 6.8 and ArubaOS 8.5 Mobility Controllers, but so far I have been unsuccessful.

    My setup and configuration are relatively simple, with HA throughout, e.g., my ClearPass servers are virtual appliances deployed in a cluster, and my two Mobility Controllers (VMC1 and VMC2) are virtual appliances deployed in a Master Standby redundancy, with the active controller terminating all APs. VMC2 is the designated Master in my Master Standby Mobility Controller setup.

    For reference, I am using the Validated Reference Design (VRD) provided in the Mobile First Base Designs Lab for ArubaOS 8 guide, beginning on page 145, for configuring the Guest WLAN on the Mobility Controller. I am also using the same guide, beginning on page 156, for creating the services, Enforcement Profiles, Enforcement Policies, and Role Mapping Policies using the Guest Authentication with MAC Caching Wizard in ClearPass.

    My assumption is that MAC Authentication/User Authentication with MAC Caching should work for Guest WLAN access with unaltered service configuration if based on the VRD. However, this is not what I am experiencing: my first attempt to authenticate any client results in an authentication failure with error code 216, and then all subsequent authentications fail with error code 206.

    mac_authentication_fail_error_216_1.png
    mac_authentication_fail_error_216_2.png
    mac_authentication_fail_error_206_1.png

    If I alter the MAC Authentication service configuration and manually set the Default Profile in my MAC Authentication service to one of the Enforcement Profiles created by the Wizard, then ClearPass assigns my “guest-wifi” role and clients are able to access the Guest WLAN, bypass the guest portal access, and get access to the internet.

    So I know ClearPass is able to assign roles to my Mobility Controller for Guest WLAN, as seen below.

    default_profile_change_authentication_success1.png

    default_profile_change_authentication_success_mc.png

    I do not believe making that adjustment is what I am after if I plan to use the ClearPass Guest portal and MAC Authentication/User Authentication with MAC Caching, so any help would be greatly appreciated.

    Screenshots of the ClearPass service creation and guest registration follow.

    1. Service Creation

    guest-wifi_service-template1.png
    guest-wifi_service-template2.png
    guest-wifi_service-template3.png
    guest-wifi_service-template4.png
    guest-wifi_service-template5.png
    guest-wifi_service-template6a.png
    guest-wifi_service-template6b.png
    guest-wifi_mac_authentication_service1.png
    guest-wifi_mac_authentication_with_mac_caching_service1.png

    2. Guest Registration

    guest-registration1.png
    guest-registration2.png
    guest-registration3.png