  • 1.  Struggling with Guest auth with mac caching config

    Posted Oct 06, 2025 08:28 AM

    Dear Aruba Experts

    I am trying to configure Guest Auth with MAC Caching.

    The Aruba ClearPass built-in captive portal is configured as an external captive portal in my cnms.

    I am using an open SSID named hfclcppmguest.

     

    I have used the wizard "Guest Authentication with MAC Caching",

    using (1) vendor name IETF, (2) enforcement type Filter ID based enforcement, (3) Captive Portal Access name ClearPassCP for the filter ID, as my Captive Portal Profile name is ClearPassCP.

    I edited the generated services and policy to suit my requirement (my access point does not support ACLs).

    The setup does not work: redirection happens, but after entering credentials it lands back on the self-registration page.

     

    Service1

    and service2

    additional profiles configured




     

    My captive Portal profile is

    config portal 'ClearPassCP'
            option profile 'ClearPassCP'
            option portal_redirect '0'
            option captiveauth '3'
            option timeout '3600'
            option encryption '0'
            option authmode 'user'
            option cp_server_ip '192.168.180.12'
            option walled_garden '1'
            option https_logon '0'
            option cp_radius 'ClearPass'
            option cp_splash_url 'https://cppmnac.neotechhfcl.com/guest/hfcl_guest_registration_page.php?_browser=1'
            option wallg_urls '192.168.180.12,cppmnac.neotechhfcl.com'

     

    kindly help

     

    Thanks & Regards

    Avanindra Kumar Mishra

    7718822823

     HFCL Ltd, Gurugram

     

     



  • 2.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 06, 2025 04:15 PM

    Looks like you've got ClearPass telling the client to submit credentials back to the ClearPass page.  You need to set the "submit URL" based on whatever network equipment you are using.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 3.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 06, 2025 09:12 PM

    Dear Carson

    As per my understanding, I should add the URL of the self-registration page as the submit URL, where the user is required to enter the credential. The same page is configured as the splash URL in my Wi-Fi controller, where the Aruba guest registration page is added as the external captive portal. Kindly let me know if it is wrong and something else needs to be entered.


    My intention is: the first-time user must be redirected to the registration page, where he will get access after entering the credentials.


    Kindly advise me about the flaw in my setup; all the screenshots are available in the trailing communication.


    Thanks & Regards
    Avanindra Kumar Mishra
    7718822823
     HFCL Ltd, Gurugram







  • 4.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 06, 2025 09:30 PM

    Network device needs to know the URL to redirect the client device to for captive portal.  If you have that correct in the network device (NAS), then the redirect to the captive portal should work.

    For a custom captive portal configuration like you've chosen, the ClearPass captive portal configuration needs to know where to direct the client device to for credential submission, so that the client can submit credentials via HTTP/HTTPS to the NAS so that the NAS can then perform a RADIUS authentication.

    You can see this requirement in the form itself where the URL needed is that of the NAS.  The URL along with potential variables is going to be specific to the NAS, which on a custom configuration will need to be provided by the NAS vendor.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------



  • 5.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 07, 2025 01:24 AM

    You can refer to this video that goes through configuring ClearPass guest with MAC caching and Aruba Instant AP.

    Even if you are not using Aruba Instant AP, it should give you a good understanding of how to configure ClearPass.

    Aruba ClearPass Workshop (2021) - Guest Access #1 Aruba Instant Wireless Guest (getting started)



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 6.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 07, 2025 09:23 PM

    Dear Carson

    Thanks for the solution;

    I used https://14.14.157.94/login for the submit URL, and it worked. (14.14.157.94 is the IP of my access point.)

    Can I use a generic term like https://14.14.0.0/24/login, as there might be a number of APs in a real-life scenario?

     

     

    Thanks & Regards

    Avanindra Kumar Mishra

    HFCL Limited

    Gurugram, Haryana 122016

    Phone: M: +91 7718822823

    www.hfcl.com  |  www.ionetworks.in

     


     

     

     






  • 7.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 08, 2025 02:07 AM

    What AP vendor are you using?
    Generally it is always best to use an FQDN with HTTPS so that you don't get a warning/error, and that means the NADs should have a proper HTTPS server cert for captive portal purposes.



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------
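
    Added example, not part of the thread and not ClearPass or vendor code: a Python check showing how a URL parser reads the subnet-style submit URL asked about above, and flagging the address-literal and non-HTTPS cases the reply raises. The function name, the finding codes and the host `portal.example.net` are assumptions made for the illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def check_submit_url(url: str) -> dict[str, str]:
    """Return findings for a captive-portal submit URL, keyed by a short code.

    An empty dict means none of the checks fired.
    """
    findings: dict[str, str] = {}
    parts = urlsplit(url)
    host = parts.hostname or ""

    if parts.scheme != "https":
        findings["not-https"] = f"scheme is {parts.scheme!r}; credentials would not be sent over TLS"
    if not host:
        findings["no-host"] = "URL has no host component"
        return findings

    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return findings  # host is a name, not an address literal

    findings["ip-literal-host"] = (
        f"host {host} is an address literal; clients get a certificate "
        "warning unless the device certificate covers it"
    )
    # A URL names exactly one host. After an address literal, a leading
    # numeric path segment such as "/24" is just a path, not a prefix length.
    first_segment = parts.path.lstrip("/").split("/", 1)[0]
    if first_segment.isdigit() and int(first_segment) <= addr.max_prefixlen:
        findings["cidr-in-path"] = (
            f"'/{first_segment}' is parsed as part of the path {parts.path!r}; "
            f"the request still goes only to {host}"
        )
    return findings


if __name__ == "__main__":
    for sample in (
        "https://14.14.157.94/login",        # form that worked in the thread
        "https://14.14.0.0/24/login",        # subnet-style form asked about
        "http://portal.example.net/login",   # placeholder FQDN, plain HTTP
        "https://portal.example.net/login",  # placeholder FQDN over HTTPS
    ):
        print(sample, "->", sorted(check_submit_url(sample)) or "ok")
```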



  • 8.  RE: Struggling with Guest auth with mac caching config

    Posted Oct 08, 2025 11:50 AM

    There is a method to construct a custom URL for the submit, but I can't find my reference for that and I think ClearPass is counting on the device sending all of the relevant information over as variables in the captive portal redirect.  The "preferred" option would be for the network device to implement a generic method for the credential submission, for instance on HPE Aruba Networking devices we use a certificate on the device to set an FQDN for the purpose, Cisco wireless controllers use a specific IP address that can have a DNS mapping.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------