Generally, you don't have to set the role ID to 3 again in your enforcement profile if you have used the Service Templates - Guest Authentication with MAC Caching to build the two services.
The workflow should be as follows (assuming you have used the Service Templates - Guest Authentication with MAC Caching):
- A new guest self-registers and should match the mac-caching service, and by default the guest MAC Caching enforcement profile, along with other enforcement profiles, is applied.
- The guest MAC Caching enforcement profile updates the endpoint DB with username/roleid/mac-auth-expiry.
- The next time the guest user reauths, it'll match the MAC auth service, and its role-mapping policy will match the condition for the [MAC caching] and [Guest] roles.
- Then the enforcement policy will allow access if the user role is [guest] and [MAC caching]; otherwise it should have a rule to redirect to the captive portal.
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
Original Message:
Sent: Jul 25, 2025 10:41 AM
From: mshamseddine@connectit.ae
Subject: User not being redirected to captive portal after enforcing initial role - Aruba instant
Dear Herman, ariyap,
Please refer to the flow below:
- After the client submits the form, a RADIUS access request is sent by the AP including the email as username, thus hitting the user-authentication service. Please see the screenshot below from Access Tracker:

- At this point I received the sponsorship email and confirmed. I checked in the guest portal for the same account; the Role_ID is successfully overridden to employee (ID=3).
- After 5 min, which is the reauth interval configured on Aruba Instant, we receive a new RADIUS request, this time hitting the mac-auth service, as the username = MAC address.
The request here will match the second rule of the following profile.
The flow here is correct and the correct profile is being enforced (to update the endpoint role_id to 3); below is a screenshot:

Right after, I checked the endpoint attributes; the Role_ID was successfully changed to 3.
- Next, after 5 min, a new auth message is sent by the AP for the same client, but rather than matching the MAC-Caching role, it is again matching the second role, which is = update role to 3. Actually, all the conditions below are complied with, but it is still not matching:


And yes, we are using the endpoint, guest and time sources for authorization ...
Any insights into what might be the issue here? Thanks a lot!
Original Message:
Sent: Jul 21, 2025 07:38 AM
From: Herman Robers
Subject: User not being redirected to captive portal after enforcing initial role - Aruba instant
Do you have the [Time Source], [Endpoints Repository] and [Guest User Repository] added as authorization sources? If the role [MAC Caching] is not applied, then at least one of the conditions is not met. From Access Tracker you should be able to see each of the attributes and its value, then check whether it would match or not. If it's not clear which condition does not match, you could replicate the role mapping rule into some variants that check a subset to find out which condition is not matching. Once you know that, you can find a solution to the problem.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
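The check Herman describes above (testing the rule's conditions one at a time against the attributes Access Tracker shows) can be modelled offline. This is an added example, not part of the thread and not ClearPass code; the attribute names, operators and the sample snapshot are constructed assumptions.

```python
from datetime import datetime

# Constructed attribute snapshot, shaped like the input/computed attributes
# Access Tracker lists for one request. Names are assumptions for illustration,
# not copied from the thread's screenshots.
SNAPSHOT = {
    "Endpoint:Guest Role ID": "3",
    "GuestUser:AccountEnabled": "true",
    "GuestUser:AccountExpired": "false",
    "TimeSource:Now DT": "2025-07-25 10:41:00",
    # "Endpoint:MAC-Auth Expiry" is deliberately absent in this sample.
}

# Hypothetical "match ALL" role-mapping rule: (attribute, operator, value).
# A value written as %{name} refers to another attribute of the same request.
MAC_CACHING_RULE = [
    ("Endpoint:Guest Role ID", "EQUALS", "3"),
    ("GuestUser:AccountEnabled", "EQUALS", "true"),
    ("GuestUser:AccountExpired", "EQUALS", "false"),
    ("TimeSource:Now DT", "LESS_THAN_DT", "%{Endpoint:MAC-Auth Expiry}"),
]

def _dt(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def check(cond, attrs):
    """Evaluate one condition; return (matched, explanation)."""
    name, op, raw = cond
    actual = attrs.get(name)
    # Resolve %{...} references against the same attribute snapshot.
    expected = attrs.get(raw[2:-1]) if raw.startswith("%{") else raw
    if actual is None:
        return False, f"{name} is not present in the request"
    if expected is None:
        return False, f"{raw} is not present in the request"
    if op == "EQUALS":
        ok = actual == expected
    elif op == "LESS_THAN_DT":
        ok = _dt(actual) < _dt(expected)
    else:
        raise ValueError(f"unsupported operator {op}")
    return ok, f"{name}={actual!r} {op} {expected!r}"

def diagnose(rule, attrs):
    """Return the conditions that do not match; an empty list means the role applies."""
    failures = []
    for cond in rule:
        ok, why = check(cond, attrs)
        if not ok:
            failures.append((cond[0], why))
    return failures
```

A missing attribute is reported separately from a value mismatch, which distinguishes "authorization source not attached or attribute never written" from "attribute present but wrong".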
Original Message:
Sent: Jul 18, 2025 09:30 AM
From: mshamseddine@connectit.ae
Subject: User not being redirected to captive portal after enforcing initial role - Aruba instant
Thanks Herman & chulcher,
I created the preauth role and enforced the same from ClearPass; now it is working fine!
But I'm running into a different issue I just noticed: after the user's email confirmation, the role_ID is being updated to 3 correctly in the endpoint database of that user. But when reauthentication happens (after 5 minutes), the user is not matching the role mapping of [Mac Caching], which is as per the below:

As per the existing endpoint details, the role ID is 3, and the account is enabled and not expired, yet it is not matching this condition, rather always hitting condition #2 in the enforcement profile, which is allow-access and update role to 3. The same is happening while the user is continuously connected and reauth is happening every 5 min.
Any ideas what might be the issue?
Original Message:
Sent: Jul 17, 2025 11:13 AM
From: chulcher
Subject: User not being redirected to captive portal after enforcing initial role - Aruba instant
Any modern workflow for captive portal, especially one where you want to enable Enhanced Open with MAC caching, requires using the pre-auth role so that the captive portal is being enforced at the role rather than the WLAN. Note, if you configure the WLAN as "employee" rather than "guest", then you have complete control over everything using the roles (including pre-auth) rather than the very old method of forcing captive portal behavior at the WLAN.
------------------------------
Carson Hulcher, ACEX#110
Original Message:
Sent: Jul 16, 2025 12:27 PM
From: mshamseddine@connectit.ae
Subject: User not being redirected to captive portal after enforcing initial role - Aruba instant
Hello Team,
I'm trying to configure an email-authentication, captive-portal-based SSID where the guest will self-sponsor his account via email. I'm following this tech note:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US
The logic is as follows:
- The guest should submit the captive portal form.
- He gets connected (the RADIUS request will hit the MAC caching service), where he'll receive the email confirmation and his endpoint entry will be updated to known in ClearPass.
- If confirmed, his role will be overridden to employee (role ID = 3); if not, it will stay guest (Role ID = 2).
- Leveraging the reauth interval in the SSID settings in Instant (we set it to 5 min), after 5 min the client will be reauthenticated and a new RADIUS access request will hit the mac auth. service (username equals MAC address). The enforcement profile config is as below.
My issue is in the last condition: in case the guest didn't confirm his account, his endpoint is being updated to unknown and then he is being enforced with the CaptivePortalRole, but he is still connected normally without being redirected to the page. I'm wondering how this should work in Instant, as in the roles we aren't specifying the captive portal as we do in the controller-based role.
Appreciate your insights!
Thanks,