Aruba Clearpass - How to configure the Cisco WLC for Guest and MAC Caching by Ulises Cázares

This is a step-by-step guide to configuring an SSID on a working Cisco WLC (8.10) for Guest Authentication and MAC Caching using Aruba Clearpass.

General Steps (this guide assumes you have correctly configured the Clearpass side)

  1. Create an Authentication Server (The secret is the same as the one configured in Clearpass)
  2. Create an Accounting Server (The secret is the same as the one configured in Clearpass)
  3. Configure the WebAuth login Page (use the guest login page configured in Clearpass)
  4. Make sure the Web Auth Certificate points to the virtual IP in the WLC
  5. Create the FlexConnect Access List (or IPv4)
  6. Make sure WebAuth SecureWeb is enabled
  7. Configure the SSID with the appropriate settings

 

1.- Create an Authentication Server


2.- Create an Accounting Server


3.- Configure the WebAuth login Page (in this example it is guest.demo-clearpass.net/cisco_login.php)

Note.- To avoid security warnings on the connecting devices, install the appropriate certificate in Clearpass with the CN or SAN matching the host part of the URL used here.

 

4.- Make sure the Web Auth Certificate points to the virtual IP in the WLC

 

 

5.- Create the FlexConnect Access List (or IPv4)

This ACL lets the client device reach Clearpass, DNS and the WLC's virtual IP, and allows ping.

Note.- If your Cisco APs are in FlexConnect mode, use the FlexConnect ACL; if they are in local mode, use the IPv4 ACL.
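
As an added example (not part of the original post), the Python sketch below audits a pre-authentication ACL like the one in step 5: it confirms the guest can reach Clearpass, DNS and the virtual IP, and that nothing else is opened before login. The rule format, addresses and ports are constructed assumptions, not WLC syntax or values from this guide; first-match evaluation with an implicit deny at the end is assumed.

```python
import ipaddress

# Constructed sample addresses; replace with your own Clearpass, DNS and virtual IP.
CLEARPASS, DNS, VIRTUAL_IP = "192.0.2.10", "192.0.2.53", "192.0.2.1"

# Hypothetical rule model (not WLC syntax): (action, protocol, destination CIDR, port or None)
PREAUTH_ACL = [
    ("permit", "tcp", CLEARPASS + "/32", 443),   # guest login page (HTTPS assumed)
    ("permit", "udp", DNS + "/32", 53),          # name resolution for the redirect URL
    ("permit", "tcp", VIRTUAL_IP + "/32", 443),  # WLC virtual IP (SecureWeb assumed)
    ("permit", "icmp", "0.0.0.0/0", None),       # ping, as in the post
]

# Flows a guest needs before login, and flows that must stay blocked until then.
REQUIRED = [("tcp", CLEARPASS, 443), ("udp", DNS, 53), ("tcp", VIRTUAL_IP, 443)]
MUST_BLOCK = [("tcp", "198.51.100.20", 443), ("tcp", CLEARPASS, 22)]


def decide(acl, proto, dst, port):
    """Return the action of the first matching rule; no match is an implicit deny."""
    addr = ipaddress.ip_address(dst)
    for action, r_proto, r_net, r_port in acl:
        if r_proto not in (proto, "any"):
            continue
        if addr not in ipaddress.ip_network(r_net):
            continue
        if r_port is not None and r_port != port:
            continue
        return action
    return "deny"


def audit(acl, required=REQUIRED, must_block=MUST_BLOCK):
    """Return (required flows that are denied, forbidden flows that are permitted)."""
    missing = [f for f in required if decide(acl, *f) != "permit"]
    leaks = [f for f in must_block if decide(acl, *f) == "permit"]
    return missing, leaks


if __name__ == "__main__":
    too_broad = [("permit", "any", "0.0.0.0/0", None)]
    for name, acl in (("scoped", PREAUTH_ACL), ("too broad", too_broad)):
        missing, leaks = audit(acl)
        print(f"{name}: missing={missing} leaks={leaks}")
```

An empty `missing` list with a non-empty `leaks` list means the captive portal will work but unauthenticated clients already have access they should only get after login.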

 

6.- Make sure WebAuth SecureWeb is enabled

 

7.- Configure the SSID with the appropriate settings

 

 

Check the MAC Filtering box in Layer 2

 

 In Layer 3

  • Layer 3 security : Web Policy
  • Use On MAC Failure
  • Redirect URL (The Clearpass login page)
  • Use the created ACL in WebAuthFlex
  • WebAuth Type : External (Re-direct to external server)

 

Use the created Authentication and Accounting servers in AAA servers

 

Check the Allow AAA override box


Thanks to my friend Esau who let me use his WLC VM to configure the settings and get the images.


Hope this helps!!!




Comments

  1. Excellent post.

    I am not afraid to be wrong, it is the only post where I have seen the topic of MAC caching with Cisco and ClearPass well explained.

    And you are welcome to use my VM, I owe you several, friend.

  2. How did you configure the ClearPass part? I assume that you are using CoA to change the authorization after a successful login?

    Replies
    1. For the Clearpass part, in this case, I used the Clearpass wizard for Guest with MAC Authentication.
      The only things I changed were:
      * The NAS Vendor setting in the self-registration page to match the virtual IP of the WLC
      * Whether it's controller-initiated or not, in that same page of the vendor setting, since sometimes with Cisco it is one or the other.


      For the CoA to work: I enabled it in the authentication profile in the WLC and selected the checkbox in Clearpass in the Device's settings.

      If you have a specific doubt in Clearpass let me know.

  3. Hello Ulises, I have some questions about the certificates and how they affect the POST from ClearPass to the controller. Could I share my questions with you? Thanks.
