Aruba Clearpass - How to configure the Cisco WLC for Guest and MAC Caching by Ulises Cázares
Hi this is a step by step on how to configure an SSID in a functional Cisco WLC (8.10) for Guest Authentication and MAC Caching using Aruba Clearpass
General Steps (this guide assumes you have correctly configured the Clearpass side)
- Create an Authentication Server (The secret is the same as the one configured in Clearpass)
- Create an Accounting Server (The secret is the same as the one configured in Clearpass)
- Configure the WebAuth login Page (use the configured guets login page in Clearpass)
- Make sure the Web Auth Certificate points to the virtual IP in the WLC
- Create the FlexConnect Access List (or IPV4)
- Make sure WebAuth SecureWeb is enable
- Configure the SSID with the appropiate settings
1.- Create an Authentication Server
2.- Create an Accounting Server
3.- Configure the WebAuth login Page (in this example is; guest.demo-clearpass.net/cisco_login.php)
Note.- In order to avoid the security warnings in the conencting devices, install the appropiate certificate in Clearpass with the CN or SAN matching the host part of the URL used here.
4.- Make sure the Web Auth Certificate points to the virtual IP in the WLC
5.-Create the FlexConnect Access List (or IPV4)
This ACL is used to let the client device reach Clearpass, DNS, the WLC's virtual IP and make ping
Note.- If your Cisco APS are in FlexConnect mode use the FlexConnect ACL but if they are in local mode use the IPV4 ACL
6.- Make sure WebAuth SecureWeb is enable
7.- Configure the SSID with the appropiate settings
Check the MAC Filtering box in Layer 2
In Layer 3
- Layer 3 security : Web Policy
- Use On MAC Failure
- Redirect URL (The Clearpass login page)
- Use the create ALC in WebAuthFlex
- WebAuth Type : External (Re-direct to external server)
Use the created Authentication y Accounting servers in AAA servers
Check the Allow AAA override box
Thanks to my friend Esau who let me use his WLC VM to configure the settings and get the images.
Hope this helps!!!
excellent post.
ReplyDeleteI am not afraid to be wrong, it is the only post where I have seen well explained the topic of mac-caching with Cisco and ClearPass.
And you are welcome to use my VM, I owe you several friend.
How did you configure the ClearPass part? I assume that you are using CoA to change the authorization after a successful login?
ReplyDeleteFor the Clearpass part, in this case, I use the CLearpass wizard for Guest with Mac Authentication.
DeleteThe only things I changed were:
* The NAS Vendor setting in the self-registration page to macth the virtual IP of the WLC
* Either if it's controller initiated or not in that same page of the vendor setting since somethings with Cisco is one or the other.
For the CoA to work: I enabled it in the authentication profile in the WLC and selec the checkbox in Clearpass in he Device's settings.
If you have a specific doubt in Clearpass let me know.
hola Ulises , twngo algunas dudas en el tema d elos certificados de como afectan al hacer el post del clear pass a la controladora . Podria comentarte mis dudas ? gracias
ReplyDelete