AMIGOPOD PowerConnect W Clearpass 100 Software Manual

Auto create mac auth account (authentication based) technote
Summary of Contents for AMIGOPOD PowerConnect W Clearpass 100 Software

  • Page 1 Amigopod Auto Create MAC Auth Account (Authentication Based)
  • Page 2: Legal Notice

    Copyright © 2011 Aruba Networks, Inc. Aruba Networks trademarks include Airwave, Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Table of Contents
    Introduction .......................... 4
      Audience .......................... 4
      Document Overview ................. 4
    Solution Summary ...................... 5
      Prerequisites ..................... 5
      Test Environment .................. 5
    Aruba Controller Configuration ........ 5
      RADIUS Server Definition .......... 5
      MAC Authentication Profile ........ 6
    ...
  • Page 4: Introduction

    Introduction

    This technical note explains the configuration process for enabling the automatic creation of a MAC authentication user account within the Amigopod database based on a successful Web Login Authentication. The use case for this design is to allow a device, once initially authenticated via Captive Portal, to have transparent network access on any subsequent connection to the network.
  • Page 5: Solution Summary

    Test Environment
    Aruba 651 Controller with inbuilt WiFi Access Point (6.1.0.0-beta with PEF License)
    iPhone, iPad, MacBook Pro (Mac OS X), Dell (Windows XP)

    Aruba Controller Configuration

    The configuration discussed in this Tech Note assumes that the Aruba Controller has been configured with an SSID that has RADIUS MAC Address Authentication enabled with Failover to Captive Portal.
  • Page 6: Mac Authentication Profile

        key 10795ff19c00465dd0b0824e562103bee537be631e5bc876

    MAC Authentication Profile
    aaa authentication mac "amigopod-mac"
        case upper
        delimiter dash

    AAA Profile
    aaa profile "amigopod-aaa"
        authentication-mac "amigopod-mac"
        mac-default-role "authenticated"
        mac-server-group "amigopod-srv"
        radius-accounting "amigopod-srv"
        rfc-3576-server "172.16.0.20"

    Captive Portal Profile
    aaa authentication captive-portal "amigopod-cp"
        server-group "amigopod-srv"
        redirect-pause 3
        no logout-popup-window
        protocol-http
        login-page "http://172.16.0.20/aruba_login.php"
    ...
  • Page 7: Ssid Profile

        aaa-profile "amigopod-aaa"
        ssid-profile "MAC-Auth-CP"

    SSID Profile
    wlan ssid-profile "MAC-Auth-CP"
        essid "amigo-MAC-CP"

    Amigopod | Technical Note Auto Create MAC Account | 7
    ...
  • Page 8: Amigopod Configuration

    Amigopod Configuration

    RADIUS Role for MAC Accounts

    Create a new RADIUS role to hold the logic for the automatic creation of the MAC account. This role can contain any standard RADIUS or Aruba-specific attributes that make sense within your deployment. In the example shown below, the Aruba-User-Role VSA is being used to signal to the Aruba controller to place all MAC authenticated clients into an ArubaOS Role of MAC-Guest.
  • Page 9

    Once the changes to the new RADIUS Role have been saved, the current list of available Roles will be listed as shown in Figure 2 below. Figure 2. List of available RADIUS Roles. Note the Role ID listed in the leftmost column of this table (in this case role_id 5), as this will be required for the next step and will be referenced in the condition expression configured to automatically create the MAC authentication account.
  • Page 10: Radius Role To Trigger Mac Address Account Creation

    RADIUS Role to trigger MAC Address Account Creation

    This Role should be assigned to all users for whom you wish to allow the automatic creation of MAC Authentication accounts. Depending on your deployment model, these may be accounts that have been created through the Amigopod standard Guest Manager interface, or accounts authenticated via an external Authentication server such as Active Directory or LDAP.
  • Page 11

    Add MAC Account Creation attribute

    To automatically create the new MAC authentication account, a condition expression is used within a Null attribute. This conditional expression will call internal Amigopod libraries to create the MAC authentication account based on the received Calling-Station-ID in the RADIUS Authentication Request packet.
  • Page 12

    // We are caching the MAC for a local user account. 'id' only exists for local accounts
    && ((!empty($user['id'])
        && NwaCreateUser(array(
            // Required field to act as the confirmation.
            'creator_accept_terms'=>1,
            // The normalized MAC.
            'mac'=>$mac,
            // Flag as a MAC so it shows in List Devices.
            'mac_auth'=>1,
            // The role ID.
  • Page 13

    NOTE: The role_id value in this expression will need to match the Role ID of the RADIUS Role created in the previous step (role_id of 5 in this example). In cases where you want the role to be the same as the original, you can use $user['role_id'] in lieu of the numeric value.
  • Page 14

    The diagram in Figure 5 shows an example of the configuration of this Null Attribute. Figure 5. Sample of conditional expression used to create the MAC Authentication account. Now that these two RADIUS roles have been configured, the underlying logic is in place to support the authentication and automatic creation of MAC Authentication accounts.
  • Page 15: Testing The Workflow

    Testing the Workflow

    In order to test the workflow of the proposed design, there first needs to be an account in the local Amigopod Guest Manager database that is assigned to the MAC-Auth RADIUS Role created in the previous section.

    Create Test Account

    Navigate to the Guests >...
  • Page 16: Initial Connection Attempt

    Returning to the List Accounts view, the newly created account is now visible and the role assignment to MAC-Auth can be verified as shown in Figure 7. Figure 7. List Accounts view with new test account.

    Initial Connection Attempt

    From a test WiFi device, connect to the MAC Auth SSID. In this example the SSID is Amigo-MAC-CP, representing the MAC Authentication with Captive Portal failover configuration.
  • Page 17

    By opening the test device web browser, the Internet session should be redirected to the Web Login page as shown in Figure 8 below. Figure 8. Sample Web Login page hosted on Amigopod. Logging in with the Test Account created previously, the user will be granted access to the network initially based on the configuration of the Captive Portal Profile on the Aruba controller.
  • Page 18: Subsequent Connection Attempt

    Subsequent Connection Attempt

    Assuming the test device has now logged out of the wireless network and attempts to reconnect to the same WiFi SSID of Amigo-MAC-CP, the user experience should now be a transparent login based on the RADIUS MAC Authentication. This can be confirmed by again navigating to the RADIUS >...
  • Page 19: Summary

    Summary

    In review, this solution provides businesses with a zero-touch method of registering web-enabled devices for transparent authentication going forward. Once the device is first authenticated via the Captive Portal process, all subsequent authentications are transparent via the background RADIUS MAC Authentication.
  • Page 20: Appendix - Browser Detection Extension

    Appendix – Browser Detection Extension

    The following discussion provides an overview of how some advanced Amigopod configurations can be leveraged to prevent a non-mobile device from attempting to authenticate to this MAC registration SSID. The use case for this might be a business that wishes to provide its employees with a method of self-provisioning their mobile device for transparent wireless access.
  • Page 21: Create Browser Redirect Page

    Create Browser Redirect Page

    Navigate to Customization > Web Logins and click on the Create New button. Give the Web Login page a meaningful name such as Browser Detection Redirect and then specify a Page Name that will form the basis of the URL hosted on Amigopod. For example, a Page Name of login_redirect would result in the URL http://<Amigopod IP or FQDN>/login_redirect.php. This Page Name will then be referenced in the Captive Portal Profile on the Aruba Controller.
  • Page 22: Create Laptop Detected Error Page

    Create Laptop Detected Error Page

    Navigate to Customization > Web Logins and click on the Create New button. Give the Web Login page a meaningful name such as Detected Laptop Error Page and then specify a Page Name that will form the basis of the URL hosted on Amigopod. For example, a Page Name of laptop_detect would result in the URL http://<Amigopod IP or FQDN>/laptop_detect.php. This Page Name is referenced in the logic inserted in the HTML Header section of the previous...
  • Page 23: Update The Captive Portal Profile

    Update the Captive Portal Profile

    Back on the Aruba Controller, the Captive Portal Profile needs to be updated to reflect the new termination point for the initial redirect. Given the Page Name defined in the above step, the new login page needs to be defined as http://<Amigopod IP or FQDN>/login_redirect.php, as shown in the configuration extract below:...
  • Page 24: Appendix - Limiting Paired Devices

    Appendix – Limiting Paired Devices

    It may be desired to limit the number of MAC devices that are created and tied to a single user account. This can be accomplished with a change to the role expression.

    return ($MAX_MAC_ACCOUNTS
        && (NwaRadiusLocalServer()->GetUserCount(array(
            'sponsor_name' =>...
  • Page 25

    && (NwaRadiusLocalServer()->GetUserCount(array(
        // sponsor_name is set to the username on create.
        'sponsor_name' => strtolower(GetAttr('User-Name')),
        // delete_time is 0 for valid accounts.
        'delete_time' => 0,
        // Only search for devices.
        'mac_auth' =>
        // Check that the returned count is greater than the allowed.
        >= $MAX_MAC_ACCOUNTS)
    // If it is, then the AccessReject()* will stop the rest of the expression.
