3. In the Policy Manager row, mark the check box to register the guest’s MAC address with ClearPass Policy Manager. The Advanced row is added to the form.
4. In the Advanced row, mark the check box to enable advanced options in ClearPass Policy Manager. The Endpoint Attributes row is added to the form.
5. In the Endpoint Attributes row, enter name|value pairs for the user fields and Endpoint Attributes to be passed.
6. Click Save Changes to complete this configuration and continue with other tasks, or click Save and Reload to proceed to Policy Manager and apply the network settings.
Importing MAC Devices
The standard Guest > Import Accounts form supports importing MAC devices. At a minimum the following two columns are required: mac and mac_auth.
mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,bb:bb:bb:bb:bb:bb,Device B
1,cc:cc:cc:cc:cc:cc,Device C
Any of the other standard fields can be added similar to importing regular guests.
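The role expressions in this guide compare Calling-Station-Id against the mac value stored on the account, so it helps to check an import file before uploading it. The following pre-import check is an added example, not part of the Deployment Guide or of ClearPass; the function names, the accepted separator styles, the colon-separated lowercase output (chosen to match the guide's sample) and the choice to reject duplicate MACs and empty mac_auth values are assumptions.

```python
import csv
import io
import re

REQUIRED = ("mac", "mac_auth")  # the two columns the guide lists as required

def normalize_mac(raw):
    """Return aa:bb:cc:dd:ee:ff, or None if raw is not a 48-bit MAC address."""
    digits = re.sub(r"[:.\-\s]", "", raw.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def check_import(text):
    """Validate import CSV text. Returns (clean_rows, problems)."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [], ["missing required column(s): " + ", ".join(missing)]
    clean, problems, first_seen = [], [], {}
    for row in reader:
        line = reader.line_num  # line in the file that this row came from
        mac = normalize_mac(row.get("mac") or "")
        if mac is None:
            problems.append(f"line {line}: invalid MAC {row.get('mac')!r}")
        elif mac in first_seen:
            # Same device written in another format still counts as a duplicate.
            problems.append(f"line {line}: {mac} duplicates line {first_seen[mac]}")
        elif not (row.get("mac_auth") or "").strip():
            problems.append(f"line {line}: mac_auth is empty")
        else:
            first_seen[mac] = line
            clean.append({**row, "mac": mac})
    return clean, problems

# Constructed sample input (not from the guide).
SAMPLE = """mac_auth,mac,notes
1,aa:aa:aa:aa:aa:aa,Device A
1,BB-BB-BB-BB-BB-BB,Device B
1,cc:cc:cc:cc:cc,Device C
1,AAAA.AAAA.AAAA,Device A again
,dd:dd:dd:dd:dd:dd,Device D
"""

if __name__ == "__main__":
    rows, issues = check_import(SAMPLE)
    for r in rows:
        print("ok  ", r["mac_auth"], r["mac"], r["notes"])
    for i in issues:
        print("skip", i)
```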
Advanced MAC Features
2-Factor Authentication
2-factor authentication checks against both credentials and the MAC address on record.
Tying the MAC to the visitor account will depend on the requirements of your deployment. In practice you would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration it will be included in the account as long as mac is passed in the URL. Relying on self-registration may defeat the purpose of two-factor authentication, however.
The two factors are checked as follows:
1. Regular RADIUS authentication using username and password.
2. The role checks the user account's mac against the passed Calling-Station-Id.
Edit the user role and the attribute for Reply-Message or Aruba-User-Role. Adjust the condition from Always to Enter conditional expression.
return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();
There is an alternative syntax where you keep the condition at Always and instead adjust the Value.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] : AccessReject()
or
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()
MAC-Based Derivation of Role
Depending on whether the MAC address matches a registered value, you can also adjust which role is returned. The
controller must be configured with the appropriate roles and the reply attributes mapping to them as expected.
Edit the Value of the attribute within the role that returns the role to the controller.
If the user is on the registered MAC, apply the Employee role; otherwise assign the Guest role.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'
Dell Networking W-ClearPass Guest 6.0 | Deployment Guide