Self-Register & Self-Sponsor Solution (Validated email)




Derin Mellor, Aruba Networks
Michael Clarke, Secure Data Ltd
CPPM v6.3.4, AOS v6.3.1.8
21st July 2014, v1.4

Contents
Overview
Workflow
Controller Configuration
  User-Roles
  User Session Timeout
  RADIUS Accounting & CoA
CPPM Configuration
  Create Following Roles
  Create Following Enforcement Profiles
    RADIUS Based Enforcement profiles
    Session Restriction Enforcement profiles
  CPPM Guest and MAC Authentication Services
    CPPM Guest Service
    Update demo Guest MAC Caching Profile
    Update Roles and Enforcement to reflect new roles created
    Update demo Guest MAC Authentication Service
    Establishing the Sponsor state
    MAC Authentication Service
    Role Mapping
    Enforcement Policy
  CPPM Account Cleanup
CPG Configuration
  Create a Self-Sponsored Email Receipt
  Create Guest Self-Registration Form
  Configure Self-Registration to send a Self-Sponsored Receipt
  Edit Registration's Forms & Views
  SMTP Configuration
User Experience
  Registration State
  PreAuth State
  Sponsored State
  Account Expiry
Administrator Guest Account Control
  CPG Active Account Disconnect
  CPG Active Account Reauthorize
  CPG Disable Guest Account
  CPG Delete Guest Account
Extracting Guest Details

Overview
It is often requested to verify an email address for auditing purposes. This can be problematic given that our purpose is to limit network access to the user. There are two lines of thought when trying to get a user to validate their email:

Enforce validation. Restrict access to the network unless the user validates their email. The preauth role could be restricted in bandwidth, allowed ports and even certain websites. The user experience would be poor unless they validated the email. We could also grant short, time-limited access. Note: I cannot work out how to stop users continuously registering and getting the short time access.

Encourage validation. Rather than restricting access and rights, we may want to encourage the user to validate their email and reward them with an enhanced service such as higher bandwidth and the opening of VPN ports. This could be useful for retail environments where we want to give users access, but would like to engage further with the user if they actually go ahead and validate the email.

This How-To focuses on the first option and steps you through granting someone limited short-term access to check their email and verify the account. After sponsoring the registration, the account is expired and purged after 4 hours. You should change these values depending on your own requirements. It is largely based on How-to:_Sponsored_Self-Registration. Where you read "sponsored", think "validated".

This solution should be considered Beta and used with caution in a live environment. This solution does not represent an officially sanctioned Aruba solution, but is merely provided for reference purposes. There are probably alternative or better ways of achieving this. You should not deploy this in a live environment unless you have completely validated and understood it within a test environment. This may break your existing deployment.
The authors of this solution take no responsibility whatsoever if it breaks your existing ClearPass, causes your controller to catch fire or makes your hair fall out.

Conceptual State Table (figure not reproduced in this transcription)

Workflow
This workflow articulates the Conceptual State Table shown above:

State: Device Unknown
1) Unknown device connects to the Guest SSID.
2) Controller forwards MAC Authentication to CPPM.

State: Registration
3) CPPM accepts the MAC Authentication and assigns the Registration captive portal, OR CPPM rejects the MAC Authentication (unknown device). The latter relies on the Controller assigning the guest registration role automatically.
4) Controller places the guest's device into the Registration captive portal (demo-registration). This user-role redirects HTTP/HTTPS traffic to CPPM's guest portal.
5) Guest attempts to browse.
6) Controller redirects web traffic to CPPM's guest portal.
7) CPG presents the guest portal registration page.
8) Guest fills in their name and email address and submits.
9) CPG emails the login credentials to the guest (self-sponsor) and presents a login page.
10) Guest accepts the login page (HTTP POST to CPG).
11) CPG redirects the HTTP login to the Controller.
12) Controller converts the HTTP POST into a RADIUS Request with the necessary login details.

State: PreAuth
13) CPPM accepts the login and moves the device into the demo-preauth role. This has internet access for a 10 minute grace period. If the guest is not (self-)sponsored within 10 minutes, the device is disassociated from the WiFi and the guest account purged (back to Device Unknown).
14) Guest uses this grace period to access his/her email.
15) Guest confirms the email's self-sponsorship. This effectively validates the email address.
16) CPG receives the sponsor confirmation and updates Insight with the information.

State: Sponsored
17) CPPM's Lazy Poller polls Insight, realises the self-sponsorship has occurred and sends a CoA Disconnect to the NAS the guest device is associated with. (During testing the preauth session timeout was set to 5 mins to save time. The CoA seemed to be sent after 8-9 mins; this may have been due to such a short session timeout. Alternatively the PreAuth Session-Timeout occurs, which has the same effect.)
18) Device re-associates.
19) Controller forwards MAC authentication to CPPM.
20) CPPM accepts the device based on the MAC Cache details.

At step 17 the device is disassociated; if there is another available SSID it will connect to that. If there is only one SSID it will re-associate with it and cause another authentication.

NOTE: Subsequent MAC authentications within a state will remain in that state unless something has happened to the user account, e.g. the account was deleted, disabled or expired.

Controller Configuration
User-Roles
The Controller, or equivalent, has to be configured with three specific user-roles:
demo-registration: Only allows DHCP and DNS, plus HTTP and HTTPS to CPG; all other HTTP and HTTPS traffic is redirected to CPG's guest authentication portal page (screenshot rules: "Allows HTTP and HTTPS to CPG", "Redirect to CPG guest portal").
demo-preauth: Currently full access, but this could be restricted if needed.
demo-sponsored: Allows normal guest access to the internet. Currently the same rights as the preauth role.

User Session Timeout
The Controller must be configured to accept the RADIUS Session-Timeout attribute from CPPM.

RADIUS Accounting & CoA
The Controller must be configured with RADIUS Accounting. If using bandwidth control (not tested), Interim Accounting must also be configured. Change of Authorization must be enabled.

CPPM Configuration
Create Following Roles
Create four new roles: Unsponsored Device, PreAuth, Sponsored and Expired. These are used to determine the state of the guest.

Create Following Enforcement Profiles
Aruba RADIUS Enforcement profiles

RADIUS Based Enforcement profiles

Session Restriction Enforcement profiles

CPPM Guest and MAC Authentication Services
Use CPPM's Configuration Service Template "Guest MAC Authentication" to create the Captive Portal Authentication and MAC Authentication services. Enter the relevant values and create the Service.

CPPM Guest Service
The Service's Enforcement has to be enhanced to differentiate between the PreAuth and Sponsored states. Create new enforcement profiles to match the preauth and sponsored states. Copy all the existing ones that were created above and change the details as per the screenshots and the table below.

Enforcement Profile Name / Details / Notes

demo PreAuth Guest Bandwidth Limit
  Details: Bandwidth-Check:Allowed-Limit=0
  Notes: Unlimited. This may not work properly anyway if enforced, due to the 10 minute session timeout and the interim accounting interval of 10 minutes.

demo PreAuth Guest Do Expire
  Details: Expiry-Check:Expiry-Action=%{GuestUser:do_expire}

demo PreAuth Guest Expire Post Login
  Details: Expire-Time-Update:GuestUser=%{GuestUser:expire_postlogin}

demo PreAuth Guest MAC Caching
  Details: Endpoint:Username=%{Authentication:Username}; Endpoint:Guest Role ID=4
  Notes: This will update the Endpoint database with the appropriate role attributes.

demo PreAuth Guest Session Limit
  Details: Session-Check:Active-Session-Count=%{GuestUser:simultaneous_use}; Post-Auth-Check:Action=Disconnect and block access
  Notes: This is defined by the initial value specified when creating the service. It can be overridden with a static value if need be.

demo PreAuth Guest Session Timeout
  Details: Radius:IETF:Session-Timeout=600
  Notes: 10 mins to allow confirmation of email.

demo PreAuth Guest User Role
  Details: Radius:Aruba:Aruba-User-Role=demo-preauth

demo Sponsored Guest Bandwidth Limit
  Details: Bandwidth-Check:Allowed-Limit=0

demo Sponsored Guest Do Expire
  Details: Expiry-Check:Expiry-Action=Disable and Logout

demo Sponsored Guest Expire Post Login
  Details: Expire-Time-Update:GuestUser=%{GuestUser:expire_postlogin}

demo Sponsored Guest MAC Caching
  Details: Endpoint:Username=%{Endpoint:Username}; Endpoint:Guest Role ID=5
  Notes: This will update the Endpoint database with the appropriate role attributes.

demo Additional Device Sponsored Guest MAC Caching
  Details: Endpoint:Username=%{Authentication:Username}; Endpoint:Guest Role ID=5
  Notes: This is for additional devices (if allowed) when logging in for the first time.

demo Sponsored Guest Session Limit
  Details: Session-Check:Active-Session-Count=%{GuestUser:simultaneous_use}; Post-Auth-Check:Action=Disconnect and block access
  Notes: This is defined by the initial value specified when creating the service. It can be overridden with a static value if need be.

demo Sponsored Guest Session Timeout
  Details: Radius:IETF:Session-Timeout=1440
  Notes: 4 hours usage.

demo Sponsored Guest User Role
  Details: Radius:Aruba:Aruba-User-Role=demo-sponsored

Update demo Guest MAC Caching Profile

Update Roles and Enforcement to reflect new roles created
Policy Conditions

Condition 1: Number of devices. Only allow one device per user. (This has been set to 3 at the moment for testing purposes.)

Condition 2: PreAuth. This happens when a device registers and then hits login. It gets the preauth role with full access, but with a session-timeout of only 10 mins. NOTE: On testing, the roles passed into CPPM's Enforcement Policy at initial login are both PreAuth and [Guest]. I believe this is because [Guest] is inherited by the CPPM's guest account.

Condition 3: Sponsored. This will only be hit if an existing user attempts to login again by entering his username and password credentials; this is unlikely due to MAC Caching. Note: This will also apply if more than one device is allowed for each guest account. When a different device connects and uses a valid username/password, the demo Additional Device Guest MAC Caching profile will return Endpoint:Username=%{Authentication:Username}. Essentially, this will be the username that the device is using to log in with. The endpoint has no value for remaining_expiration yet, so no session timeout value is sent, though this will be updated in the next MAC auth.

Default Condition: [Deny Access Profile]

Update demo Guest MAC Authentication Service
The primary challenge is to achieve MAC Caching for only Sponsored devices. The difficulty with MAC Caching is that the useful information about the recently authenticated guest resides in the insightdb, while the endpoint information resides in the tipsdb.

Establishing the Sponsor state
When the device connects, the MAC Auth service needs to validate the Sponsor state. This exists in the insightdb. CPPM already uses the IETF Calling-Station-Id (MAC address) to extract the Endpoint:Username from the tipsdb. This name can then be used to search the insightdb to extract the Sponsor state. We need to add an additional attribute to the Insight Repository:

    SELECT role_name AS sponsor FROM guests WHERE username = '%{Endpoint:Username}';

Remaining Session Timeout
We also need to add an attribute to the demo MAC-Guest-Check Authorisation source. This will determine whether the session has expired or not:

    SELECT CAST(EXTRACT(epoch FROM (expire_time - NOW())) AS INTEGER) AS remaining_expiration
    FROM tips_guest_users
    WHERE ((guest_type = 'USER') AND (user_id = '%{Endpoint:Username}') AND (enabled = 't'));

MAC-Expires attribute: establishes the remaining time prior to the account expiring. Create a new ClearPass Enforcement Profile that returns the remaining session time within the RADIUS Session-Timeout attribute.

MAC Authentication Service
This is much more important due to aggressive power saving by smart devices. Because of this we have to take into consideration the following scenarios:
MAC Authentication during first-time connect.
MAC Authentication during the PreAuth stage.
MAC Authentication once sponsored (this includes the initial CoA).

When the device causes a MAC Authentication it hits the following service. Set the Authentication to "Allow All MAC Auth" (see Note).

NOTE: By default the sponsorship confirmation in CPPM v6.3 (beta) does not automatically change the associated device's Endpoint repository State from Unknown to Known. This can be forced with the Enforcement Policy on the first successful MAC Authentication within the Sponsored state. Likewise, Guest Do Expire = 2 (Disable and Logout at specified time) relies on CPPM's CleanUp to purge sponsored accounts. The other consequence of this is that in the Registration state CPPM will assign the unknown device's role (rather than relying on the Controller).

Role Mapping

Enforcement Policy
Policy Conditions

Condition 1: Non-Expired, Sponsored & Unknown Device. First MAC Authentication after sponsorship. Note: Originally the role evaluation was set to Evaluate-all, but it is now set to First-applicable, so this rule will probably never be hit; it has been left in.
  Update Endpoint = Known and change attribute in Endpoint DB, RoleID=5
  Send Aruba-User-Role=demo-sponsored
  Send Session-Timeout=%{Authorization:demo MAC-Guest-Check:MAC-Expires}
  Username=%{Endpoint:Username}

Condition 2: Non-Expired, Sponsored & Unknown Device. Guest account that has been sponsored by a different device. This is not likely with a short PreAuth session, but for longer sessions this may be relevant. Basically, the account is validated with a different device on a different network (this requires ClearPass to be accessible, typically over the internet). The original device connects, but it is still Unknown. Alternatively, this is the first MAC auth after sponsorship.
  Update Endpoint = Known and change attribute in Endpoint DB, RoleID=5
  Send Aruba-User-Role=demo-sponsored
  Send Session-Timeout = demo Sponsored Guest Session Timeout (4 hours)
  Username=%{Endpoint:Username}

Condition 3: Non-Expired, Sponsored & Known Device. A device that has registered, had its email validated, has previously done a MAC auth and had its endpoint marked as Known after hitting condition 2 above.
  Update Endpoint = Known and change attribute in Endpoint DB, RoleID=5
  Send Aruba-User-Role=demo-sponsored
  Send Session-Timeout=%{Authorization:demo MAC-Guest-Check:MAC-Expires}
  Username=%{Endpoint:Username}

Condition 4: Non-Expired PreAuth Device. A device that has registered but not validated its email, and does a MAC auth within the 10 mins.
  Update Endpoint = Unknown. (There were problems during testing with previously registered devices that had not registered yet were marked as Known. This ensures that only sponsored devices are marked as Known.)
  Send Aruba-User-Role=demo-preauth
  Send Session-Timeout=%{Authorization:demo MAC-Guest-Check:MAC-Expires}
  Username=%{Endpoint:Username}

Condition 5: Unknown Device. Registration role.
  Update Endpoint = Unknown. (Same reason as condition 4: this ensures that only sponsored devices are marked as Known.)
  Send Aruba-User-Role=demo-registration
  Send Session-Timeout = 10 mins

Condition 6: Expired Device. Registration role.
  Update Endpoint = Unknown. (Same reason as condition 4: this ensures that only sponsored devices are marked as Known.)
  Send Aruba-User-Role=demo-registration
  Send Session-Timeout = 10 mins

Default: [Deny Access Profile]

CPPM Account Cleanup
Cleaning up CPPM's Guest and Endpoint databases will be important to avoid an excessively large number of obsolete guests and devices. These values may differ depending on the purpose of this solution and the circumstances.

When the PreAuth guest expires it is automatically deleted, but the device in the Endpoint repository is not. To clean this up I reduce the Unknown endpoints cleanup interval to 1 day. Once a guest and device are registered I rely on CPPM's clean-up rather than the Guest Do Expire and Guest Expire Post Login profile options. Sponsored guests are kept for a longer time so that their information can be exported via an Insight report.
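As an added example that is not part of the original guide, the following Python model replays the MAC Authentication enforcement policy above, together with the remaining_expiration query from "Remaining Session Timeout", for one device through the Registration, PreAuth, Sponsored and Expired states. The data classes, the guest username and the timestamps are constructed stand-ins for the tipsdb/insightdb rows; condition 5 is modelled as an endpoint with no cached Endpoint:Username, which is an assumption. Evaluating the conditions in the listed order also shows why, under First-applicable, the second sponsored-and-Unknown condition is never reached while the first is present.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Role ID and profile values taken from the guide's enforcement profile table.
ROLE_ID_SPONSORED = 5
PREAUTH_SESSION_TIMEOUT = 600     # demo PreAuth Guest Session Timeout (seconds)
SPONSORED_SESSION_TIMEOUT = 1440  # demo Sponsored Guest Session Timeout, as listed on the page


@dataclass
class GuestAccount:
    """Constructed stand-in for the tips_guest_users / Insight guests rows
    that the two authorization queries read."""
    user_id: str
    expire_time: datetime
    enabled: bool
    role_name: str  # "PreAuth" or "Sponsored"; what the Insight 'sponsor' attribute returns


@dataclass
class Endpoint:
    """Constructed stand-in for the Endpoint repository entry keyed by Calling-Station-Id."""
    mac: str
    username: Optional[str] = None  # Endpoint:Username, written by the MAC Caching profiles
    status: str = "Unknown"         # "Unknown" or "Known"
    guest_role_id: Optional[int] = None


def remaining_expiration(acct: Optional[GuestAccount], now: datetime) -> Optional[int]:
    """Python equivalent of the MAC-Expires query: whole seconds until expire_time,
    or None when the query's WHERE clause (enabled = 't') matches no row. That is
    how a disabled or purged account shows up: the attribute is simply absent."""
    if acct is None or not acct.enabled:
        return None
    return int((acct.expire_time - now).total_seconds())


def mac_auth_enforcement(endpoint: Endpoint, acct: Optional[GuestAccount], now: datetime) -> dict:
    """Evaluate the six MAC Authentication policy conditions in the order listed
    (First-applicable) and return the attributes sent back to the controller."""
    mac_expires = remaining_expiration(acct, now)
    not_expired = mac_expires is not None and mac_expires > 0
    sponsor = acct.role_name if acct else None
    sponsored = not_expired and sponsor == "Sponsored"

    def decision(cond: int, role: str, timeout: int, ep_status: str) -> dict:
        # Each condition also carries an Endpoint update, mirrored here on the object.
        endpoint.status = ep_status
        if ep_status == "Known":
            endpoint.guest_role_id = ROLE_ID_SPONSORED
        return {"condition": cond, "Aruba-User-Role": role,
                "Session-Timeout": timeout, "Username": endpoint.username}

    if sponsored and endpoint.status == "Unknown":   # Condition 1
        return decision(1, "demo-sponsored", mac_expires, "Known")
    if sponsored and endpoint.status == "Unknown":   # Condition 2: same test as 1, never reached
        return decision(2, "demo-sponsored", SPONSORED_SESSION_TIMEOUT, "Known")
    if sponsored and endpoint.status == "Known":     # Condition 3
        return decision(3, "demo-sponsored", mac_expires, "Known")
    if not_expired and sponsor == "PreAuth":         # Condition 4
        return decision(4, "demo-preauth", mac_expires, "Unknown")
    if endpoint.username is None:                    # Condition 5 (assumed: never MAC-cached)
        return decision(5, "demo-registration", PREAUTH_SESSION_TIMEOUT, "Unknown")
    if not not_expired:                              # Condition 6: expired or disabled account
        return decision(6, "demo-registration", PREAUTH_SESSION_TIMEOUT, "Unknown")
    return {"condition": "default", "deny": True}    # [Deny Access Profile]


def walkthrough() -> list:
    """Replay the guide's state sequence for one device and collect the
    condition hit at each MAC authentication."""
    t0 = datetime(2014, 7, 21, 12, 0, 0)  # constructed timestamp
    ep = Endpoint(mac="00-11-22-33-44-55")  # constructed MAC
    hits = []

    hits.append(mac_auth_enforcement(ep, None, t0)["condition"])  # first connect
    # Captive-portal login: demo PreAuth Guest MAC Caching writes Endpoint:Username
    ep.username = "guest@example.test"
    acct = GuestAccount(ep.username, t0 + timedelta(minutes=10), True, "PreAuth")
    hits.append(mac_auth_enforcement(ep, acct, t0 + timedelta(minutes=2))["condition"])
    # Guest clicks the self-confirmation link: role becomes Sponsored, expiry +4 hours
    acct.role_name, acct.expire_time = "Sponsored", t0 + timedelta(hours=4)
    hits.append(mac_auth_enforcement(ep, acct, t0 + timedelta(minutes=5))["condition"])
    hits.append(mac_auth_enforcement(ep, acct, t0 + timedelta(minutes=30))["condition"])
    # Do Expire = "Disable and Logout": the row no longer matches enabled = 't'
    acct.enabled = False
    hits.append(mac_auth_enforcement(ep, acct, t0 + timedelta(hours=5))["condition"])
    return hits


if __name__ == "__main__":
    print(walkthrough())  # [5, 4, 1, 3, 6]
```

Running it prints the condition hit at each MAC authentication: registration (5), preauth (4), first MAC auth after sponsorship (1, which also flips the endpoint to Known), steady-state sponsored (3) and expired (6). Note that the Session-Timeout returned in conditions 1, 3 and 4 is whatever remains on the account, not a fixed value, so the controller's session ends at the same moment the account does.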

CPG Configuration
Create a Self-Sponsored Email Receipt
In Configuration > Print Templates, duplicate the Sponsorship Confirmation template. Edit the "Copy of Sponsorship Confirmation" and change the name to "Self Confirmation". Edit the template as you see fit. The default wording is addressed to a sponsor; edit it to address the guest. At minimum, remove "A visitor has requested access naming you as the sponsor". It is vital that the link itself remains intact:

    <a href="{'guest_register_confirm.php' NwaGetAppUrl}?token={$u.register_token rawurlencode}" target="_blank">click here</a>

Edit the message to the visitor.

The above shows what the self-sponsorship request looks like. This can be customized as required.

Create Guest Self-Registration Form
Create a guest self-registration in the normal manner; in this example I use "demo".

Configure Self-Registration to send a Self-Sponsored Receipt
Setup for validated access is within the Receipt Actions section of a self-registration. Navigate to Configuration > Guest Self-Registration.

Receipt Header
Click Header under the Receipt Page. Edit the Receipt Header and append something along the lines of:

    <p> You are being emailed a confirmation email that you must click in order to gain complete access to the network. </p>

Actions
Click Actions under the Receipt Page and check Sponsorship Confirmation. A new section will appear. Make sure the field shown is left blank, and select the "Self Confirmation" print template.

Account will expire after 4 hours. New user-role to assign.

Edit Registration's Forms & Views
Click Back to Guest Self Registration and then edit the demo page. Click on Form to edit the fields. Note: previously in 6.2 we edited the guest_register form and changed the values there, but this didn't work when I tried, or rather it did not use this form.

Disable expire_after (screenshot: "Disable here").
Select expire_after and click Insert After. In the dropdown select modify_expire_time and allow the page to refresh.
Insert After do_expire.
Edit role_id. This will be the initial RoleID passed from CPG to CPPM; 4 will map to the PreAuth role.

SMTP Configuration
This is configured on CPPM. It can be tested from CPG. If all is working, the test email will appear in your inbox.

User Experience
Registration State
The guest associates to the SSID. The unknown MAC address is assigned the Registration role (Controller screenshot). The guest attempts to browse; the Controller redirects to CPG's guest portal and CPG responds with the guest login screen. The guest fills in the page and submits. At this point CPG sends an email to the supplied email address and presents the guest with a login page. NOTE: this expires in 10 minutes. Hitting Log In effectively assigns the PreAuth state.

PreAuth State
CPG shows the account created with the preauth role. CPPM's Access Tracker reports the authentication.

CPPM applies the following PreAuth policy. The Controller reports User Role = demo-preauth (Captive Portal).

The device does a MAC auth before sponsoring. This is reported in CPPM; the controller shows the device authenticated with MAC auth but still with the demo-preauth role.

Sponsored State
The user, before their session expires, opens their email and confirms their registration. The user is presented with new session details. NOTE: the account is extended by 4 hours. CPG now shows the account as sponsored.

Caution: On the controller, the user remains in the pre-auth state. It would appear that although in CPPM the device's session time has been extended, no CoA has been triggered by the sponsoring. The user's role will change with the next MAC auth or when the 10 mins has expired and a CoA is sent. This could be resolved with a message on the user's screen saying to disconnect and connect again for full access. To be investigated further: a CoA needs to be sent upon the user sponsoring their device.

A subsequent MAC auth by the client shows the user being put into the demo-sponsored role. CPPM reports the MAC auth as such, with the output shown.

The controller now shows the user in the demo-sponsored role with MAC auth. The CPPM Endpoint repository reports:

These are inserted by the MAC Caching profile.

On reception of the Sponsorship Confirmation, CPG updates the endpoint's credentials. If the account's expiry time, enabled/disabled state or role_id have changed, CPPM will initiate a CoA that disconnects the device. Alas, I have found this very unreliable in CPPM v6.3 Beta. Thankfully, this CoA is not critical, assuming the PreAuth role is similar/identical to the Sponsored role: when the PreAuth state expires the device's account is already in a Sponsored state, so the MAC Auth will automatically accept it. On subsequent connection the device will be in the Sponsored state. NOTE: This can cause problems if there is another available SSID, as the device will connect to that.

Account Expiry
If the device subsequently connects while the account has expired, it is blocked and will be placed in the demo-registration role. If the account is disabled, this will trigger a CoA that will then put the device into the demo-registration role. If expired, the MAC-Expires attribute has been purged and the device will hit the Expired role. This will be given the Expired role within CPPM, with the output as follows.

Administrator Guest Account Control
CPG Active Account Disconnect
This forces the device to disconnect. The device immediately performs a new MAC Authentication, which is successful as no credentials have changed.

CPG Active Account Reauthorize
This allows you to dynamically change the role based on a CoA with Filter-ID = role name. This works fine.

CPG Disable Guest Account
The connected device is disconnected within 5 minutes. I believe this is related to the Lazy Poller. Note: This seems to happen straight away now, and the device reconnects, is marked as expired and is given the demo-registration role.

CPG Delete Guest Account
The connected device is disconnected within 5 minutes. The account is removed. The associated device in the CPPM Endpoint Repository is not removed.

Extracting Guest Details
Use CPG's Guest > Export Accounts to CSV and process in Excel, looking for Role=demo-sponsored.