Deployment Guide

ClearPass Guest 3.9 | Deployment Guide | Guest Management
Any of the other standard fields can be added in the same way as when importing regular guests.
Advanced MAC Features
2-Factor Authentication
2-factor authentication checks both the credentials and the MAC address on record.
How the MAC is tied to the visitor account depends on the requirements of your deployment. In practice you
would probably add mac as a text field to the create_user form. When mac is enabled in a self-registration,
it is included in the account as long as mac is passed in the URL. Relying on self-registration may
defeat the purpose of two-factor authentication, however, because the MAC on record is then whatever
value was passed in the URL at registration.
The two factors are checked as follows:
1. Regular RADIUS authentication using the username and password.
2. The role checks the user account's mac against the Calling-Station-Id passed in the request.
Edit the user role and select the attribute for Reply-Message or Aruba-User-Role. Change the condition from
Always to Enter conditional expression, and use the following expression:
return !MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) && AccessReject();
There is an alternative syntax where you keep the condition at Always and instead adjust the Value.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? $role["name"] : AccessReject()
or
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : AccessReject()
MAC-Based Derivation of Role
You can also adjust which role is returned depending on whether the MAC address matches a registered
value. The controller must be configured with the appropriate roles, and the reply attributes must map to
them as expected.
Within the user role, edit the Value of the attribute that returns the role to the controller.
If the user connects from the registered MAC, the Employee role is applied; otherwise the user is set as Guest.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest'
This can be expanded if you create multiple MAC fields. Navigate to Customize > Fields and duplicate
mac. Rename the copy to mac_byod and then add it to the create_user and guest_edit forms. In this example the
account has a registered employee device under mac and a registered BYOD device under mac_byod.
<?= MacEqual(GetAttr('Calling-Station-Id'), $user['mac_byod']) ? 'BYOD' :
(MacEqual(GetAttr('Calling-Station-Id'), $user['mac']) ? 'Employee' : 'Guest')
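The following added example is not ClearPass code and is not from the guide. It is a stand-alone Python model of the two-factor check and the mac / mac_byod role derivation above, useful for working out the expected outcome for each device before entering the expressions. The function mac_equal is a hypothetical stand-in for MacEqual. Its normalization of separators and its rule that an empty or malformed value never matches are assumptions, as are the sample addresses.

```python
# Added example: offline model of the role logic above. Not ClearPass code.
import re

REJECT = "Access-Reject"  # stands in for the effect of AccessReject()

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    if not value:
        return None
    digits = re.sub(r"[-:.\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_equal(a, b):
    """Hypothetical stand-in for MacEqual: compare after normalizing.
    Assumption: an empty or malformed value never matches anything."""
    na, nb = normalize_mac(a), normalize_mac(b)
    return na is not None and na == nb

def two_factor_role(calling_station_id, user, role_name):
    """Second factor: credentials already passed; reject on MAC mismatch."""
    if mac_equal(calling_station_id, user.get("mac")):
        return role_name
    return REJECT

def derive_role(calling_station_id, user):
    """Role derivation with two MAC fields; mac_byod is tested first."""
    if mac_equal(calling_station_id, user.get("mac_byod")):
        return "BYOD"
    if mac_equal(calling_station_id, user.get("mac")):
        return "Employee"
    return "Guest"

# Constructed sample account and Calling-Station-Id values.
USER = {"mac": "00:11:22:AA:BB:CC", "mac_byod": "0011.22dd.eeff"}
SAMPLES = ["00-11-22-aa-bb-cc", "00:11:22:DD:EE:FF", "66-77-88-99-00-11", ""]

if __name__ == "__main__":
    for csid in SAMPLES:
        print(repr(csid), two_factor_role(csid, USER, "Employee"),
              derive_role(csid, USER))
```

The last sample shows the case worth checking on a real deployment: a request with no Calling-Station-Id, or an account with no mac on record, should end in a reject for the two-factor role and in Guest for the derived role.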
User Detection on Landing Pages
When mac is passed in the redirect URL, the user is detected and a customized message displays on the
landing page.
Navigate to Administrator > Plugin Manager > Manage Plugins: MAC Authentication:
Configuration and enable MAC Detect.
Edit the header of your redirect landing page (login or registration) and include the following:
<p>{if $guest_receipt.u.visitor_name}
Welcome back to the show, {$guest_receipt.u.visitor_name|htmlspecialchars}!
{else}
Welcome to the show!
{/if}</p>