CLI command to bypass CWP and change VLANs

Question | Updated 3 years ago | Answered
The goal is to have only one SSID: if the computer's MAC address is on a white-list, it will ask for the user's AD credentials, and if they are in the staff group they will have access to the internet. If the MAC address is white-listed, then it would automatically go onto the internet without the CWP.

I am on 6.4r1 and have it partially done.

What works:
1. The CWP works like it should. When a user logs on, they are attached to a fake VLAN and the CWP pops up; if the user is in the staff group it moves them to VLAN 1 and everything works. If they are not in the staff group it keeps them on the fake VLAN and they cannot go anywhere.

2. Using the commands below, typed into the CLI Supplement, I am able to enter a MAC address that does not get the CWP.
mac-object mac_test mac-range 9cad:9792:64e5 - 9cad:9792:64e5
security-object ARSU-Secure security mac-white-list mac-object mac_test
security-object ARSU-Secure security mac-white-list bypass-cwp


What doesn't work:
1. The problem is that the MAC address is treated as if it were a non-staff member logging in, and it keeps the computer on the fake VLAN.

Is there something I can add to this CLI so that it bypasses the CWP and also moves the client to VLAN 1?

Bjorn Behrendt
This should be simpler.

Posted 3 years ago


Nick Lowe, Official Rep
Take a deep breath, take a step back... and do what you conceptually want to achieve properly, using 802.1X/RADIUS :) ...And be rid of the abominations that CWPs and MAC-address matching are, both of which are highly insecure.

CWPs are also highly unreliable in practice, due to HTTPS (TLS), and are generally considered rather poor practice.

Crowdie, Champ
If we take this step by step:

1. There is a CWP, so the encryption is at layer five and above. This means that the wireless clients are vulnerable to layer two attacks.

So you have a PSK or PPSK assigned to the WLAN, so that layer two authentication occurs and the CWP data is "protected" by the layer two encryption. However, users must now log in twice.

2. The login splash screen and redirect are vulnerable to issues with the wireless client's operating system and web browser. iOS users are well aware of this issue, as Apple spent most of the iOS 7.x.x series breaking CWPs.

3. Some operating systems do not like moving from one VLAN to another. Commonly on these operating systems the wireless client will be placed in the original VLAN (in your case a fake VLAN) and, upon passing authentication, will ignore requests to move VLAN, so the user is authenticated to the wireless network but cannot get an IP address or access any resources. This may be what is causing your issue #1.

4. MAC address filtering is not a security standard (resist the urge, Nick :-) ) and is easily bypassed. Therefore, once one staff member authenticates, anybody with basic wireless knowledge will be able to authenticate to the wireless network (the MAC address is sent in clear text).

So how do we resolve this?

You need to complete authentication before the VLAN assignment occurs. The wired world fixed this issue many years ago with a "port blocking" solution for switches. The wireless world "borrowed" this concept and adapted it for our requirements, and it is called 802.1X. With 802.1X, authentication must be completed before a VLAN is assigned. If you have a Windows Server you can enable the Network Policy Server role and configure 802.1X.

Bjorn Behrendt
Thank you for your input. I am willing to try a RADIUS server. I plan on searching, but do you have any guides you would suggest on how to set it up on Windows Server 2008?

This may be the best place to ask, but the other schools in my district have this working with Meraki, which uses itself as a RADIUS server. Is there any way I could use Meraki's internal RADIUS server as the one for Aerohive?

We were using MAC addresses to distinguish school-owned devices from student- or employee-owned ones. 90% of school-owned devices are Chromebooks or iPads. If MAC addresses are not the best way, how does the RADIUS server know a school-owned device from a personal one?

BJ, Champ
No need to engage Meraki; Aerohive integrates well with AD for RADIUS:
http://www.aerohive.com/330000/docs/help/english/6.4r1/hm/full/help.htm#ref/radiusConfig.htm?Highlig...

Best,
BJ 

Bjorn Behrendt
I already have that working. The problem is in trying to create a situation where school-owned devices (primarily Chromebooks and iPads) skip the portal log-on and just work.

As of right now, with the config from the original post, they skip the portal but stay on the fake VLAN as if they were not authenticated.

... hmmm

As I am writing this I think I know of a solution. I can swap my VLANs so that the default is VLAN 1, but if they are in the student group it moves them to the fake VLAN.

(Nick & Crowdie, I know this is not necessarily secure, but I am shooting for a convenient, simple solution, with the goal of keeping most personal devices off our network. If they are smart enough to do anything that you mentioned, I am going to hire them to be on our Student Tech team.)

Mike Kouri, Official Rep
Bjorn,
You beat me to it; change the default VLAN to the one where you wish school-owned devices to land, and let client classification move other devices to other VLANs.

And your idea of enlisting the more technically astute students is excellent.

Nick Lowe, Official Rep
Indeed, but if you did this in the UK, you would break data protection laws if staff accessed any pupil data over the wireless network and some other form of robust, mandated encryption was not in use, like a VPN.

In my opinion, definitely not worth the risk of not doing it properly.

It also doesn't offer adequate, reasonable protection for pupils and staff using the network day-to-day for other purposes.

The guest network is, perhaps ironically, far more secure than the one offered to staff and pupils in such a setup.

Once CWP authentication has been completed, all traffic is in the open.

You simply cannot deploy this way for anything but casual guest access.

Bjorn Behrendt
Nick, we will still have the WPA encryption on the SSID. The CWP is for those students who figure out the password (often from a teacher who wrote it on a sticky note on their desk).

I do have a question about using an external RADIUS server. What is the user experience if they are on a Chromebook or iPad, which doesn't log into Active Directory? And how would I distinguish a school-owned Chromebook from a student-owned Chromebook or iPad? (I just started playing with Windows NPS in response to this post.)

Nick Lowe, Official Rep
Ah, if you are using CWP authentication in addition to a PSK, it's not quite so bad. But it is still pretty bad where this PSK is widely distributed and for a long time. It's almost akin to being open at that point. (The guest PSK will at least rotate on a weekly basis, making it more secure.)

You are far better off using PPSKs (one device per PSK or one user per PSK) or 802.1X (with credentials deployed on a per-user, per-device or per-user-and-device basis, where you issue a credential that is unique for the intersection).

You distinguish using unique credentials.

Devices do not have to be domain joined or even domain aware. It's entirely decoupled.
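As an added example (not from this thread, and not Aerohive or Meraki code), here is what Crowdie's point that "authentication must be completed before a VLAN is assigned" and Nick's "you distinguish using unique credentials" look like on the wire: a minimal RADIUS Access-Request / Access-Accept round trip in Python, where the RADIUS server maps the authenticated user to a VLAN with the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes (RFC 2865, RFC 2868, RFC 3580), and the NAS verifies the Response Authenticator before honouring them. The shared secret, user names, group names, NAS identifier and VLAN numbers are constructed for illustration; the EAP credential exchange itself is left out, with a group lookup standing in for it, and the Access-Request carries a Message-Authenticator (RFC 2869) as an 802.1X NAS would.

```python
"""Added example, not from this thread or from Aerohive: a minimal RADIUS exchange
in which the RADIUS server decides the VLAN after authenticating the user.
Secret, users, groups, NAS identifier and VLAN IDs below are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, NAS_IDENTIFIER, MESSAGE_AUTHENTICATOR = 1, 32, 80
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # values used by RFC 3580

# Constructed policy: AD group -> VLAN. Users in no listed group are rejected,
# so nothing ever lands in a "fake VLAN" waiting for a portal login.
GROUP_VLAN = {"staff": 1, "students": 200}
USERS = {"jdoe": "staff", "s1234": "students", "visitor": "guests"}


def attr(atype, value):
    """One Type-Length-Value attribute; Length counts its 2-byte header (RFC 2865 s5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def tunnel_attr(atype, value, tag=0):
    """Tunnel-* attributes carry a one-octet Tag in front of the value (RFC 2868)."""
    return attr(atype, bytes([tag]) + value)


def vlan_attrs(vlan_id):
    """The three attributes a NAS needs for dynamic VLAN assignment (RFC 3580 s3.31)."""
    return (tunnel_attr(TUNNEL_TYPE, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
            + tunnel_attr(TUNNEL_MEDIUM_TYPE, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
            + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def parse_attrs(data):
    """Walk the attribute list, rejecting bad lengths instead of reading past the end."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_request(ident, username, nas_id, secret, request_auth=None):
    """NAS -> server Access-Request with Message-Authenticator (RFC 2869 s5.14):
    HMAC-MD5 over the whole packet with that attribute's value set to 16 zero bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(USER_NAME, username.encode()) + attr(NAS_IDENTIFIER, nas_id.encode())
    zeroed = attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs) + len(zeroed))
    msg_auth = hmac.new(secret, header + request_auth + attrs + zeroed, hashlib.md5).digest()
    return header + request_auth + attrs + attr(MESSAGE_AUTHENTICATOR, msg_auth)


def build_response(code, ident, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def server_handle(packet, secret):
    """RADIUS server: check Message-Authenticator, map user -> group -> VLAN, answer.
    The EAP credential exchange is elided; the group lookup stands in for it."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return None
    request_auth, attrs = packet[4:20], parse_attrs(packet[20:])
    zeroed = b"".join(attr(t, bytes(16) if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs)
    expected = hmac.new(secret, packet[:20] + zeroed, hashlib.md5).digest()
    msg_auth = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if msg_auth is None or not hmac.compare_digest(msg_auth, expected):
        return None  # silently discarded, as RFC 2869 requires
    username = dict(attrs).get(USER_NAME, b"").decode(errors="replace")
    vlan = GROUP_VLAN.get(USERS.get(username))
    if vlan is None:
        return build_response(ACCESS_REJECT, ident, request_auth, b"", secret)
    return build_response(ACCESS_ACCEPT, ident, request_auth, vlan_attrs(vlan), secret)


def nas_decide(response, ident, request_auth, secret):
    """NAS side: returns (authorised, vlan). The client has no VLAN at all until a
    verified Access-Accept arrives; a forged or tampered reply counts as no reply."""
    if response is None or len(response) < 20:
        return False, None
    code, rid, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    if rid != ident or length != len(response) or not hmac.compare_digest(expected, response[4:20]):
        return False, None
    if code != ACCESS_ACCEPT:
        return False, None
    attrs = dict(parse_attrs(response[20:]))
    if (attrs.get(TUNNEL_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]
            or attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:]
            or TUNNEL_PRIVATE_GROUP_ID not in attrs):
        return True, None  # accepted without VLAN attributes: NAS keeps the SSID's default VLAN
    gid = attrs[TUNNEL_PRIVATE_GROUP_ID]
    gid = gid[1:] if gid and gid[0] <= 0x1F else gid  # strip the Tag when present (RFC 2868 s3.6)
    gid = gid.decode(errors="replace")
    return True, (int(gid) if gid.isdigit() else gid)


def run_exchange(username, secret=b"constructed-shared-secret", nas_id="ap-library-1"):
    """Drive one NAS <-> server round trip and return the NAS's decision."""
    ident, request_auth = 7, os.urandom(16)
    request = build_request(ident, username, nas_id, secret, request_auth)
    return nas_decide(server_handle(request, secret), ident, request_auth, secret)


if __name__ == "__main__":
    for user in ("jdoe", "s1234", "visitor", "nobody"):
        print(user, run_exchange(user))
```

The point of the NAS-side function is the ordering the thread keeps coming back to: the access point has nothing to put the client in until the server's answer has been verified, and it only trusts Tunnel-Private-Group-ID after checking that Tunnel-Type says VLAN and Tunnel-Medium-Type says IEEE 802, which is the check NPS-fed access points perform. This is the RFC 2865 baseline only; production deployments should require Message-Authenticator on every packet and carry RADIUS over TLS or IPsec, because the MD5-based authenticators alone are not a strong integrity check.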