AAA, NAC, Guest Access & BYOD

Blocking the black-listed user device even when the client does guest MAC authentication.

by 06-30-2016 10:49 AM - edited 06-30-2016 10:49 AM
Q:

Is it possible to block the guest user device even when it performs MAC authentication (MAC caching) when the associated guest user account is blacklisted?


We have a setup in ClearPass where the guest user account is blacklisted after exceeding the defined bandwidth or session duration. The guest users are denied access only when they perform user authentication via the captive portal. The same guest network is also enabled with MAC caching for 24 hours, and the clients are allowed to pass MAC authentication throughout the cached duration. We have noticed that the devices belonging to the blacklisted user can also pass authentication during this 24-hour MAC caching period.


Expected behavior,

When the guest user account is blacklisted, the associated user devices should be denied/blocked access on the guest network/SSID, whether it is user or MAC authentication.

A:

Mapping the [Blacklist User Repository] as an authentication source in the guest services denies access to a blacklisted user only when the authentication username matches the user_id in the repository. In guest MAC caching/authentication, however, the authentication username is the client MAC address, so it does not match the user_id stored in the [Blacklist User Repository].


Solution,

During guest user authentication, the authentication username and guest role ID are added to the client MAC address entry in the endpoint repository, as shown below.


You can add the attribute "Endpoint:Username" to the default filter query of the [Blacklist User Repository] so that the blacklisted guest's devices are denied/rejected even when they perform MAC authentication.

To do that, log in to Policy Manager, navigate to Configuration >> Authentication >> Sources >> [Blacklist User Repository] >> Attributes, and modify the query as shown below.

Default query,

SELECT 'password' as user_password, 
       CASE WHEN bandwidth_limit_exceed = TRUE THEN 228 
            WHEN session_duration_exceed = TRUE THEN 229 
            WHEN session_count_exceed = TRUE THEN 230 
       END AS Account_Status FROM tips_post_auth_enf_log  WHERE user_id = '%{Authentication:Username}' order by timestamp desc limit 1


Modified query (the attribute "Endpoint:Username" is the only addition),

SELECT 'password' as user_password, 
       CASE WHEN bandwidth_limit_exceed = TRUE THEN 228 
            WHEN session_duration_exceed = TRUE THEN 229 
            WHEN session_count_exceed = TRUE THEN 230 
       END AS Account_Status FROM tips_post_auth_enf_log  WHERE user_id = '%{Authentication:Username}' OR user_id='%{Endpoint:Username}' order by timestamp desc limit 1


Note: The authentication username must be written to the endpoint during guest user authentication. If the MAC caching enforcement is not included in the guest user authentication service, or the username is not being updated on the endpoints, create a new service for guest authentication using the service template "Guest Authentication with MAC Caching" under Policy Manager >> Configuration >> Start Here; this service template creates the required enforcement to update the guest username on the endpoints.
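To see why the extra OR clause matters, here is an added Python example (not from the article or from ClearPass) that runs both filter queries against a constructed in-memory SQLite table standing in for ClearPass's tips_post_auth_enf_log. The macro substitution, the sample log rows and the MAC/guest names are assumptions made for the demo.

```python
import sqlite3

# Default filter query of [Blacklist User Repository], as quoted in the article.
DEFAULT_QUERY = """SELECT 'password' AS user_password,
       CASE WHEN bandwidth_limit_exceed = TRUE THEN 228
            WHEN session_duration_exceed = TRUE THEN 229
            WHEN session_count_exceed = TRUE THEN 230
       END AS Account_Status
FROM tips_post_auth_enf_log
WHERE user_id = '%{Authentication:Username}'
ORDER BY timestamp DESC LIMIT 1"""

# The article's fix: also match the guest username cached on the endpoint.
MODIFIED_QUERY = DEFAULT_QUERY.replace(
    "WHERE user_id = '%{Authentication:Username}'",
    "WHERE user_id = '%{Authentication:Username}' OR user_id = '%{Endpoint:Username}'")

def build_log():
    """Constructed in-memory stand-in for the ClearPass post-auth enforcement log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE tips_post_auth_enf_log (
        user_id TEXT, bandwidth_limit_exceed BOOLEAN,
        session_duration_exceed BOOLEAN, session_count_exceed BOOLEAN,
        timestamp INTEGER)""")
    conn.executemany("INSERT INTO tips_post_auth_enf_log VALUES (?, ?, ?, ?, ?)", [
        ("guest1", 0, 0, 0, 50),   # older clean entry, must lose to the newer one
        ("guest1", 1, 0, 0, 100),  # newest: bandwidth limit exceeded -> 228
        ("guest2", 0, 1, 0, 120),  # session duration exceeded -> 229
    ])
    return conn

def substitute(query, attrs):
    """Simplified stand-in for ClearPass %{Namespace:Attribute} expansion (trusted values only)."""
    for name, value in attrs.items():
        query = query.replace("%{" + name + "}", value)
    return query

def account_status(query, attrs):
    """Account_Status for one authentication; None = no row, so not treated as blacklisted."""
    conn = build_log()
    row = conn.execute(substitute(query, attrs)).fetchone()
    conn.close()
    return None if row is None else row[1]

if __name__ == "__main__":
    # MAC caching: RADIUS username is the MAC, endpoint carries the cached guest name.
    mac_auth = {"Authentication:Username": "aabbccddeeff", "Endpoint:Username": "guest1"}
    print("default :", account_status(DEFAULT_QUERY, mac_auth))   # None -> device passes
    print("modified:", account_status(MODIFIED_QUERY, mac_auth))  # 228  -> device blocked
```

With the default query the MAC-authenticating device of a blacklisted guest returns no row and is admitted; with the modified query the cached Endpoint:Username hits the blacklist entry and the Account_Status code (228) can drive the deny.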
