08-01-2013 05:35 AM
ClearPass ver 220.127.116.1146 on CP-VA-500
OK we have MAC cache turned on in the web logins page. and it all works for access. Guest signs in the first time and gets a MAC account for the endpoint.
My first Question is. Does the Expiration Date on the MAC account match the Experation date on the Guest Account?
My second question. When I disable the guest user account I am still seeing the user get access through the endpoints MAC account. Is there a way to stop this?
08-01-2013 05:44 AM
Did u made your mac db profile on the controller? or on the clearpasss db?
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
08-02-2013 05:11 AM
On the controller I set up pretty standard MAC auth - in the AAA profile I used default MAC profile and listed the ClearPass server group - this is the same location captive portal goes to
On ClearPass I made two services one to process Mac auth and one to process the guest auth .
I can see the user Mac process the services in access tracker and they show up as known in the endpoints list so they are getting in the endpoints database
08-14-2013 01:23 AM
I still have not found a solution to this.
In testing when I disable the guest account on CPPM - the MAC in the endpoints database still allows the guest to authenticate until the original expiration of the guest account
08-21-2013 04:53 AM
you could lower the experation time on the MAC entries? or delete it when you disable the account. but beyond that i dont see a nice way to solve this.
08-22-2013 12:08 PM
Actually I have found that this has been taken care of in version 6.2 of CPPM/Guest. Actually in version 6.1.2 (look in release notes) bug fix corrected the behaviour where CPPM now checks for the original guest account status when authenticating a MAC cached user. Thus if the client disconnects and reconnectes the MAC cache entry is expired if the guest account is expired. Also in Version 6.2 a bug fix corrected the behaviour where now when you disable the guest account it sends a CoA record to the RFC-3576 server and will deauthenticate the client.
Also optionally you can chenge the MAC cache timeout from the default of 1 day to hours or even minutes- this is a rule setting in enforcement. where the rule : Authorization:[Insight Repository]:Days-Since-Auth LESS_THAN can be changed to other time settings.