MVP
Posts: 289
Registered: ‎11-04-2008

ClearPass 6.2 Policy Enforcement Not Map Correctly

CPPM 6.2, Guest service non-802.1x

 

I have a Policy Enforcement type RADIUS, Default Deny Access with two rules:

  1. Tips role = GUEST-PROVISIONING, actions GUEST_ENF_PF
  2. Tips role = VIP_GUEST, actions VIP_GUEST_ENF_PF

In my Enforcement Profiles:

  1. GUEST_ENF_PF: map to radius: Aruba user role GUEST-LOGON
  2. VIP_GUEST_ENF_PF: map to radius Aruba user role VIP-GUEST

Working:  guest users will hit correct Tips Roles GUEST-PROVISIONING and VIP_GUEST according to my role mapping

 

Not working: My enforcement policy above to assign GUEST_ENF_PF and VIP_GUEST_ENF_PF.  All guests no matter what Tips role will hit Enforcement Profiles [Allow Access Profile]

 

My goal: Using ClearPass Endpoint to profile and assign user roles at the controllers for guests: a role VIP guest will not require Captive Portal, but normal guest role will.

 

Regards,

~Trinh Nguyen~
Boys Town
Aruba Employee
Posts: 10
Registered: ‎05-27-2013

Re: ClearPass 6.2 Policy Enforcement Not Map Correctly

It's strange that you are hitting the [Allow Access Profile] if the enforcement policy is as described. Could you export the logs from the Access Tracker by clicking on the export button for that particular request and send them across to analyze?

 

Alternatively you can open a TAC case for someone to take a look at the configuration.

MVP
Posts: 289
Registered: ‎11-04-2008

Re: ClearPass 6.2 Policy Enforcement Not Map Correctly

[ Edited ]

I can't reply with an attached log.  Please download from this link:

 

Log is here

 

~Trinh Nguyen~
Boys Town
Guru Elite
Posts: 8,458
Registered: ‎09-08-2010

Re: ClearPass 6.2 Policy Enforcement Not Map Correctly

[ Edited ]
 

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Aruba Employee
Posts: 10
Registered: ‎05-27-2013

Re: ClearPass 6.2 Policy Enforcement Not Map Correctly

Hi Trinh,

 

I have sent you an email about having a remote session to understand the configuration and troubleshoot the issue. The access tracker logs themselves do not convey the full picture and a web session would be the fastest way to resolve this.

 

PS: I shall update the thread once we have the solution for the benefit of the entire audience.


MVP
Posts: 289
Registered: ‎11-04-2008

Re: ClearPass 6.2 Policy Enforcement Not Map Correctly

[ Edited ]

 

Fixed my problem by comparing my service with a sample of Service Templates for Guest Mac Authentication.

The correct setting in SERVICE is:

Connection Client-Mac-Address EQUALS %{Radius:IETF:User-Name}

But my setting is “NOT-EQUALS”.

Thank you all for your help!

 

~Trinh Nguyen~
Boys Town