Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Authorization Attributes and Policy Evaluation Cache

  • 1.  Authorization Attributes and Policy Evaluation Cache

    Posted Nov 15, 2015 12:43 AM

    Running into a small issue with the authorization attributes and using them to do role mappings.

    ClearPass Version: 6.5.4.x

    The scenario:

    • A new domain-joined laptop attempts to connect to our wireless for the first time. It is using MSCHAPv2.
    • The laptop is able to successfully authenticate. Upon successful authentication, its endpoint profile is updated in the following ways: its status is set to "known" and an attribute is written identifying which location it is from.
    • I then sign in on this laptop. As a user I also perform authentication against the wireless. My authentication is rejected because I am missing a role mapping.
    • I then go to the Endpoints DB, clear the policy evaluation cache and attempt to reauthenticate. I am able to successfully get connected to the wireless. I can also get connected if I allow the timer on the evaluation cache to time out on its own.

    Initially I thought the Policy Evaluation cache was causing the issue. I noticed though that with my user authentication attempt the evaluation cache had been updated.

    What I did notice was that the Authorization Attributes are not completely updated. The "Status" attribute does not match the Endpoints DB.

    Role_Mapping_Issue_001.png

    I have a role mapping rule that looks at the following two attributes from the Endpoints db:

    • (Authorization:[Endpoints Repository]:Status  EQUALS  Known)
    • (Endpoint:[Corporate Asset]  EQUALS  USA) *Custom Attribute*

    If both these attributes are true then a role is assigned.

     

    When I looked at my authentication (user auth) attempt I can see the corporate asset attribute is computed; however, the Status still shows as "Unknown".

    When I check the Endpoints DB itself, it shows the status as "Known".

    Role_Mapping_Issue_003.png

    Role_Mapping_Issue_002.png

    I am assuming that ClearPass is using a cache that was generated from the machine's first attempt at authenticating, which is why the status is the only thing that isn't correct, because at the time of the authentication the endpoint's status hadn't been updated. It is weird though, because on the Policy Evaluation cache tab there is no mention of endpoint information. So I was assuming it was only caching roles, but it seems it caches more.

    Would this be the case?

    I can work around this, but I am just curious if anyone else has seen this behavior?

    Cheers



  • 2.  RE: Authorization Attributes and Policy Evaluation Cache

    Posted Nov 18, 2015 11:35 AM

    Have you tried amending the cache timeout value on the Endpoint Repository as below:

    Capture.JPG

    Sounds like the Authorisation attributes have been cached from the initial authentication request.



  • 3.  RE: Authorization Attributes and Policy Evaluation Cache

    Posted Nov 23, 2015 11:17 AM

    Sorry for my late response.

    Yes, I suspect the same thing is happening.

    I have never played around with the cache timeout value for the Endpoint Repository.

    Is there another recommended value that can be placed here?



  • 4.  RE: Authorization Attributes and Policy Evaluation Cache

    Posted Dec 26, 2015 06:46 AM

    I guess that mainly depends on your deployment. If you need a low timeout you set it low, but that will mean more lookups and possibly more load.



  • 5.  RE: Authorization Attributes and Policy Evaluation Cache
    Best Answer

    Posted Dec 26, 2015 09:36 AM

    This makes sense.

    What I ended up doing was removing the requirement for "Known" device.

    I now just rely on the custom attribute that I apply to the endpoint profile.

    This seems to be working reliably.

    I think it is probably better I avoid adding too much additional load to the servers if it is not necessary.
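The behaviour the original post describes (a stale Status attribute served from the authorization cache after the post-auth update) and the best answer's workaround (keying the rule on a live Endpoint attribute instead) can be modelled in a few lines. The Python below is an added illustration written for this page, not ClearPass code. It assumes that the Endpoint Repository cache timeout behaves as a simple per-MAC time-to-live on the `Authorization:[Endpoints Repository]:*` attributes, that `Endpoint:*` attributes are read live from the endpoint record (which matches what the poster observed for the custom attribute), and that the post-auth update lands after the first lookup has already populated the cache. The MAC address, role name and timings are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed model of the thread's scenario; not ClearPass source code.


@dataclass
class Endpoint:
    """One row of the Endpoints DB: the built-in Status plus custom attributes."""
    status: str = "Unknown"
    attributes: Dict[str, str] = field(default_factory=dict)


class EndpointsRepository:
    """Minimal stand-in for the Endpoints DB."""

    def __init__(self) -> None:
        self.rows: Dict[str, Endpoint] = {}

    def row(self, mac: str) -> Endpoint:
        return self.rows.setdefault(mac, Endpoint())


class AuthorizationCache:
    """Per-MAC cache of the attributes fetched from the Endpoints Repository when
    it is queried as an authorization source. `ttl` models the repository's
    cache timeout (assumption: a plain time-to-live, refreshed only on expiry)."""

    def __init__(self, ttl: int) -> None:
        self.ttl = ttl
        self.entries: Dict[str, Tuple[int, Dict[str, str]]] = {}

    def fetch(self, mac: str, repo: EndpointsRepository, now: int) -> Dict[str, str]:
        hit = self.entries.get(mac)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]  # served from cache, possibly stale
        snapshot = {"Authorization:[Endpoints Repository]:Status": repo.row(mac).status}
        self.entries[mac] = (now, snapshot)
        return snapshot

    def clear(self, mac: str) -> None:
        """What clearing the policy evaluation cache for the endpoint does here."""
        self.entries.pop(mac, None)


def evaluate_role(mac: str, repo: EndpointsRepository, cache: AuthorizationCache,
                  now: int, require_known: bool) -> Optional[str]:
    """The thread's role-mapping rule: (cached Status == Known, if required)
    AND (live Endpoint:[Corporate Asset] == USA)."""
    attrs = dict(cache.fetch(mac, repo, now))
    # Endpoint:* attributes are read from the record itself, bypassing the cache
    # (assumption matching what the poster observed for the custom attribute).
    attrs["Endpoint:[Corporate Asset]"] = repo.row(mac).attributes.get("Corporate Asset", "")
    known_ok = (not require_known) or \
        attrs["Authorization:[Endpoints Repository]:Status"] == "Known"
    if known_ok and attrs["Endpoint:[Corporate Asset]"] == "USA":
        return "Corporate-Laptop-USA"  # constructed role name
    return None


def simulate(ttl: int, require_known: bool, user_auth_at: int,
             clear_cache_first: bool = False) -> Optional[str]:
    """Machine auth at t=0, post-auth update of the endpoint, then user auth at
    t=user_auth_at. Returns the role the user auth is mapped to, or None."""
    repo, cache = EndpointsRepository(), AuthorizationCache(ttl)
    mac = "00-11-22-33-44-55"  # constructed
    # Machine auth: the first lookup populates the cache while Status is Unknown.
    evaluate_role(mac, repo, cache, 0, require_known)
    # Post-authentication enforcement writes Status=Known and the custom attribute.
    row = repo.row(mac)
    row.status = "Known"
    row.attributes["Corporate Asset"] = "USA"
    if clear_cache_first:
        cache.clear(mac)
    return evaluate_role(mac, repo, cache, user_auth_at, require_known)


if __name__ == "__main__":
    print("user auth inside TTL, Known required   :", simulate(600, True, 5))
    print("after clearing the cache               :", simulate(600, True, 5, True))
    print("after the TTL expired                  :", simulate(600, True, 700))
    print("Known requirement dropped (best answer):", simulate(600, False, 5))
```

The four runs reproduce the thread: the user auth inside the timeout gets no role, clearing the cache or waiting for expiry fixes it, and dropping the `Known` condition fixes it without touching the timeout. The same trap applies to any attribute that a post-authentication action writes and a later request reads through a cached authorization source; when checking for it in Access Tracker, compare the attribute under Authorization Attributes against the endpoint record itself, as the poster did. Lowering the timeout shortens the stale window at the cost of more repository lookups per request, which is the trade-off reply 4 points out.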



  • 6.  RE: Authorization Attributes and Policy Evaluation Cache

    Posted Dec 26, 2015 10:38 AM

    Good solution, I use that a lot also. Better control.



  • 7.  RE: Authorization Attributes and Policy Evaluation Cache

    Posted Dec 26, 2015 10:50 AM

    Good to know!

    Always curious about how other people tackle the different challenges faced when dealing with wireless access.

    Cheers