11-14-2015 09:43 PM
Running into a small issue with the authorization attributes and using them to do role mappings.
ClearPass Version: 6.5.4.x
- A new domain joined laptop attempts to connect to our wireless for the first time. It is using MSCHAPv2.
- Laptop is able to successfully authenticate. Upon successful authentication, its endpoint profile is updated in the following ways: its status is set to "Known" and an attribute is written identifying which location it is from.
- I then sign in on this laptop. As a user I also perform authentication against the wireless. My authentication is rejected because I am missing a role mapping.
- I then go to the Endpoints DB and clear the policy evaluation cache and attempt to reauthenticate. I am able to successfully get connected to the wireless. I can also get connected if I allow the timer on the evaluation cache to time out on its own.
Initially I thought the Policy Evaluation cache was causing the issue. I noticed, though, that with my user authentication attempt the evaluation cache had been updated.
What I did notice was that the Authorization Attributes are not completely updated. The "Status" attribute does not match the Endpoints DB.
I have a role mapping rule that looks at the following two attributes from the Endpoints DB:
- (Authorization:[Endpoints Repository]:Status EQUALS Known)
- (Endpoint:[Corporate Asset] EQUALS USA) *Custom Attribute*
If both these attributes are true then a role is assigned.
When I looked at my authentication (user auth) attempt I can see the corporate asset attribute is computed, however, the Status still shows as "Unknown".
When I check the Endpoints DB itself, it shows the status as "Known".
I am assuming that ClearPass is using a cache that was generated from the machine's first attempt at authenticating, which is why the status is the only thing that isn't correct: at the time of that authentication, the endpoint's status hadn't been updated yet. It is weird, though, because on the Policy Evaluation cache tab there is no mention of endpoint information. So I was assuming it was only caching roles. But it seems it caches more.
Would this be the case?
I can work around this, but I am just curious if anyone else has seen this behavior?
11-18-2015 08:34 AM
Have you tried amending the cache timeout value on the Endpoint Repository as below:
Sounds like the Authorisation attributes have been cached from the initial authentication request.
ACDX #98 | ACMP | ACCP
11-23-2015 08:16 AM
Sorry for my late response.
Yes, I suspect the same thing is happening.
I have never played around with the cache timeout value for the Endpoint Repository.
Is there another recommended value that can be placed here?
12-26-2015 06:36 AM
This makes sense.
What I ended up doing was removing the requirement for "Known" device.
I now just rely on the custom attribute that I apply to the endpoint profile.
This seems to be working reliably.
I think it is probably better I avoid adding too much additional load to the servers if it is not necessary.
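The thread describes a timing problem that is easy to reproduce in a model: the `Authorization:[Endpoints Repository]` attributes are snapshotted into a per-endpoint cache on the first (machine) authentication, the post-authentication profile update then changes the endpoint in the repository, and the user authentication a moment later is evaluated against the stale snapshot while the `Endpoint:` namespace is read fresh. The Python below is an added illustration written for this page, not ClearPass code; the class names, the cache semantics (a simple TTL keyed by MAC, with the Authorization namespace cached and the Endpoint namespace not cached, which is what the poster's observation implies), the MAC address and the role name are all assumptions. It runs the four outcomes discussed: the original failure, flushing the cache, letting the cache timeout elapse, and the poster's final workaround of dropping the "Known" condition.

```python
"""Model of a per-endpoint authorization-attribute cache and the stale
"Status" it produces. Constructed example; names and semantics are assumed,
not taken from ClearPass."""

CACHE_TIMEOUT_S = 3600          # assumed Endpoint Repository cache timeout
ENDPOINT_MAC = "00:11:22:33:44:55"   # constructed MAC address


class EndpointsRepository:
    """Stand-in for the Endpoints DB: one attribute dict per MAC."""

    def __init__(self):
        self._db = {}

    def lookup(self, mac):
        # An endpoint never seen before is reported as Unknown.
        return dict(self._db.get(mac, {"Status": "Unknown"}))

    def update(self, mac, **attrs):
        self._db.setdefault(mac, {"Status": "Unknown"}).update(attrs)


class PolicyServer:
    """Evaluates the two-condition role mapping rule from the thread."""

    def __init__(self, repo, cache_timeout_s=CACHE_TIMEOUT_S):
        self.repo = repo
        self.cache_timeout_s = cache_timeout_s
        self._auth_cache = {}   # mac -> (fetched_at, Authorization:[Endpoints Repository] attrs)

    def authorization_attributes(self, mac, now):
        """Authorization namespace: served from the per-endpoint cache until it expires."""
        entry = self._auth_cache.get(mac)
        if entry is not None and now - entry[0] < self.cache_timeout_s:
            return entry[1]            # stale snapshot from the first authentication
        attrs = self.repo.lookup(mac)
        self._auth_cache[mac] = (now, attrs)
        return attrs

    def clear_cache(self, mac):
        """Equivalent of clearing the policy evaluation cache for one endpoint."""
        self._auth_cache.pop(mac, None)

    def role_mapping(self, mac, now, require_known=True):
        """Returns the mapped role, or None when the rule does not match.

        - Authorization:[Endpoints Repository]:Status EQUALS Known   (cached)
        - Endpoint:[Corporate Asset] EQUALS USA                      (read fresh)
        """
        auth_attrs = self.authorization_attributes(mac, now)
        endpoint_attrs = self.repo.lookup(mac)   # Endpoint namespace is not cached here
        if require_known and auth_attrs.get("Status") != "Known":
            return None
        if endpoint_attrs.get("Corporate Asset") != "USA":
            return None
        return "Corporate-USA"   # assumed role name

    def post_auth_profile_update(self, mac):
        """Post-authentication enforcement: mark Known and tag the location."""
        self.repo.update(mac, Status="Known", **{"Corporate Asset": "USA"})


def run_scenario(require_known=True, flush_before_user_auth=False,
                 user_auth_delay_s=60.0, cache_timeout_s=CACHE_TIMEOUT_S):
    """Replay the thread's timeline; returns (machine_auth_role, user_auth_role)."""
    repo = EndpointsRepository()
    server = PolicyServer(repo, cache_timeout_s)
    t0 = 0.0
    # 1. Machine authentication: endpoint unknown, snapshot cached as Unknown.
    machine_role = server.role_mapping(ENDPOINT_MAC, t0, require_known)
    # 2. Post-auth update rewrites the endpoint in the repository.
    server.post_auth_profile_update(ENDPOINT_MAC)
    # 3. Optional manual cache clear (the poster's first fix).
    if flush_before_user_auth:
        server.clear_cache(ENDPOINT_MAC)
    # 4. User authentication some seconds later from the same laptop.
    user_role = server.role_mapping(ENDPOINT_MAC, t0 + user_auth_delay_s, require_known)
    return machine_role, user_role


if __name__ == "__main__":
    print("as reported      :", run_scenario())
    print("cache cleared    :", run_scenario(flush_before_user_auth=True))
    print("timeout elapsed  :", run_scenario(user_auth_delay_s=CACHE_TIMEOUT_S))
    print("Known rule dropped:", run_scenario(require_known=False))
```

The first scenario shows exactly the symptom in the thread: `Corporate Asset` evaluates correctly because it is read from the repository, while `Status` is still the cached `Unknown`. Lowering the cache timeout, as the reply suggests, trades repository load for freshness; the poster's workaround sidesteps the cache entirely by keying the rule only on an attribute that is not served from it.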