Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM Clients change status in endpointdatabase

  • 1.  CPPM Clients change status in endpointdatabase

    Posted Jul 10, 2017 07:41 AM

    Hi

    We are using ClearPass Policy Manager 6.5.6.81675.

    We do guest access authentication with the guest module, which was working fine. In the last weeks users report that they have to reauthenticate several times a day. The problem is that clients are suddenly in status unknown.

    I tried this with my private phone. The client is authenticated and is correctly saved in the endpoint database. Status is known.

    After some time the client has to reauthenticate. I checked the endpoint DB and the status is suddenly unknown.

    Our configuration at first tries to authenticate via MAC authentication and the endpoint database. Known clients within 90 days should not be forced to log in again via the captive portal. But suddenly this does not work anymore.

     



  • 2.  RE: CPPM Clients change status in endpointdatabase

    EMPLOYEE
    Posted Jul 10, 2017 08:44 AM

    Use [Allow All MAC Auth] instead of [MAC Auth]. There is no reason to rely on known vs unknown as there are other attributes that are evaluated as part of the MAC caching policy.



  • 3.  RE: CPPM Clients change status in endpointdatabase

    Posted Jul 10, 2017 09:34 AM

    There are other attributes which are used. There are guest classes which are set by the guest module.



  • 4.  RE: CPPM Clients change status in endpointdatabase

    Posted Jul 11, 2017 01:12 AM

    But what's the reason a known client changes its status to unknown?



  • 5.  RE: CPPM Clients change status in endpointdatabase

    EMPLOYEE
    Posted Jul 11, 2017 05:47 AM

    Under normal conditions, the status in the end-point database only changes because you do that manually or it is done by an enforcement profile (Post Authentication Update Endpoint).

     

    Because between the lines it looks like more data is lost from the endpoint, please check under Server Configuration -> Cluster-wide Parameters -> Cleanup intervals whether you may have configured the cleanup interval for known or unknown endpoints there. If you did, that will remove the entry from the endpoint DB after a time of inactivity.

     

    MAC caching uses the Endpoint Database, and for that reason, the entries should not be cleaned up before the end of your 90 days.

     

    Could this be the issue?

     

    The default setting of 0 for cleanup will disable cleaning entirely for that category.



  • 6.  RE: CPPM Clients change status in endpointdatabase

    Posted Jul 11, 2017 08:11 AM

    Cleanup intervals are configured as you can see in the picture below:

    cleanup_intervals.JPG

     

     



  • 7.  RE: CPPM Clients change status in endpointdatabase

    Posted Jul 11, 2017 08:27 AM

    There is a post auth policy which should update status. But it is not working.

    update_endpoint.JPG

    enforcement prof.JPG